12-Month ISMS Implementation Roadmap (ISMS-SUP-003)

Quarter 1 (Months 1-3): Foundation & Visibility

Goal: Establish baseline security controls and gain visibility into the environment.

Month 1: Official Kick-Off & Scoping
Key Deliverables & Activities:
• Finalize policies and obtain leadership sign-off.
• Formally assign key roles (Security Officer, etc.).
• Complete the Gap Analysis and Data Discovery.
Key Metrics for Success:
• 100% of policies formally approved and signed.
• 100% of key security roles assigned in a RACI chart.
• Gap analysis and data inventory documents completed.

Month 2: Identity & Endpoint Security
Key Deliverables & Activities:
• Deploy and enforce Multi-Factor Authentication (MFA) for all critical systems.
• Deploy an Endpoint Detection & Response (EDR) solution to all workstations.
• Roll out a company-wide password manager.
Key Metrics for Success:
• 95%+ of users enrolled in MFA for critical systems.
• 100% of corporate endpoints have an active EDR agent.
• 80%+ of the workforce actively using the password manager.

Month 3: Initial Vulnerability Management
Key Deliverables & Activities:
• Implement a vulnerability scanning tool for cloud and application assets.
• Conduct initial baseline scans to understand the current risk posture.
• Begin triaging critical and high-risk findings.
Key Metrics for Success:
• 90%+ of production assets covered by vulnerability scans.
• 100% of identified critical vulnerabilities have a remediation ticket created.
• 25% reduction in the number of “quick win” high-risk vulnerabilities.

Quarter 2 (Months 4-6): Control & Process Implementation

Goal: Move from ad-hoc actions to repeatable, defined security processes.

Month 4: Formalize Core Processes
Key Deliverables & Activities:
• Implement the formal Change Control Procedure using GitHub.
• Implement the Vendor Risk Assessment Procedure for all new vendors.
• Implement the formal HR Onboarding/Offboarding Procedures.
Key Metrics for Success:
• 100% of production code changes are deployed via the new change control process.
• 100% of new vendors undergo a documented risk assessment.
• 100% of new hires and terminations follow the documented security checklists.

Month 5: Training & Access Control
Key Deliverables & Activities:
• Conduct the first company-wide Security Awareness Training campaign.
• Conduct the first Quarterly User Access Review for critical systems.
• Begin hardening critical systems based on defined baselines.
Key Metrics for Success:
• 95%+ of the workforce completes security awareness training.
• 100% of required access reviews are completed and signed off by managers.
• 0 critical deviations from the security baseline on newly hardened systems.

Month 6: Incident Response Preparation
Key Deliverables & Activities:
• Finalize the Incident Response Plan (IRP).
• Define and document Incident Commander and IRT roles.
• Configure SIEM/logging to capture critical events for detection.
Key Metrics for Success:
• IRP document is formally approved.
• Incident Response Team roster is published and communicated.
• 90%+ of critical systems are sending logs to a central SIEM.

Quarter 3 (Months 7-9): Hardening & Testing

Goal: Validate the effectiveness of implemented controls and mature security practices.

Month 7: Engage Third-Party Assessors
Key Deliverables & Activities:
• Select and contract a vendor for the annual penetration test.
• Select and contract an audit firm for the future SOC 2 audit.
• Conduct the first BCDR Tabletop Exercise.
Key Metrics for Success:
• Pen test and audit contracts signed.
• BCDR tabletop exercise completed with a post-exercise report generated.
• 100% of IRT members participate in the exercise.

Month 8: Penetration Testing & Remediation
Key Deliverables & Activities:
• Execute the annual third-party penetration test.
• Triage findings from the test report and create a remediation plan.
• Begin remediating high-risk findings from the pen test.
Key Metrics for Success:
• Pen test report received.
• 100% of critical and high-risk findings have a remediation plan with an assigned owner.
• Mean Time to Remediate (MTTR) for critical vulnerabilities is under 15 days.

Month 9: Mature Vendor & AI Governance
Key Deliverables & Activities:
• Begin reviewing existing high-risk vendors against the new policy.
• Implement the AI Tool Risk Assessment Procedure for any new AI tools being considered by teams.
Key Metrics for Success:
• 50% of existing high-risk vendors have a completed risk assessment on file.
• 100% of new AI tool requests follow the formal assessment procedure.
• 0 unapproved AI tools are detected processing company data.

Quarter 4 (Months 10-12): Audit Readiness & Optimization

Goal: Prepare for external audits and ensure the ISMS is a continuous, improving program.

Month 10: Internal Audit & Evidence Gathering
Key Deliverables & Activities:
• Conduct the first Internal Audit against the policy set.
• Begin systematically collecting evidence (artifacts) for the upcoming SOC 2 audit.
• Remediate any gaps found during the internal audit.
Key Metrics for Success:
• Internal audit completed and report issued.
• 75%+ of evidence requests for the upcoming SOC 2 audit are fulfilled and organized.
• 100% of high-risk internal audit findings have a documented corrective action plan.

Month 11: Formal Risk & BIA Assessment
Key Deliverables & Activities:
• Conduct the formal Annual Risk Assessment.
• Conduct the formal Business Impact Analysis (BIA).
• Present findings to the Information Security Committee.
Key Metrics for Success:
• Annual Risk Assessment report is approved by leadership.
• Business Impact Analysis (BIA) report is approved by leadership.
• Top 5 company risks are identified and have a documented treatment plan.

Month 12: Final Review & Planning for Year 2
Key Deliverables & Activities:
• Hold the final quarterly Information Security Committee meeting of the year.
• Review progress against the roadmap and finalize the audit schedule.
• Develop the roadmap for the following year based on risk assessment and audit findings.
Key Metrics for Success:
• Q4 committee meeting held with documented minutes.
• Formal audit date is scheduled.
• Year 2 roadmap is drafted and presented to leadership for approval.