Managing Your ISMS
The Information Security Management System use case allows you to document information about ISO policies, define the scope of your ISMS, perform a gap analysis to provide visibility into the potential gaps in your compliance with ISO 27001, and perform an audit of your ISMS.
The ISMS use case allows you to do the following:
- Document ISMS details & assign stakeholders. Provide information in fields including ISMS scope, Target ISO 27001 Compliance, Compliance Alignment Goal, and Applicable ISO 27001 Sections. Additionally, describe the direction and key milestones for the ISMS project and assign stakeholders.
- Document policy framework. Select an existing policy record or create a new policy record. For each policy that you want to document, provide the policy name, description, owner, and stakeholders.
- Define the scope of your ISMS. Select the Business Process, Facilities, or Information Assets scoping method, click Queued, and click Auto Scope. The data feed associated with the scoping method that you selected populates the devices, applications, business processes, facilities, or information assets related to this ISMS record.
- Complete the ISO 27001 Gap Analysis. Create, re-assign, respond to, and review the Gap Analysis.
- Document your risk management framework. Use the Risk Management Framework section to identify risks, update your status, and review the last time a risk assessment was performed.
- Review and complete ISMS Audit records. The ISMS Audit section is populated after both the ISMS Risks & Controls and ISMS Audit data feeds successfully run. An audit record is created for each control procedure that was created by the ISMS Risks & Controls data feed. Click into each individual ISMS audit record to complete the audit; you can review each of the findings in the Audit tab.
- Document your statement of applicability. The SOA details organizational controls that have been identified to address risks that were outlined in the Risk Management Framework, states whether the controls have been implemented, and details why those controls were chosen.