27k1 ISMS Product Information
The 27k1 ISMS has been designed and developed in accordance with the ISO 27001 standard by Information Security professionals and has evolved through practical feedback received from ISO 27001 practitioners.
The 27k1 ISMS allows any company to identify all Information Security assets, assess their values and quantify any risks, threats and vulnerabilities to which these assets may be exposed.
Getting started with 27k1 ISMS
The Getting Started section enables the system implementer to establish their company’s information security criteria and risk appetite. This means submitting data to the system that covers all the company’s information security assets, such as buildings and personnel, as well as setting the business and security objectives and system scope.
This groundwork lays the foundation for how the 27k1 system allows the user to assess risks, threats and vulnerabilities to which information security assets are exposed. The process is logical, intuitive and can be configured at every stage.
The example screenshot shows an Information Classification template which can be configured in accordance with your ISMS policies.
Information Classification is one of several ISMS policy settings, along with Asset Valuations, Likelihood Table, Impact Table and others that establish how the business will manage, respond to and treat risks and threats to its Information Security. The 27k1 system enables the business to set these parameters in order to show the Auditor and other Governance personnel that it has considered all eventualities.
The Gap Manager module is designed for Implementers to assess and allocate each security control efficiently and effectively.
The results of the Gap Analysis are reported and shown against the selected controls during the risk treatment process, which is managed from the Risk Manager module.
As standard, the 27k1 ISMS system provides a complete set of Controls and Clauses including the Annex A Controls. The Gap Analysis Reports also include Actions, Progress and Summary Reports so that the business can review its efforts to reduce risk to its Information Security.
All Information Security assets are managed within the Asset Manager module. Each asset type has a particular set of fields within the system, allowing it to be managed according to the ISO 27001 standard. For companies that do not have an asset register, the 27k1 system fulfils this function. Moreover, the same applies to companies that do not have an HR Register, since Personnel are also regarded as assets within the ISO 27001 standard.
For similar asset types, such as Laptops with the same software installations, the system allows bulk imports into a “quarantine zone” for approval before uploading. This process also applies to Personnel, Hardware, Software and Outsourced Services in order to prevent the repeat management and risk assessment of similar asset types.
The Document Manager
All Information Security documents are listed and tracked in the Document Manager. By default, the 27k1 system provides a set of document titles that is acceptable for most ISMSs, and additional documents can be added as required.
The 27k1 ISMS does not deploy an integrated document management system. Instead, the Document Manager has been designed to “point” to the actual document using a URL that is inserted into an associated field. In this way, a company can make use of its present document management system, such as SharePoint, Egnyte, Dropbox, Office 365 or another solution, saving cost and time, whilst enabling document revision by personnel who have access permission.
The Control Manager
Manage all the Annex A Controls and track the status of each control in readiness for automatically producing a Statement of Applicability. In the Control Manager you can also assign suggested documents to each Control and manage the Actions that you have assigned to the associated Control.
The Statement of Applicability can be created within the Control Manager at any time, then issued when all the Controls are in place. This means that you can keep track of the Statement of Applicability and directly associate a specific SoA with the ISO 27001 Certification Scope.
The Risk Manager has been developed to provide a fully comprehensive and highly flexible asset and business scenario valuation, assessment and treatment solution.
In addition to the risk and vulnerability assessment of assets, the system allows you to consider business risk scenarios as well. In the Getting Started module, you can set up the system to suggest multiple threats to assets and their vulnerabilities. Alternatively, you can choose to select asset vulnerabilities and any threats to which they may be exposed. The system has been developed to suggest numerous examples of threats and vulnerabilities, allowing you to choose those that may apply to an Information Security asset or allow you to submit your own. Either way, this consistent approach is then used to apply a scored assessment and treatment plan for the asset.
Managing and tracking risks
The Risk Treatment process leads to Risk Treatment projects that require actions according to the level of risk. The treatment options are Accept, Treat, Transfer or Avoid.
Once the risk has been assessed and managed, the system allows further management and treatment of any residual risks before accepting and assigning responsibility for these actions. In this way, the 27k1 ISMS provides a total audit trail and full reporting for the tracking, management and mitigation of Information Security risks.
Audits and security breaches may identify nonconformances, where corrective actions are required. The Conformance Manager allows the user to identify nonconformances, treat them with corrective actions and then track the corrective action process until conformance is achieved.
The system provides detailed Conformance Reports that highlight severity, root cause, preventive measures to be applied, start, progress and closure dates as well as identifying those responsible for each action. In this way, the 27k1 system reports on progress towards ISO 27001 compliance.
The 27k1 ISMS delivers a full set of automatically generated reports, including the Statement of Applicability, that will enable the business to achieve compliance with the ISO 27001 standard.
You can use our support service to request tailored reports that may be required for your business.
As the threat landscape changes and as our system resellers request feature improvements, we continuously develop and release upgrades to the 27k1 ISMS, which are identified in the release notes.
All system developments are provided free of charge to system users.
One feature noted here is the ability to offer suggested ISO 27001 controls based on the criteria selected for each type of asset.