28. 12. 2019 Mirko Morandini Log-SIEM, Service Management

EriZone ISMS: The Tool for ISO 27001 Documentation

As a Christmas gift, my dear friend and colleague Gabriele presented the EriZone ISMS tool, an EriZone instance specifically customized and configured to support the documentation of a company’s Information Security Management System (ISMS) based on ISO/IEC 27001. Follow this link to read his post first: https://www.neteye-blog.com/2019/12/use-erizone-to-maintain-and-improve-an-isms-based-on-iso-27001/.

In this post I will give more technical details about the tool, which we will also be using for our own ISO 27001 documentation here at Würth Phoenix. For deeper insights, implementation costs, and to evaluate deploying it on an existing EriZone instance versus a standalone one, you can contact either one of us or our sales team at any time.

An ISMS can be divided into three parts:

  • Documentation of the ISMS
    • Description of the scope and the ISMS processes
    • Statement of Applicability (SoA) and the 114 security controls
    • Vulnerabilities and threats
    • Risk analysis and risk treatment
  • Management and documentation of security-relevant events
    • Assessment of security-relevant events and incidents by the security officers
    • Assessment of security-relevant changes in infrastructure and processes
  • Processes and tools for describing the infrastructure and detecting security-relevant events
    • Asset management
    • Event and incident management by the IT/Service desk
    • Monitoring, log management, and SIEM tools
    • Documentation of the IT processes in the company, EriZone ISMS

The EriZone ISMS mainly covers the first two parts, while the third part can be covered by any available Service Desk system and the NetEye suite.

EriZone ISMS System Details

We decided to use configuration items (CIs) in the EriZone CMDB to store the (currently 114) Controls and Control Objectives that make up the SoA. Each CI gives an overview of the control's deployment state, and additional notes, analysis results and links to external documentation can be stored directly in the CI.

The CMDB is also used to store a list of potential and identified security vulnerabilities.

Both controls and vulnerabilities can be imported and exported as CSV files directly from the graphical user interface, and all changes are versioned.

Threat Analysis and Risk Assessment

Threat analysis and risk assessment are carried out by creating a ticket for every identified threat. This ticket needs to be linked to the relevant Controls and Vulnerabilities. Following the analysis process, a risk assessment can be performed for each ticket using the risk analysis module. Here, the impact on finances, reputation, infrastructure and other risk categories is evaluated, and the average risk, calculated from these impacts and the threat event likelihood, is stored in the ticket. The risk categories and the impact-likelihood matrix can be customized in the admin interface.

Next, risk treatment activities (e.g. risk mitigation, acceptance or sharing) can be recorded as internal notes in the ticket. Once the assessment is concluded, the implementation status of the linked SoA controls can be re-evaluated.

Risk assessment with tickets and linked configuration items has various benefits. You will be able to:

  • easily retrieve all risks that address a SoA Control statement or a vulnerability, and vice versa
  • track all changes in the history
  • define responsibilities for the assessments to be carried out
  • track all email and internal notes, save attachments, and define links to external resources
  • link security-relevant events and incidents (also handled as tickets) to threats and vulnerabilities, and lead the security officer to re-evaluate risks and SoA Controls coverage

The predefined service catalogue for the EriZone ISMS also includes a categorization of security-relevant events, the ability to schedule recurrent maintenance and monitoring activities, the documentation of proactive actions, a change management process, and tickets to record and respond to internal and external audit requests. Thus you will be able to gather all ISMS documentation and correspondence in a single place.

Finally, analysis results also need to be presented in an appealing way: the tool includes a Grafana dashboard that shows Control coverage, average risk levels by Control group and identified risks, with links to tickets and CIs in the EriZone ISMS.
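To make the risk module and the dashboard aggregation concrete, here is a small model of the workflow described above: threat tickets linked to control and vulnerability CIs, an impact-likelihood matrix, the per-ticket average risk, and the average risk per control group. This is an added example written for this post, not EriZone code; the 5x5 matrix values, the ticket data and the grouping by Annex A clause are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed 5x5 impact-likelihood matrix: rows = likelihood 1..5, columns = impact 1..5.
# EriZone ISMS lets admins customize this matrix; the values here are an assumption.
RISK_MATRIX = (
    (1, 2, 3, 4, 5),
    (2, 4, 6, 8, 10),
    (3, 6, 9, 12, 15),
    (4, 8, 12, 16, 20),
    (5, 10, 15, 20, 25),
)
IMPACT_CATEGORIES = ("financial", "reputational", "infrastructure")  # risk categories per ticket

@dataclass
class ThreatTicket:  # one identified threat, modelled like an EriZone ISMS ticket with linked CIs
    title: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impacts: dict          # category -> impact 1..5
    controls: list         # linked SoA control CIs, e.g. "A.9.4.2"
    vulnerabilities: list  # linked vulnerability CIs

def risk_level(likelihood, impact):
    """Matrix lookup; values outside the 1..5 scale are rejected rather than silently clipped."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError(f"likelihood/impact must be 1..5, got {likelihood}/{impact}")
    return RISK_MATRIX[likelihood - 1][impact - 1]

def average_risk(ticket):
    """Average risk stored in the ticket: mean of matrix(likelihood, impact) over all categories."""
    return mean(risk_level(ticket.likelihood, ticket.impacts[c]) for c in IMPACT_CATEGORIES)

def risk_by_control_group(tickets):
    """Dashboard view: average risk per Annex A clause ('A.9.4.2' -> 'A.9'), each ticket once per clause."""
    buckets = {}
    for t in tickets:
        for group in {".".join(c.split(".")[:2]) for c in t.controls}:
            buckets.setdefault(group, []).append(average_risk(t))
    return {g: mean(v) for g, v in buckets.items()}

def tickets_linked_to(tickets, ci_id):
    """Retrieve all threats that reference a given control or vulnerability CI."""
    return [t.title for t in tickets if ci_id in t.controls or ci_id in t.vulnerabilities]

# Constructed sample tickets; titles, scores and links are invented for this example.
TICKETS = [
    ThreatTicket("Phishing leads to credential theft", 4, {"financial": 3, "reputational": 4, "infrastructure": 2}, ["A.7.2.2", "A.9.4.2"], ["No MFA on webmail"]),
    ThreatTicket("Ransomware on file server", 3, {"financial": 5, "reputational": 3, "infrastructure": 5}, ["A.12.2.1", "A.12.3.1"], ["Unpatched SMB service"]),
    ThreatTicket("Loss of unencrypted laptop", 2, {"financial": 2, "reputational": 3, "infrastructure": 1}, ["A.10.1.1", "A.9.4.2"], ["No full-disk encryption"]),
]
```

Because a ticket can link several controls from the same clause, `risk_by_control_group` counts it once per clause so one ticket does not dominate a group's average.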

Mirko Morandini

Mirko Morandini, PhD, is part of the EriZone team since 2015. As a consultant, he guided the implementation of EriZone in various projects in the DACH area and in Italy.
