Data Governance, Security, and Privacy

This topic is for security and privacy feedback during DAC 2022.


Hi @mmarkevich,
How long does it take to be ideal in the implementation of security and privacy? Is referring to security and privacy standards (such as ISO 27701 and ISO 27001) a good idea for implementation?



If you plan to implement an ISO 27001 management system and aim to cover all applicable requirements, this process typically takes at least a year. Without knowing your scope, the timeline would be:

  • Assess the current state, including risk assessment, asset inventory, etc. (~2 months);
  • Plan the implementation (~1 month);
  • Implement, including writing framework documents, implementing the changes, performing training, etc. (~6-8 months);
  • Test and fix what is not working (~1-3 months).

For an auditable result (e.g., if you plan to obtain an official certification), you need to have a functioning ISMS for at least 6 months so that auditors can collect evidence.

If you’d like to make it simple and lightweight, you can implement the most critical requirements (access control, change management, data backup, incident handling) and reduce the scope of the ISMS. This can take less time and effort.