Information Security Management System Use Case Design

This topic explains the Information Security Management System use case design.

Architecture Diagram

The following diagram shows the relationships between the applications and questionnaires in the ISMS use case.

Download the source file of the diagram here: Information Security Management System Architecture Diagram

[Figure: Information Security Management System use case architecture diagram]

Applications & Questionnaires

The following table describes the use case applications and questionnaires.

Application/Questionnaire

Description

ISMS

The ISMS application serves as a repository for key policies and processes, and manages the controls and risks to its information assets. You can catalog individual resources related to your ISMS, including information assets, applications, business processes, devices, and facilities, and document and maintain related policies, standards, and risks. Additionally, you can view the status of your risk assessments and link to any findings associated with your ISMS.

Statement of Applicability

The Statement of Applicability (SOA) application allows users to export the SOA, a document used for reporting and certification to auditors and third-party vendors to demonstrate ISO 27001 compliance. The SOA details the organizational controls that have been identified to address the risks outlined in the Risk Management Framework, states whether each control has been implemented, and explains why those controls were chosen. The Statement of Applicability is typically prepared by the ISMS Manager or ISMS Users.

ISMS Audit

The ISMS Audit application acts as a container for controls linked to risks facing the ISMS project. The key details of each control are copied into the ISMS Audit application via a data feed, along with corresponding control standards. This application provides Internal Auditors with a method of evaluating the key characteristics of each control. The data represents a snapshot of the control at a point in time, and will not be affected by updates to the corresponding Control Procedures record.

ISMS Risks

The ISMS Risks application stores risks identified by ISMS stakeholders in the Risk Management Framework section of the ISMS application. Each identified risk is copied via a data feed into the ISMS Risks application, along with corresponding Findings and key data from the Risks application (Risk Event Category, Description, Response Type, Inherent, Residual, and Calculated Residual Risk). This data represents a snapshot of a risk at a point in time, and will not be affected by updates to the corresponding Risks record. Control Procedures related to each Risk are subsequently copied into the ISMS Controls application, which is linked to ISMS Risks.

ISO 27001 Gap Analysis questionnaire

The ISO 27001 Gap Analysis questionnaire contains 204 questions designed to identify compliance gaps against the ISO 27001 information security standard. This questionnaire allows you to identify which ISO 27001 controls your organization has in place and which controls still need to be implemented. For each question answered incorrectly, a Finding is generated, which identifies a deficiency in your ISMS posture. The organization may then choose to accept or mitigate the risk.

ISMS Controls

The ISMS Controls application stores Control Procedures linked to risks that were identified by ISMS stakeholders in the Risk Management Framework section of the ISMS application. Each control that corresponds to an identified risk is copied into the ISMS Controls application, along with key data from Control Procedures (Procedure Name, Type, Compliance, Testing Properties, etc.). This data represents a snapshot of the controls at a point in time and is not affected by updates to the corresponding Control Procedures record. A cross-reference to the related Control Procedures and ISMS Risks records is also included on the layout.

Applications

The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure.

Note: The Applications application is included in the Enterprise Catalog package.

Business Processes

The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units. A business process may also reference one or more products or services. The application enables you to track a business process's personnel, criticality, recovery time objective (RTO), and ITIL category, and to associate it with other aspects of the enterprise infrastructure.

Note: The Business Processes application is included in the Enterprise Catalog package.

Risks (formerly Risk Register)

The Risks application serves as the corporate-controlled instantiation of risks used by the entire organization. It allows users to capture data for an instance of a risk from any given risk statement. Risks are associated with processes, objectives, applications, facilities, key risk indicators, financial losses, and controls. Quantitative risks serve as an aggregation point for underlying Risk Events and are separately assigned to quantitative hierarchies for aggregation.

Devices

The Devices application serves as a central repository for knowledge, such as criticality, about IT devices and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure.

Note: The Devices application is included in the Enterprise Catalog package.

Facilities

The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and technologies associated with the location.

Note: The Facilities application is included in the Enterprise Catalog package.

Information Assets

The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments to determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed.

Note: The Information Assets application is included in the Enterprise Catalog package.

Control Procedures

The Control Procedures application serves as a central repository for instances of control procedures, baselines and activities that are mapped to corporate Primary Controls, establishing the foundation for enterprise-wide risk monitoring and compliance measurement. Control Procedures are categorized into two types: Technical and Process. Based on the selected type, different pieces of information are captured and different testing options are made available.

Note: The Control Procedures application is included in the Enterprise Catalog package.

Personas and access roles

The following table describes the pre-configured use case access roles.

Access Role

Description

ISMS Internal Auditor

Reviews the controls of a given scope to detect any potential issues. Documents the issues and action plan and monitors the issues until they are resolved.

ISMS Manager

Documents ISMS scopes, their context, and the related policies.

ISMS User

Supports the ISMS Manager in preparing the ISMS framework, for example, creating the risk assessments and providing evidence for control tests.

Note: For detailed, page-level access rights, see the Data Dictionary.

For a complete list of application record permission fields, including which user/group fields populate them and where the fields inherit permissions from, see the Data Dictionary.

Additional Access Roles

The following table describes access roles that are included with the ISMS use case package file; however, they are not configured out-of-the-box. To create record permissions for these access roles, see Configuring Archer ISMS.

Access Role

Description

ISMS External Auditor

Reviews a dashboard that displays relevant information, such as the SOA records and the compliance scorecard.

ISMS Process/Asset Owner

Assigned to people who respond to assessments. People assigned to this role are also responsible for implementing the action plans.

ISMS Read Only

Provides read-only access to all applications and questionnaires in the ISMS use case.

Application-level Rights by User

The following table describes the application-level access rights granted to the out-of-the-box access roles (C = Create, R = Read, U = Update, D = Delete).

Application                 ISMS Manager    ISMS User    ISMS Internal Auditor
ISMS                        CRUD            RU           R
ISMS Audit                  RUD             R            RU
ISMS Risks                  RUD             R            R
ISMS Controls               RUD             R            R
Statement of Applicability  CRUD            R            R
ISO 27001 Gap Analysis      RUD             CRU          R
Contacts                    CRU             R            R
Policies                    CRU             R            R
Risks                       CRU             R            R
Business Processes          CRU             R            R
Information Assets          CRU             R            R
Applications                CRU             R            R
Devices                     CRU             R            R
Facilities                  CRU             R            R
Remediation Plans           CRU             R            R
Exception Requests          CRU             R            R
Control Procedures          CRU             R            R
Control Standards           CRU             R            R
Authoritative Sources       CRU             R            R
Findings                    CRU                          CRU

Dashboards

The following table describes the use case dashboard.

Dashboard

Description

ISMS Dashboard

Allows ISMS Team members to track remediations and exceptions and to report overall compliance with ISO 27001.

Data Feeds

Note: For instructions on setting up the feeds, see Setting Up ISMS Data Feeds.

The following table describes the use case data feeds.

Data Feed

Description

ISMS Relationship Through Business Processes

This feed runs the ISMS Relationship through Business Processes report in the ISMS application to collect all the information assets, applications, devices, and facilities associated with the identified business process or processes. The feed then links those collected entities to the same ISMS record.

ISMS Relationship Through Facilities

This feed runs the ISMS Relationship through Facilities report in the ISMS application to collect all the business processes, information assets, applications, and devices associated with the identified facility or facilities. The feed then links those collected entities to the same ISMS record.

ISMS Relationship Through Information Assets

This feed runs the ISMS Relationship through Information Assets report in the ISMS application to collect all the business processes, applications, devices, and facilities associated with the identified information asset or assets. The feed then links those collected entities to the same ISMS record.

Populate ISMS Risks & Controls

This feed runs the Populate ISMS Risks and ISMS Controls report and creates an ISMS Risks record for each identified Risks record. For each identified Risks record, an ISMS Controls record is also created for every Control Procedure linked to that risk.

Populate ISMS Audit

This feed runs the Populate ISMS Audit report to generate ISMS Audit records with data derived from ISMS Controls. The ISMS Controls records were previously created by the Populate ISMS Risks & Controls data feed. For each ISMS Controls record, a corresponding ISMS Audit record is created, with data copied from the Control Procedure Name and Testing Procedure, and cross-referenced to the related ISMS Risks, Risks, ISMS Controls, and Control Standards records. The Audit Name field in ISMS Audit is generated automatically by prefixing the name of the Control Procedure with 'Audit'.
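The two "Populate" feeds above, together with the snapshot semantics described for the ISMS Risks, ISMS Controls, and ISMS Audit applications, can be modelled in a few dozen lines. The following is an added example written for this page, not Archer code and not the feeds' actual implementation: record shapes, field names, the ISMS identifier "ISMS-001", and all sample risks and control procedures are constructed for illustration. It shows the fan-out (one ISMS Risks record per Risks record, one ISMS Controls record per linked Control Procedure, one ISMS Audit record per ISMS Controls record), the 'Audit' name prefix, and why a point-in-time copy is unaffected when the live Risks or Control Procedures records are edited afterwards.

```python
"""Model of the 'Populate ISMS Risks & Controls' and 'Populate ISMS Audit'
feeds with point-in-time snapshot semantics.

Added example, not Archer code. Record shapes, field names, the ISMS id and
the sample data are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ControlProcedure:      # live record in the Control Procedures application
    id: str
    procedure_name: str
    control_type: str        # "Technical" or "Process"
    compliance: str
    testing_procedure: str
    control_standards: List[str] = field(default_factory=list)


@dataclass
class Risk:                  # live record in the Risks application
    id: str
    event_category: str
    description: str
    response_type: str
    inherent: int
    residual: int
    calculated_residual: int
    control_procedures: List[ControlProcedure] = field(default_factory=list)


def populate_isms_risks_and_controls(isms_id: str, risks: List[Risk]) -> Dict[str, List[dict]]:
    """One ISMS Risks record per Risks record, one ISMS Controls record per
    linked Control Procedure. Field values are copied, and the only link back
    to the live record is its id, so later edits to the source do not leak in."""
    isms_risks, isms_controls = [], []
    for risk in risks:
        isms_risk_id = f"{isms_id}:{risk.id}"
        isms_risks.append({
            "id": isms_risk_id, "isms_id": isms_id,
            "risk_id": risk.id,                      # cross-reference to the live Risks record
            "event_category": risk.event_category, "description": risk.description,
            "response_type": risk.response_type, "inherent": risk.inherent,
            "residual": risk.residual, "calculated_residual": risk.calculated_residual,
        })
        for cp in risk.control_procedures:
            isms_controls.append({
                "id": f"{isms_risk_id}:{cp.id}", "isms_id": isms_id,
                "isms_risk_id": isms_risk_id,        # cross-reference to the ISMS Risks snapshot
                "control_procedure_id": cp.id,       # cross-reference to the live Control Procedures record
                "procedure_name": cp.procedure_name, "control_type": cp.control_type,
                "compliance": cp.compliance, "testing_procedure": cp.testing_procedure,
                "control_standards": list(cp.control_standards),   # copied, not shared
            })
    return {"isms_risks": isms_risks, "isms_controls": isms_controls}


def populate_isms_audit(isms_controls: List[dict]) -> List[dict]:
    """One ISMS Audit record per ISMS Controls record; the Audit Name is the
    Control Procedure name with the 'Audit' prefix."""
    return [{
        "audit_name": f"Audit {ctrl['procedure_name']}",
        "testing_procedure": ctrl["testing_procedure"],
        "isms_risk_id": ctrl["isms_risk_id"],
        "isms_control_id": ctrl["id"],
        "control_procedure_id": ctrl["control_procedure_id"],
        "control_standards": list(ctrl["control_standards"]),
    } for ctrl in isms_controls]


def build_sample_data() -> List[Risk]:
    """Constructed sample source records; one control procedure is shared by two risks."""
    access_review = ControlProcedure("CP-1", "Quarterly access review", "Process", "Compliant",
                                     "Sample 25 accounts; verify approvals on file", ["CS-1"])
    disk_encryption = ControlProcedure("CP-2", "Laptop disk encryption", "Technical", "Non-Compliant",
                                       "Pull encryption status for all laptops from MDM", ["CS-2"])
    return [
        Risk("R-1", "Unauthorized access", "Excess privilege on file shares", "Mitigate",
             16, 12, 12, [access_review, disk_encryption]),
        Risk("R-2", "Data loss", "Lost laptop holding unencrypted data", "Mitigate",
             20, 8, 8, [disk_encryption]),
    ]


def run_feeds_demo() -> dict:
    """Run both feeds, then edit the live records to show the snapshot is unaffected."""
    risks = build_sample_data()
    out = populate_isms_risks_and_controls("ISMS-001", risks)
    audits = populate_isms_audit(out["isms_controls"])
    risks[0].residual = 20                                   # later edit to the live Risks record
    risks[0].control_procedures[0].compliance = "Non-Compliant"   # later edit to a live Control Procedure
    return {
        "isms_risks": out["isms_risks"], "isms_controls": out["isms_controls"], "isms_audit": audits,
        "source_residual_after_change": risks[0].residual,
        "snapshot_residual_after_change": out["isms_risks"][0]["residual"],
        "snapshot_compliance_after_change": out["isms_controls"][0]["compliance"],
    }


if __name__ == "__main__":
    result = run_feeds_demo()
    for audit in result["isms_audit"]:
        print(audit["audit_name"], "->", audit["isms_control_id"])
    print("live residual:", result["source_residual_after_change"],
          "| snapshot residual:", result["snapshot_residual_after_change"])
```

Because CP-2 is linked to both R-1 and R-2, the feed produces three ISMS Controls records from two Control Procedures, and three ISMS Audit records follow from them; the snapshot keeps residual 12 and "Compliant" after the live records are changed to 20 and "Non-Compliant".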

Data Dictionary

The Information Security Management System Data Dictionary contains configuration information for the use case.

You can obtain the Data Dictionary for the solution by contacting your Archer Technologies Account Representative.