Information Security Management System
Company-wide central control of information security through risk analyses and the implementation of suitable controls.

Methodical and technical challenges

An Information Security Management System (ISMS) is organised around the PDCA cycle as defined in ISO-27001 (see figure). From this cycle the standard derives which tasks a complete ISMS has to fulfil. Information security risk management is only one part of the ISMS domain; a GRC tool should therefore cover all of the standard's requirements.

One of the greatest challenges in implementing an ISMS is representing the complex impact relations between information, IT systems, IT services and processes. This information is vital for the later calculation and preparation of ratings. It also includes the possibility of using the same system for several services while keeping the different criticalities of those services in context.

Once the impact relations between information, systems and processes have been identified and implemented, a rating method has to be compiled that allows vulnerabilities, threats and security measures to be rated with objective criteria and prepares the results with regard to the impact relations.

Once scope and rating method are fixed, regular self-assessments have to be carried out covering the rating of threats and vulnerabilities as well as of planned and implemented controls. In its organisation and design an ISMS has to preserve the CISO's independence and make the rating convenient for the responsible people.

Apart from the cyclic assessments an ISMS has to be able to include non-cyclic incidents and activities in the rating of information security. This starts with the documentation and organisation of audits for the objective verification of security measures by internal and external auditors:

  • The weaknesses and deviations found in audits have to be documented and their tracking and treatment supervised; detected and suspected security issues should likewise be documented, tracked and included in the reports.
  • Besides audits and security issues, exception rules for individual systems should be included in the reports in order to document unusual situations and security needs.

The cyclically and non-cyclically evaluated data should then be consolidated in reports in which the information is prepared according to information needs and responsibilities.
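The impact relations and the "criticality in context" rating described above, as an added illustration that is not part of the original page or of the risk2value® product: a constructed process/service/system model in which a shared system is rated once per service, and the per-finding scores are rolled up with a configurable aggregation function (max by default; sum is shown as an alternative). All names, scales and findings are invented sample data.

```python
from typing import Callable, Dict, List

# Constructed sample data (not from the page): services with criticality per
# protection goal (1 = low .. 4 = very high), the systems they depend on, and
# the business processes that depend on the services.
SERVICES = {"online-banking": {"C": 4, "I": 4, "A": 4},
            "intranet-wiki": {"C": 2, "I": 2, "A": 1}}
SERVICE_SYSTEMS = {"online-banking": ["db-cluster", "web-frontend"],
                   "intranet-wiki": ["db-cluster", "wiki-host"]}
PROCESS_SERVICES = {"payments": ["online-banking"],
                    "knowledge-mgmt": ["intranet-wiki"]}

# Constructed self-assessment findings per system: threat likelihood and
# vulnerability level (1..4) plus the protection goal the pair affects.
FINDINGS = {"db-cluster": [{"threat": 3, "vulnerability": 2, "goal": "A"}],
            "wiki-host": [{"threat": 2, "vulnerability": 4, "goal": "C"}],
            "web-frontend": []}


def inherited_criticality(system: str, goal: str) -> int:
    """A shared system inherits the highest criticality of any service using it."""
    return max((SERVICES[svc][goal] for svc, systems in SERVICE_SYSTEMS.items()
                if system in systems), default=0)


def finding_risk(finding: Dict, criticality: int) -> int:
    """Risk = likelihood (threat x vulnerability) x impact (criticality in context)."""
    return finding["threat"] * finding["vulnerability"] * criticality


def service_risk(service: str, aggregate: Callable = max) -> int:
    """Rate every finding on the service's systems against *this* service's
    criticality (so db-cluster scores differently per service), then aggregate."""
    scores = [finding_risk(f, SERVICES[service][f["goal"]])
              for system in SERVICE_SYSTEMS.get(service, [])
              for f in FINDINGS.get(system, [])]
    return aggregate(scores) if scores else 0


def process_risk(process: str, aggregate: Callable = max) -> int:
    """Roll service risks up to the business process that depends on them."""
    scores = [service_risk(s, aggregate) for s in PROCESS_SERVICES.get(process, [])]
    return aggregate(scores) if scores else 0


if __name__ == "__main__":
    for svc in SERVICES:
        print(f"{svc}: max={service_risk(svc)} sum={service_risk(svc, sum)}")
    for proc in PROCESS_SERVICES:
        print(f"{proc}: {process_risk(proc)}")
```

The same db-cluster finding yields 24 for online-banking but only 6 for intranet-wiki, which is the "criticality stays in context" behaviour the challenges section asks for.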

Solution description
risk2value® gives you a flexible model for mapping your organisation, service and process hierarchies and representing their impact relations. This way a single IT system can be assigned to several services. In addition, risk2value® allows you to rate a system's criticality individually for each service. Combined with a freely configurable aggregation logic, reports tailored to the information needs of individual service managers can be generated. The product also gives you an overview of the information security level across the entire ISMS scope, with freely definable rating criteria.

risk2value® also supports you in the next step, the identification of threats and vulnerabilities. The identification can be carried out locally and individually by the rating users, or you can follow existing frameworks such as ISO-27005. The latter has the advantage that the impact relations between threats and vulnerabilities are already known, so that you only have to adjust them to your needs.

risk2value® also supports you in documenting existing controls. Typically the controls from ISO-27002 are used as the basis for an ISMS and extended by customer-specific controls. Planned but not yet implemented controls can be documented as measures during the assessment. In addition to this documentation, impact-reducing exception rules provide a basis for further refinement of the control rating.

Especially in highly heterogeneous IT landscapes the product allows you to document differences in the effect of controls on different systems; it is even possible to document audits and security issues and include them in the ratings.

After threats, vulnerabilities and security measures have been identified, these factors are rated in self-assessments using freely definable criteria. The results can be aggregated, prepared for all systems or services and then displayed in various reports. For this purpose risk2value® supplies pre-assembled live reports giving you an overview of the current rating status. Additionally, risk2value® offers the possibility of analysing your results in Excel or other systems with the help of an OLAP cube. This gives you flexible ratings of the security situation in individual areas of the service, process and organisation structures.

The risk2value® scorecard for Information & IT Risk Management usually includes the following structures (simplified, see figure):

Asset and service structures – usually including the assets to be rated, asset groups and IT services, as well as the organisational structures (responsibility areas, business units, etc.)

Business processes – allowing risks not only to be assigned to the responsible risk owners but also to the affected business processes

Business Impact Analysis / protection needs assessment – questionnaire module for rating and classifying criticality regarding confidentiality, availability and integrity

Risk catalogues – as a basis for the identification and rating of risks by asset or service owners, they can be organised hierarchically (in categories, subcategories, etc.). Using risk catalogues helps you identify which risks may lead to damage in various areas of the organisation, and so makes it possible, for example, to develop central mitigation strategies against frequently occurring risks that affect the entire organisation.

Control catalogues (for example ISO-27002) – documentation, assignment and rating of the implementation of standardised or individual security measures

Activity management – activity elements such as projects and security measures, audit findings, security issues or exception rules can also be stored in the scorecard and assigned to concrete risks and organisational areas. These activities are then organised by the central, workflow-controlled measure management and tracking, allowing evaluations of the number of open measures, audit findings or incidents, structured by criticality across the various companies, business units or IT services.

Key Points

  • Representation of customer-specific rating methods for business impact, risk analysis and control assessments
  • Workflow-supported measure management
  • Central control and monitoring of assessment progress
  • Local completion of assessments via the web browser
  • Automatic history of information/ratings
  • Traceability of all changes
  • Easy, high-quality risk reporting through OLAP technology

Solution context

risk2value® modules of GRC solution
• Organisation/Scope management
• Business impact management
• Risk management
• Control/Compliance management
• Audit/Activity management
• Loss & Incidents Database
• Document management
• Workflow management
• Reporting & dashboarding

Norm context
• ISO-27001 / 27005
• BS-25999
• BSI standard 100-3

avedos™ News

26.09.2011
risk2value 4.0 Launch

avedos is pleased to officially announce the brand new version 4.0 of its GRC framework risk2value.

12.09.2011
avedos continuously expands its customer base

In recent months many new customers such as T-SYSTEMS, Volkswagen AG and Volkswagen Financial Services have been won for risk2value thanks to the comprehensive capabilities of the risk2value GRC software framework.

05.09.2011
avedos participates with a presentation at the IQ-NET IT-security Offsite

avedos joins the IQ-NET IT-security event on the 9th of November 2011 with a lecture on tool support for GRC applications in the field of IT governance.

19.04.2011
Workshop "Security Management on all levels"

avedos™ together with its partner cirosec hosts workshops in four German cities from the 6th to the 9th of June 2011. The topic "Security Management on all levels" is meant to demonstrate efficient ways of handling an ISMS with the support of the risk2value® GRC suite.