Information Security Management System Use Case Design
This topic explains the Information Security Management System use case design.
Architecture Diagram
The following diagram shows the relationships between the applications and questionnaires in the ISMS use case.
Download the source file of the diagram here: Information Security Management System Architecture Diagram
Applications & Questionnaires
| Application/Questionnaire | Description |
|---|---|
| ISMS | The ISMS application serves as a repository for key policies and processes and manages the controls and risks to its information assets. You can catalog the individual resources related to your ISMS (information assets, applications, business processes, devices, and facilities) and document and maintain the related policies, standards, and risks. You can also view the status of your risk assessments and link to any findings associated with your ISMS. |
| Statement of Applicability | The Statement of Applicability (SOA) application allows users to export the SOA, a document used for reporting and certification to auditors and third-party vendors to demonstrate ISO 27001 compliance. The SOA details the organizational controls identified to address the risks outlined in the Risk Management Framework, states whether each control has been implemented, and explains why those controls were chosen. The SOA is typically prepared by the ISMS Manager or ISMS Users. |
| ISMS Audit | The ISMS Audit application acts as a container for the controls linked to risks facing the ISMS project. The key details of each control, along with the corresponding control standards, are copied into the ISMS Audit application via a data feed. The application gives Internal Auditors a method of evaluating the key characteristics of each control. The data is a snapshot of the control at a point in time and is not affected by later updates to the corresponding Control Procedures record. |
| ISMS Risks | The ISMS Risks application stores the risks identified by ISMS stakeholders in the Risk Management Framework section of the ISMS application. Each identified risk is copied via a data feed into the ISMS Risks application, along with its Findings and key data from the Risks application (Risk Event Category, Description, Response Type, Inherent, Residual, and Calculated Residual Risk). This data is a snapshot of the risk at a point in time and is not affected by later updates to the corresponding Risks record. The Control Procedures related to each risk are then copied into the ISMS Controls application, which is linked to ISMS Risks. |
| ISO 27001 Gap Analysis questionnaire | The ISO 27001 Gap Analysis questionnaire contains 204 questions designed to identify compliance gaps against the ISO 27001 information security standard. It lets you identify which ISO 27001 controls your organization has in place and which still need to be implemented. For each question answered incorrectly, a Finding is generated that identifies a deficiency in your ISMS posture; the organization may then choose to accept or mitigate the risk. |
| ISMS Controls | The ISMS Controls application stores the Control Procedures linked to risks identified by ISMS stakeholders in the Risk Management Framework section of the ISMS application. Each control corresponding to an identified risk is copied into the ISMS Controls application, along with key data from Control Procedures (Procedure Name, Type, Compliance, Testing Properties, etc.). This data is a snapshot of the controls at a point in time and is not affected by later updates to the corresponding Control Procedures record. A cross-reference to the related Control Procedures and ISMS Risks records is also included on the layout. |
| Applications | The Applications application stores all software applications the organization uses to perform business operations. You can view how an application is used, who uses it, and the devices on which it is installed. You can also track business impact, customer impact, and licensing details, and associate the application with other aspects of the enterprise infrastructure. Note: The Applications application is included in the Enterprise Catalog package. |
| Business Processes | The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units, and may be linked to one or more products or services. The application lets you track a business process's personnel, criticality, recovery time objective (RTO), and ITIL category, and associate it with other aspects of the enterprise infrastructure. Note: The Business Processes application is included in the Enterprise Catalog package. |
| Risks (formerly Risk Register) | The Risks application serves as the corporate-controlled instantiation of risks used by the entire organization. It allows users to capture data for an instance of a risk derived from any given risk statement. Risks are associated with processes, objectives, applications, facilities, key risk indicators, financial losses, and controls. Quantitative risks serve as an aggregation point for underlying Risk Events and are separately assigned to quantitative hierarchies for aggregation. |
| Devices | The Devices application serves as a central repository for knowledge about IT devices, such as their criticality and the applications they support. You can manage devices to ensure that they are protected according to management expectations. Devices are also associated with other aspects of the enterprise infrastructure. Note: The Devices application is included in the Enterprise Catalog package. |
| Facilities | The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and the technologies associated with the location. Note: The Facilities application is included in the Enterprise Catalog package. |
| Information Assets | The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments that determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed. Note: The Information Assets application is included in the Enterprise Catalog package. |
| Control Procedures | The Control Procedures application serves as a central repository for instances of control procedures, baselines, and activities that are mapped to corporate Primary Controls, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Control Procedures are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available. Note: The Control Procedures application is included in the Enterprise Catalog package. |
Personas and access roles
| Access Role | Description |
|---|---|
| ISMS Internal Auditor | Reviews the controls of a given scope to detect any potential issues. Documents the issues and their action plans, and monitors the issues until they are resolved. |
| ISMS Manager | Documents ISMS scopes, their context, and the related policies. |
| ISMS User | Supports the ISMS Manager in preparing the ISMS framework, for example by creating the risk assessments and providing evidence for control tests. |
Note: For detailed, page-level access rights, see the Data Dictionary.
For a complete list of application record permission fields, including which user/groups fields populate the fields and where the fields inherit permissions from, see the Data Dictionary.
Additional Access Roles
| Access Role | Description |
|---|---|
| ISMS External Auditor | Reviews a dashboard that displays relevant information, such as the SOA records and the compliance scorecard. |
| ISMS Process/Asset Owner | Assigned to the people who respond to assessments. People assigned to this role are also responsible for implementing the action plans. |
| ISMS Read Only | Provides read-only access to all applications and questionnaires in the ISMS use case. |
Application-level Rights by User
Rights are abbreviated as C = create, R = read, U = update, D = delete.

| Application | ISMS Manager | ISMS User | ISMS Internal Auditor |
|---|---|---|---|
| ISMS | CRUD | RU | R |
| ISMS Audit | RUD | R | RU |
| ISMS Risks | RUD | R | R |
| ISMS Controls | RUD | R | R |
| Statement of Applicability | CRUD | R | R |
| ISO 27001 Gap Analysis | RUD | CRU | R |
| Contacts | CRU | R | R |
| Policies | CRU | R | R |
| Risks | CRU | R | R |
| Business Processes | CRU | R | R |
| Information Assets | CRU | R | R |
| Applications | CRU | R | R |
| Devices | CRU | R | R |
| Facilities | CRU | R | R |
| Remediation Plans | CRU | R | R |
| Exception Requests | CRU | R | R |
| Control Procedures | CRU | R | R |
| Control Standards | CRU | R | R |
| Authoritative Sources | CRU | R | R |
| Findings | CRU | | CRU |
Dashboards
| Dashboard | Description |
|---|---|
| ISMS Dashboard | Allows ISMS Team members to track remediations and exceptions and to report overall compliance to ISO 27001. |
Data Feeds
Note: For instructions on setting up the feeds, see Setting Up ISMS Data Feeds.
| Data Feed | Description |
|---|---|
| ISMS Relationship Through Business Processes | This feed runs the ISMS Relationship Through Business Processes report in the ISMS application to build down all the information assets, applications, devices, and facilities associated with the identified business process or processes. The feed then links those collected records to the same ISMS record. |
| ISMS Relationship Through Facilities | This feed runs the ISMS Relationship Through Facilities report in the ISMS application to build down all the business processes, information assets, applications, and devices associated with the identified facility or facilities. The feed then links those collected records to the same ISMS record. |
| ISMS Relationship Through Information Assets | This feed runs the ISMS Relationship Through Information Assets report in the ISMS application to build down all the business processes, applications, devices, and facilities associated with the identified information asset or assets. The feed then links those collected records to the same ISMS record. |
| Populate ISMS Risks & Controls | This feed runs the Populate ISMS Risks and ISMS Controls report and creates an ISMS Risks record for each identified Risks record. For each of those Risks records, an ISMS Controls record is also created for every linked Control Procedure. |
| Populate ISMS Audit | This feed runs the Populate ISMS Audit report to generate ISMS Audit records from the ISMS Controls records previously created by the Populate ISMS Risks & Controls data feed. For each ISMS Controls record, an ISMS Audit record is created with data copied from the Control Procedure Name and Testing Procedure, cross-referenced to the related ISMS Risks, Risks, ISMS Controls, and Control Standards records. The Audit Name field in ISMS Audit is generated automatically by concatenating the 'Audit' prefix with the name of the Control Procedure. |
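The relationship feeds above describe a transitive "build down" over the Enterprise Catalog, and the two Populate feeds describe point-in-time copies whose snapshot property the application descriptions stress (later edits to the live Risks or Control Procedures records must not change the ISMS copies). The following Python is an added example, not Archer's own code or data, that simulates both behaviours over a constructed catalog. The record ids, field values, linked-record structure and the exact layout of the 'Audit' prefix in the Audit Name are assumptions made for illustration.

```python
import copy
from dataclasses import dataclass, field

# Constructed Enterprise Catalog (not Archer data):
# record type -> record name -> {linked record type: [linked record names]}
CATALOG = {
    "Business Processes": {
        "Card Payments": {"Information Assets": ["Cardholder Data"],
                          "Applications": ["Payment Gateway"]},
    },
    "Information Assets": {"Cardholder Data": {"Applications": ["Payment Gateway"]}},
    "Applications": {"Payment Gateway": {"Devices": ["pgw-srv-01", "pgw-srv-02"]}},
    "Devices": {"pgw-srv-01": {"Facilities": ["DC-East"]},
                "pgw-srv-02": {"Facilities": ["DC-East"]}},
    "Facilities": {"DC-East": {}},
}

def build_down(root_type, root_names, collect_types):
    """Traverse the catalog transitively from the roots and collect every
    linked record whose type is in collect_types (the 'build down' step)."""
    found = {t: set() for t in collect_types}
    seen, stack = set(), [(root_type, n) for n in root_names]
    while stack:
        rtype, name = stack.pop()
        if (rtype, name) in seen:          # cycles and shared links are visited once
            continue
        seen.add((rtype, name))
        for linked_type, names in CATALOG.get(rtype, {}).get(name, {}).items():
            for linked in names:
                if linked_type in found:
                    found[linked_type].add(linked)
                stack.append((linked_type, linked))
    return {t: sorted(v) for t, v in found.items()}

@dataclass
class ISMSRecord:
    name: str
    business_processes: list
    linked: dict = field(default_factory=dict)

def isms_relationship_through_business_processes(isms):
    """Feed: link every collected entity back onto the same ISMS record."""
    isms.linked = build_down("Business Processes", isms.business_processes,
                             ["Information Assets", "Applications", "Devices", "Facilities"])
    return isms.linked

# Constructed live Risks and Control Procedures records (hypothetical ids and values)
RISKS = {"R-1": {"Risk Event Category": "Data Breach",
                 "Description": "Cardholder data readable by unauthorised staff",
                 "Response Type": "Mitigate", "Inherent": 20, "Residual": 8,
                 "Calculated Residual Risk": 6, "Control Procedures": ["CP-1", "CP-2"]}}
CONTROL_PROCEDURES = {
    "CP-1": {"Procedure Name": "Encrypt cardholder data at rest", "Type": "Technical",
             "Compliance": "Compliant", "Testing Procedure": "Inspect volume encryption settings"},
    "CP-2": {"Procedure Name": "Quarterly access review", "Type": "Process",
             "Compliance": "Non-Compliant", "Testing Procedure": "Sample review sign-offs"},
}
RISK_FIELDS = ("Risk Event Category", "Description", "Response Type",
               "Inherent", "Residual", "Calculated Residual Risk")
CONTROL_FIELDS = ("Procedure Name", "Type", "Compliance", "Testing Procedure")

def populate_isms_risks_and_controls(risk_ids):
    """Feed: copy key fields into ISMS Risks / ISMS Controls. deepcopy gives the
    point-in-time snapshot: later edits to the live records leave these copies intact."""
    isms_risks, isms_controls = {}, {}
    for rid in risk_ids:
        risk = RISKS[rid]
        isms_risks[rid] = {k: copy.deepcopy(risk[k]) for k in RISK_FIELDS}
        for cp_id in risk["Control Procedures"]:
            ctrl = {k: copy.deepcopy(CONTROL_PROCEDURES[cp_id][k]) for k in CONTROL_FIELDS}
            ctrl.update({"ISMS Risk": rid, "Control Procedure": cp_id})  # cross-references
            isms_controls[cp_id] = ctrl
    return isms_risks, isms_controls

def populate_isms_audit(isms_controls):
    """Feed: one ISMS Audit record per ISMS Controls record."""
    audits = {}
    for cp_id, ctrl in isms_controls.items():
        audits[cp_id] = {
            # Assumed layout of the 'Audit' prefix; the page does not give the exact format.
            "Audit Name": "Audit " + ctrl["Procedure Name"],
            "Procedure Name": ctrl["Procedure Name"],
            "Testing Procedure": ctrl["Testing Procedure"],
            "ISMS Risk": ctrl["ISMS Risk"], "ISMS Control": cp_id,
            "Control Procedure": ctrl["Control Procedure"],
        }
    return audits

def snapshot_survives_live_update():
    """Check the snapshot property: re-assess the live risk after the feed ran."""
    isms_risks, _ = populate_isms_risks_and_controls(["R-1"])
    before = isms_risks["R-1"]["Residual"]
    RISKS["R-1"]["Residual"] = 15          # live Risks record changes later
    return isms_risks["R-1"]["Residual"] == before

if __name__ == "__main__":
    rec = ISMSRecord("ISMS-Card-Payments", ["Card Payments"])
    print(isms_relationship_through_business_processes(rec))
    risks, controls = populate_isms_risks_and_controls(["R-1"])
    print(populate_isms_audit(controls)["CP-2"]["Audit Name"])
    print("snapshot stable:", snapshot_survives_live_update())
```

The traversal uses a visited set so that records reachable by several paths (here DC-East via both devices, and Payment Gateway via both the process and the information asset) are linked to the ISMS record once; the snapshot functions copy only the named key fields, which is what makes the ISMS Audit data a record of the control as it stood when the auditor evaluated it rather than a live view.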
Data Dictionary
The Information Security Management System Data Dictionary contains configuration information for the use case.
You can obtain the Data Dictionary for the solution by contacting your Archer Technologies Account Representative.