Using ISMS
The Information Security Management System use case supports the following process.
ISMS Process Diagram
The following diagram shows the major phases, key tasks, and the users responsible for each task.
Download the source file of the diagram here: Information Security Management System Process Diagram
Document ISMS details & assign stakeholders
User: ISMS Manager
The ISMS Manager begins the ISMS process by providing a high-level description of the ISMS scope, identifying the target compliance level of the ISMS, and selecting stakeholders. The stakeholders selected here, such as the ISMS User and the Internal Auditor, are tied to specific record permissions, which determine the tasks those users can complete and the records they can interact with. Refer to the CRUD rights chart in the Use Case Design section before assigning users to specific roles.
Document Policy Framework
Users: ISMS Manager, ISMS User
After selecting stakeholders, the ISMS Manager identifies any existing organizational policies that apply to this ISMS record and documents new policies as needed.
Define the scope of your ISMS
User: ISMS Manager
As part of the scope definition phase, the ISMS Manager identifies all elements that are in scope for the ISMS by selecting a scoping method. Scoping can start from business processes, facilities, or information assets. Selecting a scoping method triggers a data feed that populates the ISMS record with the in-scope elements by auto-scoping cross-referenced assets along the following paths.
- Business Processes > Assets > Applications > Devices > Facilities
- Facilities > Devices > Applications > Business Processes > Information Assets
- Information Assets > Business Processes > Applications > Devices > Facilities
Note: In order to view the cross-referenced asset details, the ISMS manager must be assigned to the PM, RM, and EM Admin roles.
Provide Evidence for Control Testing
User: Role may vary depending on the organization
Before completing the Gap Analysis, you may choose to complete an internal review of the controls that are linked to your ISMS record to determine the effectiveness of each control and to provide support for why these controls are used. If applicable, complete this task based on the process your organization has defined.
Complete the ISO 27001 Gap Analysis Questionnaire
User: ISMS User
The ISMS Manager first selects the applicable ISO 27001 sections in the ISMS application, so that only the sections of the questionnaire that are relevant to the organization are displayed. This serves to minimize overhead and ensure correct scoring of the ISO 27001 Gap Analysis questionnaire.
Users must be assigned to the ISMS User group to create the ISO 27001 Gap Analysis questionnaire. After the gap analysis is created, the record is enrolled in an advanced workflow. Users complete the applicable sections and submit the questionnaire to the ISMS Manager for review.
The ISMS Manager reviews the questionnaire responses and approves or rejects the gap analysis. If the gap analysis is approved, the record is closed and exits the advanced workflow. If the gap analysis is rejected, the record is sent back to the ISMS User, who must complete and submit the gap analysis again. After the questionnaire is approved, findings are generated for any incorrectly answered questions and linked to the Audit tab of the ISMS record.
Based on the most recently approved questionnaire, the current ISO 27001 compliance level is displayed in the ISMS record. This is a calculated values list field, driven by the percentage of questions answered correctly.
Prior to submitting the Gap Analysis, users have the option to reassign the questionnaire to another user.
Document Risk Management Framework
User: ISMS Manager
Once the ISMS scope has been determined, the ISMS Manager identifies the risks associated with the in-scope business processes, facilities, information assets, devices, and any additional in-scope assets. Based on the selected risks, the ISMS Risks & Controls data feed copies the corresponding records from the Risks application into ISMS Risk records and populates the ISMS Risk and ISMS Controls sections of the ISMS record. For each risk, any controls tied to that risk are also populated in the ISMS Controls section of the ISMS record.
Review and Complete ISMS Audit records
User: Internal Auditor
To conduct an ISMS audit in Archer, the Internal Auditor reviews and completes each ISMS Audit record generated by the ISMS Audit data feed. This feed creates an individual audit record for each control procedure that was created to address risks identified in the Risk Management Framework section. The internal auditor also reviews any findings generated by the ISO 27001 Gap Analysis, and creates exception requests and remediation plans as necessary.
Create Statement of Applicability
User: ISMS Manager
The ISMS Manager selects applicable ISO 27001 controls from the Authoritative Sources cross-reference. The manager can then link any authoritative sources, risks, control standards, and remediation plans to the Statement of Applicability record. Once all essential information has been accounted for, and the implementation status of each control has been updated, the manager can generate a statement of applicability from the ISMS application using a preconfigured mail merge.