ISMS ISO solution
For information security officers who want to build an ISMS in line with internationally recognized standards in the shortest possible time, without resorting to complex Excel workbooks.
Save valuable time with the risk2value ISMS ISO solution and benefit from a professional, automated tool for information security management.
Highlights of the risk2value ISMS ISO solution
With the risk2value ISO solution, you bank on state-of-the-art technology to efficiently map your information security processes.
The central gateway for all users is the dashboard, which presents a comprehensive view of status information and metrics on risk analyses, measures, and proof of effectiveness. Users can access their own to-do lists in the dashboard. The CISO and senior management receive a clear overview of critical information for their roles including any recommended actions.
Workflow-driven support for recording risks and measures
Workflows are defined for the entire ISMS to support users throughout the recording process. With the help of an authorization system, you can specify which user can edit which data with which status. This clearly defines the areas with read or write access as well as the capabilities to create, edit or approve for each user in risk2value.
Reports use the comprehensive analytic capabilities of risk2value to visualize information in a compact, management-friendly format. The Statement of Applicability, for example, presents a complete summary of the applicability and maturity of the controls listed in Annex A of ISO 27001 and of the associated measures implemented in the company. These reports can be generated at the touch of a button for management reviews as well as for internal and external audits.
risk2value automatically sends an email to the affected users when a defined event occurs. When the status of an action changes and thereby shifts responsibility to another person, that person is informed immediately.
Relays execute defined procedures to automatically run a series of individual steps. These procedures can be scheduled or triggered on demand, for example, at the restart of the ISMS, the restart of assessments, or as part of ongoing improvements to the ISMS.
risk2value provides audit-proof archiving. All data is stored securely so that it can be later used in dashboards or reports, for example, to compare individual risks over longer periods. Data can be archived automatically or manually.
risk2value ISO solution: The business side
The risk2value standard solution for ISMS (information security management system) was developed on the basis of ISO 27001 and incorporates the extensive hands-on experience gained in numerous implementation projects.
ISO 27001 is an internationally recognized standard that specifies the requirements for documenting and implementing an information security management system. The objective of an ISMS is to manage information security systematically in order to protect the confidentiality, integrity and availability of information and assets, and to identify and reduce potential threats efficiently. The ISO/IEC 27000 family around ISO/IEC 27001 comprises more than 30 documents that support companies throughout an ISMS implementation.
ISO/IEC 27001:2013 certification is the leading choice for companies that do not require more specific frameworks (e.g., for cloud services, cloud computing, energy sector).
Our ISMS ISO solution takes the following basic approach:
Identify processes and assets.
The goal of this phase is to list all assets in use, or at least the critical ones. An asset in this context can be anything the company deems essential. According to ISO 27002 and ISO 27005, assets can be organized into the following groups: information, software, buildings, facilities, vehicles, equipment, hardware, data carriers, computer and communication services, utilities, employees including their qualifications, and intangibles (e.g., the reputation and image of the organization).
An asset owner is then assigned to each identified asset, as required by ISO 27001:2013. This can be a single person or a group of individuals responsible for administering the respective asset, including any related risks and measures.
A business impact analysis (BIA), one of the most effective instruments for assessing risks, plays a key role during this phase. It assesses each asset with regard to financial effects, impairment of task completion, breaches of laws, guidelines and contracts, and any other negative internal or external effects.
Identify threats and vulnerabilities.
The second phase focuses on risk identification. The company compiles a comprehensive list of the risks that are relevant to its business activities and could damage its corporate objectives. Ideally, this is a workflow-driven process. Those responsible for the ISMS typically compile these risk scenarios together with the respective department managers in a series of in-depth workshops. Risk scenarios are used to determine how risks could arise that would damage the security goals of confidentiality, integrity or availability of the information system and, therefore, the business objectives.
Identify actions already implemented or planned.
A further aspect of risk identification is identifying existing measures. This takes into account that companies have often already implemented measures, such as a password policy, and therefore already fulfill some of the controls in Annex A of ISO 27001. These measures may not yet reach the maturity level required for certification, so they must be analyzed with regard to currency, effectiveness and nonconformity. Recording them avoids duplication and unnecessary costs.
