Each entry below gives the auditor's interest, the AlterRisk menus involved, and how to use them.
Auditor's interest: Objectives of ISMS
Menus: Projects -> New project
How to use: To define and track ISMS goals, click on Projects and create a new project of the type "Compliance Assessment" with, for example, the following data:
After the project has been created, enter the goals on the Goals tab and the metrics on the Metrics tab. When entering a new metric (selected from the knowledge base code list), choose which goal it refers to and the target values for the green, yellow and red traffic lights. Then, on the project screen, click the "Start project" button and then "Prepare data".
Auditor's interest: Tracking the objectives of the previous period
Menus: Projects -> Data Metrics
How to use: Click Projects -> Data Metrics, filter for the desired project (e.g. Goals 2022) and enter the metric values for the past period. The metric lines are automatically coloured in traffic-light colours according to the target values.
Auditor's interest: Security awareness and security education
Menus: Projects; Education (NEW)
How to use: A user with the "manager" role clicks the Projects menu and creates a new project of the type "Education", with a start and end date and a description of the training. The manager then opens this project and adds the training materials (e.g. PowerPoint presentations, PDF documents, video material), selects the users who should attend the training by clicking the circles next to their names, and clicks the "Add users to education" button. Clicking "Send an education notification" then sends those users an e-mail with a link to the training. Following the link takes the user to the Education menu, where the assigned training is listed; clicking the training line lets the user download and view it and then click the "Finish Education" button. For presentation to auditors, the Education menu can produce a complete list of users who have attended the training.
Auditor's interest: Analysis of compliance with the requirements of the standard, or internal audit of the ISMS
Menus: Projects; Controls -> Audit Controls; Report -> Compliance Status - Summary; Report -> Audit Report
How to use: An internal audit or "self-assessment" is started by creating a new project of the type "Compliance Assessment" on the Projects menu with, for example, the following data:
If only part of the standard is to be audited, select only the chapters to be audited on the "Selected chapters" tab. Then click the "Start project" button. This creates a "checklist" of controls to be evaluated, which is done via Controls -> Revisions of Controls. First filter the list by project, then revise each item to specify:
If at least one revision of the controls has already been carried out, the "Copy previous status" button (next to the Edit button) can be used. Once all items are filled in, two reports can be created on the Reports menu:
For correct data, set the "Standard" filter (and, for the Audit Report, the "Project" filter).
Auditor's interest: Management of information assets (register of information assets)
Menus: Entities
How to use: The Entities menu lists the ISMS entities (information assets). For audit purposes this register must be kept up to date. If an owner or guardian is defined for an entity, users who log in with the "Users" role see only their own entities and can update them with new values; the CISO can update all entities.
Auditor's interest: Risk assessment and monitoring of a risk treatment plan
Menus: Projects; Entities; Risks -> Risk Assessments; Risks -> Control Implementation Plan
How to use: Regular annual risk assessments are carried out through projects. Click the Projects menu, then "New Project", and create a project of the type "Risk Assessment". Then add entities (information assets) to this project via the tab at the bottom of the project screen, either one entity at a time or by going to the Entities menu and adding several at once with a multiple selection (select the entities and click Actions -> Add Entities to Project).
Next, click the "Auto risk creation" button on this project's screen; it creates risks according to the mapping of threats to entity types in the knowledge base.
To assess the risks, click Risks -> Risk Assessments, filter the list by project, and for each risk item set the probability and impact and then the risk treatment method.
For every risk whose treatment method is "Reduce", select the risk treatment plan activities for that risk on its tab. Plan items are selected if they have already been entered; otherwise new ones are created by clicking Add next to the plan item selector.
Once the risk treatment plan items have been created for all risks to be reduced, they can be viewed in one place under Risks -> Control Implementation Plan.
Note: If each risk guardian evaluates their own risks, then after logging in they see only their own risks under Risks -> Risk Assessments.
Note 2: If a risk assessment has already been carried out in previous years, the easiest way to repeat it is to click the Projects menu, click the three dots (...) next to the previous risk assessment project and choose "Create as a new project". This creates a duplicate risk assessment in which you only need to add new entities or remove old ones, evaluate them, and update the existing ones where necessary.
Auditor's interest: Risk assessment of external suppliers
Menus: Risks -> Risk Assessments
How to use: Risk assessment of external suppliers (outsourcing) is done in the same way as for all other entity types; only third-party entities are included in the risk assessment project. See the instructions for the previous item.
Auditor's interest: Measuring the effectiveness of the ISMS
Menus: Reports -> Compliance Status - Summarized; Projects -> Data Metrics
How to use: If the method of measuring the effectiveness of the ISMS must be demonstrated, AlterRisk supports two ways:
Qualitatively, through compliance assessment projects (internal audits); see the instructions for "Analysis of compliance with the requirements of the standard, or internal audit of the ISMS".
Quantitatively, by entering the values of individual metrics; see the instructions for "Objectives of ISMS" and "Tracking the objectives of the previous period".
Auditor's interest: Non-compliance records
Menus: Risks -> Findings
How to use: Any negative event in the information system can be recorded in the list under Risks -> Findings. Finding types include non-compliance, audit findings, vulnerabilities and incidents. They can be added directly through that menu, or they arise from risk assessment and compliance assessment projects:
Auditor's interest: Incident records
Menus: Risks -> Findings
How to use: The same list is used as for nonconformities. Under Risks -> Findings, enter an item of type "Incident" and track the further resolution of the incident there.
Auditor's interest: BIA (Business Impact Analysis)
Menus: Entities; Entities -> Processes
How to use: AlterRisk supports BIA (business impact analysis) as follows. First, all entities identified in the scope of the ISMS are entered under the Entities menu.
Then click Entities -> Processes, select each process in turn and, on its tabs, enter the dependencies of the selected process on other entity types. For each dependency the business parameter RTO (Recovery Time Objective) can be entered, and for services also the RPO (Recovery Point Objective).
Once all the links have been made, the BIA form for each process is obtained by clicking the "PDF report" or "Word report" button.
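The BIA report is only as reliable as the RTO/RPO values behind it: a process cannot meet its RTO if something it depends on, directly or through a chain, recovers more slowly. The following added Python example (not AlterRisk code; it assumes RTO/RPO are stored per entity and uses a constructed sample inventory) runs that consistency check before the form is signed off.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Entity:
    name: str
    kind: str                       # "process", "service", "hardware", "software"
    rto_hours: float | None = None  # RTO: target for a process, recovery promise for a dependency
    rpo_hours: float | None = None  # RPO, recorded for services only (as on the BIA tabs)
    depends_on: list[str] = field(default_factory=list)

def effective_rto(name: str, inv: dict[str, Entity], seen: frozenset = frozenset()) -> float:
    """Slowest recovery along any dependency chain below `name`; inf if an RTO is missing or a cycle exists."""
    if name in seen:
        return float("inf")         # dependency cycle: nothing can be recovered first
    e = inv[name]
    own = float("inf") if e.rto_hours is None else e.rto_hours
    return max([own, *(effective_rto(d, inv, seen | {name}) for d in e.depends_on)])

def bia_findings(inv: dict[str, Entity]) -> list[str]:
    """Inconsistencies that would make the BIA report for a process unreliable."""
    out = []
    for p in (e for e in inv.values() if e.kind == "process"):
        if p.rto_hours is None:
            out.append(f"{p.name}: process RTO not set")
            continue
        for d in p.depends_on:
            eff = effective_rto(d, inv)
            if eff == float("inf"):
                out.append(f"{p.name}: dependency chain under {d} has a missing RTO or a cycle")
            elif eff > p.rto_hours:
                out.append(f"{p.name}: RTO {p.rto_hours}h cannot be met, {d} recovers in {eff}h")
            if inv[d].kind == "service" and inv[d].rpo_hours is None:
                out.append(f"{p.name}: service {d} has no RPO")
    return out

# Constructed sample inventory (not real data): the ERP service recovers only after its DB cluster.
SAMPLE = {e.name: e for e in [
    Entity("Invoicing", "process", rto_hours=4, depends_on=["ERP"]),
    Entity("ERP", "service", rto_hours=2, rpo_hours=1, depends_on=["DB-cluster", "App-server"]),
    Entity("DB-cluster", "hardware", rto_hours=8),
    Entity("App-server", "hardware", rto_hours=1),
    Entity("Payroll", "process", rto_hours=24, depends_on=["HR-portal"]),
    Entity("HR-portal", "service", rto_hours=12),
]}

if __name__ == "__main__":
    for line in bia_findings(SAMPLE):
        print(line)
```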
Auditor's interest: Recovery plans
Menus: Entities -> Services
How to use: A recovery plan can be created for each entity (information asset) of type "Service". It is generated in Word or PDF format by clicking the "DR Plan" button for the service selected in the list under Entities -> Services.
For the plan to be populated with data, the data for the selected service must be filled in and the service's dependencies on other entity types (e.g. hardware and software used, connections to other services) must be created. These links are entered via the tab visible on each service's screen.
Auditor's interest: Check access rights
Menus: Projects; Entities -> Services
How to use: AlterRisk can also be used for regular reviews of access to services. First create a project of the type "Service Access Verification". After the project has been created, add the services whose access is to be checked on the "Entities" tab, then start the project with the "Start project" button. This creates items that are visible on the data screen of each service under Entities -> Services. After logging in to AlterRisk, each owner or guardian of a service can go through the services they own or guard and enter the details of the verification performed on the "Access Check" tab. The project administrator sees all items by clicking Projects, selecting the access rights check project and opening its "Access Check" tab.
Auditor's interest: SoA (Statement of Applicability)
Menus: Reports -> SOA report
How to use: The SOA report is produced automatically by clicking Reports -> SOA report and setting the Standard filter to "ISO 27002". The SOA report items are created and can then be exported to Excel, Word or PDF by clicking Report and choosing the format.
As a prerequisite for populating the report, the following fields must be filled in under Knowledge Base -> Regulatory Standards -> Chapters:
