As a Christmas gift, my dear friend and colleague Gabriele presented the EriZone ISMS tool, a specifically customized and configured EriZone instance that supports the documentation of a company's Information Security Management System based on ISO/IEC 27001. Follow this link to read his post first: https://www.neteye-blog.com/2019/12/use-erizone-to-maintain-and-improve-an-isms-based-on-iso-27001/.
In this post I will give more technical details about the tool, which we will also be using for ISO 27001 documentation here at Würth Phoenix. For deeper insights, implementation costs, and to evaluate the deployment on a running EriZone instance versus a standalone one, you can contact either one of us or our sales team at any time.
An ISMS can be divided into three parts:
The EriZone ISMS mainly covers the first two parts, while the third part can be covered by any available Service Desk system and the NetEye suite.
We decided to use configuration items (CI) in the EriZone CMDB to store the (currently 114) Controls and Control Objectives that make up the Statement of Applicability (SoA). You can see an overview of their deployment state and store additional notes, analysis results and links to external documentation directly in the CI.
The CMDB is also used to store a list of potential and identified security vulnerabilities.
Both controls and vulnerabilities can be imported and exported as CSV files directly through the graphical user interface, with every change versioned.
Threat analysis and risk assessment are carried out by creating a ticket for every identified threat. This ticket needs to be linked to the relevant Controls and Vulnerabilities. Following the analysis process, a risk assessment can be performed for each ticket using the risk analysis module. Here, the impact on financial, reputational, infrastructure and other risk categories is rated, and the average risk, calculated on the basis of the threat event likelihood, is stored in the ticket. The risk categories and the impact-likelihood matrix can be customized in the admin interface.
Next, risk treatment activities (e.g. risk mitigation, acceptance or sharing) can be recorded as internal notes in the ticket. Once the assessment is concluded, the implementation status of the linked SoA controls can be re-evaluated.
Risk assessment with tickets and linked configuration items has various benefits. You will be able to:
The predefined service catalogue for the EriZone ISMS also includes a categorization of security-relevant events, the ability to schedule recurrent maintenance and monitoring activities, the documentation of proactive actions, a change management process, and tickets to record and respond to internal and external audit requests. Thus you will be able to gather all ISMS documentation and correspondence in a single place.
Finally, analysis results also need to be presented in an appealing way: the tool includes a Grafana dashboard that shows Control coverage, average risk levels by Control group and identified risks, with links to tickets and CIs in the EriZone ISMS.
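To make the risk assessment step and the dashboard aggregates concrete, here is an added example (not EriZone's own code or data model) that models a threat ticket linked to SoA controls and vulnerabilities, rates the impact per category against the threat event likelihood through an impact-likelihood matrix, stores the average risk, and then computes the two dashboard figures mentioned above: average risk per control group and control coverage. The matrix values, the risk formula (matrix lookup per category, then the mean), the `Control` and `ThreatTicket` classes, the status values and all sample tickets and vulnerability IDs are assumptions constructed for this example; the control numbers are ISO 27001:2013 Annex A identifiers.

```python
from dataclasses import dataclass, field
from statistics import mean

# Impact-likelihood matrix, indexed as RISK_MATRIX[impact - 1][likelihood - 1]
# on a 1..5 scale for both axes. The post says this matrix is customizable in
# the admin interface; the values below are constructed for this example.
RISK_MATRIX = [
    [1, 1, 2, 2, 3],     # impact 1: negligible
    [1, 2, 3, 4, 5],     # impact 2: minor
    [2, 3, 5, 6, 8],     # impact 3: moderate
    [2, 4, 6, 8, 10],    # impact 4: major
    [3, 5, 8, 10, 12],   # impact 5: critical
]

# Risk categories named in the post; "other" is the catch-all category.
RISK_CATEGORIES = ("financial", "reputational", "infrastructure", "other")


@dataclass
class Control:
    """One SoA control stored as a CI (identifiers from ISO 27001:2013 Annex A)."""
    control_id: str
    group: str      # e.g. "A.12" for the A.12.x controls
    status: str     # assumed values: implemented / partially implemented / not implemented / not applicable


@dataclass
class ThreatTicket:
    """One identified threat, linked to the relevant controls and vulnerabilities."""
    ticket_id: str
    title: str
    likelihood: int                 # threat event likelihood, 1..5
    impact: dict                    # category -> impact rating, 1..5
    linked_controls: list = field(default_factory=list)
    linked_vulnerabilities: list = field(default_factory=list)


def _check_scale(value, name):
    """Reject ratings outside the matrix dimensions instead of silently indexing wrong."""
    if not 1 <= value <= len(RISK_MATRIX):
        raise ValueError(f"{name} must be between 1 and {len(RISK_MATRIX)}, got {value}")


def assess_risk(ticket, matrix=RISK_MATRIX):
    """Look up each category's impact against the ticket's likelihood and
    return the average risk that would be stored in the ticket."""
    _check_scale(ticket.likelihood, "likelihood")
    per_category = []
    for category in RISK_CATEGORIES:
        impact = ticket.impact[category]   # KeyError if a category was not rated
        _check_scale(impact, f"impact[{category}]")
        per_category.append(matrix[impact - 1][ticket.likelihood - 1])
    return mean(per_category)


def average_risk_by_control_group(tickets, controls):
    """Dashboard aggregate: mean stored risk of the tickets linked to each control group.
    A ticket linked to two controls of the same group is counted once."""
    group_of = {c.control_id: c.group for c in controls}
    linked = {}                     # group -> {ticket_id: risk}
    for t in tickets:
        risk = assess_risk(t)
        for cid in t.linked_controls:
            if cid not in group_of:
                raise KeyError(f"ticket {t.ticket_id} links unknown control {cid}")
            linked.setdefault(group_of[cid], {})[t.ticket_id] = risk
    return {group: mean(risks.values()) for group, risks in linked.items()}


def control_coverage(controls):
    """Dashboard aggregate: share of applicable controls that are fully implemented."""
    applicable = [c for c in controls if c.status != "not applicable"]
    implemented = [c for c in applicable if c.status == "implemented"]
    return {
        "implemented": len(implemented),
        "applicable": len(applicable),
        "coverage": len(implemented) / len(applicable) if applicable else 0.0,
    }


# Constructed sample data: four controls and two threat tickets.
CONTROLS = [
    Control("A.9.4.2", "A.9", "implemented"),             # secure log-on procedures
    Control("A.12.4.1", "A.12", "partially implemented"),  # event logging
    Control("A.12.6.1", "A.12", "implemented"),           # management of technical vulnerabilities
    Control("A.14.2.7", "A.14", "not applicable"),        # outsourced development
]
TICKETS = [
    ThreatTicket("T-1001", "Compromise of an unpatched internet-facing web server", 4,
                 {"financial": 3, "reputational": 4, "infrastructure": 4, "other": 2},
                 ["A.12.6.1"], ["VULN-0007"]),
    ThreatTicket("T-1002", "Account takeover on the customer portal", 3,
                 {"financial": 2, "reputational": 5, "infrastructure": 2, "other": 1},
                 ["A.9.4.2", "A.12.4.1"], ["VULN-0003"]),
]

if __name__ == "__main__":
    for t in TICKETS:
        print(f"{t.ticket_id} {t.title!r}: average risk {assess_risk(t):.2f}")
    print("risk by control group:", average_risk_by_control_group(TICKETS, CONTROLS))
    print("control coverage:", control_coverage(CONTROLS))
```

Two design points carry over to any ISMS tooling of this shape: ratings are validated against the matrix dimensions before lookup, so a customized matrix with a different scale fails loudly rather than producing wrong scores, and a ticket linked to several controls in the same group contributes to that group's average only once, which keeps the per-group dashboard figure from being inflated by heavily cross-linked tickets.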