Examine the risks that have been identified.
All identified risks are examined in the risk analysis. Once the probability of occurrence and the potential damage have been assessed, a risk value is calculated; in the ISMS ISO solution this can be done quantitatively or qualitatively (i.e., using a heat map).
How risk controls are defined determines how the company deals with the risk observed. Depending on the company's risk attitude, which can range from risk aversion through risk neutrality to risk appetite, there are four ways to treat a risk: acceptance, reduction, avoidance and transfer. The goal is to bring the risk down to a level at which the residual risk can be quantified and accepted.
Specify actions in the risk treatment plan.
The next step is determining how to deal with the risks that have been analyzed. An external auditor will expect a risk treatment plan that outlines the actions taken or planned for dealing with each risk. This plan, which is approved by the designated risk or measure manager and/or senior management, records the implementation status of each measure.
In the risk2value ISMS ISO solution, actions can be documented by risk treatment strategy, by responsibility for implementation and execution, and by the reduction they achieve in costs, damage and probability of occurrence.
Document the applicability (Statement of Applicability).
A statement of applicability (SoA) declares that the company has carefully reviewed all controls in Annex A, taken them into consideration, and related them to its corporate goals and information security risks. It describes the control objectives and measures within the company's scope and references the 114 controls of Annex A of ISO/IEC 27001:2013 (detailed in ISO/IEC 27002). Together with the scope, the SoA is a core requirement for obtaining ISO certification of the ISMS.
Review the ISMS as part of management reviews.
Since ISO 27001 requires continual improvement of operational effectiveness, top management should check the currency and suitability of the information security management system, with the support of the ISMS officer, at least once a year. Topics for such management reviews can include: results of the risk analysis and implementation status of the measures, effectiveness of the implemented measures, internal and external audit results, nonconformities, corrective measures, and measurement results (e.g., company-specific KPIs, general information security performance, developments in the ISMS).
Initiate procedures to deal with incidents.
To maintain information security during operations, companies establish procedures for handling information security incidents in line with ISO 27001:2013, Annex A.16 (Information Security Incident Management). This ensures that a security-relevant incident, should one occur, is handled efficiently. These procedures cover incident reporting as well as assessment and treatment, including the collection of evidence.
Incidents are typically nonconformities that affect the company's continual improvement process and, therefore, the maturity of the ISMS. Based on the incident assessments and the insights gained from them, the company initiates corrective measures. These are designed to minimize any impairment of the availability, integrity or confidentiality of information, to identify and correct vulnerabilities in the ISMS, and to prevent future incidents.
Verify the effectiveness of the ISMS in internal audits.
Internal audits are conducted on a regular basis to check the effectiveness of the ISMS and to continually improve the management system. The ISO standard requires that an internal audit be conducted at least once per certification cycle. The procedure, which closely resembles that of an external audit, can cover the entire organization or a specific division or department.
The results are recorded as findings and used in preparing for future certification audits.
Have external audits performed by certification bodies.
Qualified auditors conduct external audits on behalf of a certification body to verify that the management system conforms to ISO 27001. The audit determines which deficits and deviations from the standard the company's ISMS still has.
The risk2value ISMS ISO solution provides built-in support for planning a pre-audit, certification audit, surveillance audit and recertification.
Handle findings from audits or management reviews.
Findings arise in a variety of contexts and record the results of external and internal audits or management reviews. They cover deviations from the standard or general security vulnerabilities that have been assessed and treated within the ISMS. Depending on their criticality, findings are classified as a major nonconformity, minor nonconformity, observation, recommendation, or opportunity for improvement. A major nonconformity, or several minor nonconformities, often stands in the way of certification and should be resolved as soon as possible.
Document decisions made and goals sought.
A key requirement for the successful implementation of an information security management system is documenting the decisions made and the goals set for the ISMS. Documented information is needed, for example, to define and communicate information security objectives, policies, guidelines, directives, processes and procedures, and it is also examined during the certification audit. Many clauses of the ISO standard require documentation that must be formally approved and made available to interested parties in an audit-proof manner. Since companies document additional information depending on their objectives and desired level of maturity, the scope of this documentation varies.