Information Security Management System Use Case Design

The ISMS application serves as a repository for key policies and processes, and manages the controls and risks to its information assets. You can catalog individual resources related to your ISMS, including information assets, applications, business processes, devices, facilities, and document and maintain related policies, standards, and risks. Additionally, you can view the status of your risk assessments and link to any findings associated with your ISMS.

The Statement of Applicability (SOA) application allows users to export the SOA, which is a document that can be used for reporting and certification to auditors and third-party vendors to display ISO 27001 compliance. The SOA details organizational controls that have been identified to address risks that were outlined in the Risk Management Framework, states whether the controls have been implemented, and details why those controls were chosen. The Statement of Applicability is typically prepared by the ISMS Manager or ISMS Users.

The ISMS Audit application acts as a container for controls linked to risks facing the ISMS project. The key details of each control are copied into the ISMS Audit application via a data feed, along with corresponding control standards. This application provides Internal Auditors with a method of evaluating the key characteristics of each control. The data represents a snapshot of the control at a point in time, and will not be affected by updates to the corresponding Control Procedures record.

The ISMS Risks application stores risks identified by ISMS stakeholders in the Risk Management Framework section of the ISMS application. Each identified risk is copied via a data feed into the ISMS Risks application, along with corresponding Findings and key data from the Risks application (Risk Event Category, Description, Response Type, Inherent, Residual, and Calculated Residual Risk). This data represents a snapshot of a risk at a point in time, and will not be affected by updates to the corresponding Risks record. Control Procedures related to each Risk are subsequently copied into the ISMS Controls application, which is linked to ISMS Risks.

The ISO 27001 Gap Analysis questionnaire contains 204 questions designed to identify compliance gaps against the ISO 27001 information security standard. This questionnaire allows you to identify which ISO 27001 controls your organization has in place and which controls still need to be implemented. For each question answered incorrectly, a Finding is generated, which identifies a deficiency in your ISMS posture. The organization may then choose to accept or mitigate the risk.

The ISMS Controls application stores Control Procedures linked to risks that were identified by ISMS stakeholders in the Risk Management Framework section of the ISMS application. Each control that corresponds to the identified risk is copied into the ISMS Controls application, along with key data from Control Procedures (Procedure Name, Type, Compliance, Testing Properties, etc). This data represents a snapshot of the controls at a point in time and is not affected by updates to the corresponding Control Procedures record. A cross-reference to the related Control Procedures and ISMS Risk is also included on layout.

The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure.

Note: The Applications application is included in the Enterprise Catalog package.

The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units. A business process may also be referenced to one or multiple products or services. The application enables you to track the business processes personnel, criticality, recovery time objective (RTO) and ITIL category, and associate it with other aspects of the enterprise infrastructure.

Note: The Business Processes application is included in the Enterprise Catalog package.

The Risks application serves as the corporate controlled instantiation of risks used by the entire organization. It allows users to capture data for an instance of a risk from any given risk statement. Risks are associated to processes, objectives, applications, facilities, key risk indicators, financial losses, and controls. Quantitative risks serve as an aggregation point for underlying Risk Events and are separately assigned to quantitative hierarchies for aggregation.

The Devices application serves as a central repository for knowledge, such as criticality, about IT devices and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure.

Note: The Devices application is included in the Enterprise Catalog package.

The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and technologies associated with the location.

Note: The Facilities application is included in the Enterprise Catalog package.

The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments to determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed.

Note: The Information Assets application is included in the Enterprise Catalog package.

Reviews the controls of a given scope to detect any potential issues. Documents the issues and action plan and monitors the issues until they are resolved.

Documents ISMS scopes, their context, and the related policies.

Reviews dashboard that displays relevant information, such as the SoA records and compliance scorecard.

Assigned to people who respond to assessments. People assigned to this role are also responsible for implementation of the action plans.

R

RU

R

R

R

R

R

R

R

R

R

R

R

R

R

R

R

R

R

This feed runs the ISMS Relationship through Business Processes report in the ISMS application to build down all the information assets, applications, devices, and facilities associated with the identified business process or processes. The feed then links those collected entities to the same ISMS record.

This feed runs the ISMS Relationship through Facilities report in the ISMS application to build down all the business processes, information assets, applications, and devices associated with the identified facility or facilities. The feed then links those collected entities to the same ISMS record.

This feed runs the ISMS Relationship through Information Assets report in the ISMS application to build down all the business processes, applications, devices, and facilities associated with the identified information asset or assets. The feed then links those collected entities to the same ISMS record.

This feed runs the Populate ISMS Risks and ISMS Controls report and creates ISMS Risks for each identified Risks record. For each identified Risks record, an ISMS control record is created for all linked control procedures.