ISMS ISO27001

Supported activities

The SeCube GRC application provides comprehensive support for the creation and continuous maintenance of an organization’s Information Security Management System (ISMS).

Supported ISO27001 activities:

• Asset item inventory (Inventory)
• Business impact analysis (Governance)
• BSR classification of resources (Governance)
• Information security risk analysis and management (Risk)
• Internal audit support and ISO applicability assessment (Compliance)
• Management of the regulatory and control environment (Compliance)
• Business continuity planning and management (BCM)

SeCube’s modular structure also supports partial modular use based on requirements.

Asset item inventory

The Inventory supports the recording of business processes, managed data groups, IT systems, their structure, and their operating and dependency relations. The record model can even be customized at the field level. Inventory meets the asset item requirements of ISO27001.

Business Impact Analysis

In the Governance module, the designated responsible users can carry out Availability, Confidentiality, and Integrity based business impact analyses on this operating model with the involvement of business responsible persons. Potential damage impacts due to business process, system or data asset failures can be assessed based on material and immaterial assessment standards for the organization. The aspect of damage effects (material damages, operating damages, damages to goodwill, legal consequences, personal injury, etc.) and their textual interpretation can be fully tailored to the organization and its environment. Public administration (Information Security Act), market, and GDPR-specific damages table templates are also available. 

The business impact analysis results are inherited along the lines of Inventory dependency relations, and they can be sorted into lists and are used for numerous other functions:

• Resource classification
• Identification of the vulnerability of certain asset elements, with a display of time
• Finding faults with the biggest impacts
• Consequences of simulated events
• Risk analysis effect data
• BCM recovery time objectives (RTO, MTPD)

The impact value of all your assets can be classified on the basis of this analysis. Resources can be classified according to customizable Confidentiality – Integrity – Availability security levels. Classification may be manual or based on parameterizable rules calculated on the basis of BIA results.

Internal audit and Compliance management

The Compliance module supports the keeping of control compliance with the requirements of the ISO2001 standard, including applicability statement reporting, and can also be used to structure the regulation and requirement system for the company’s own Information Security Management System as well as internal audit assessments. Internal audit packages with any scopes and periods can be launched for the company’s own regulatory system. This implements and tracks the internal audit activities required by the ISO standard. Action plans can be prepared for the deficiencies identified by internal audits, and their implementation can be monitored. The reports available in the software can be used to present internal audit and compliance activities in an auditable manner, for the purposes of ISO audits.

The Compliance module can be used to run other compliance and audit analyses (e.g. ISO9001) with integrated deficiency and compliance management.

Risk assessment and management

The RISK module can be used to keep records of information security risk analyses and the steps taken for their management. 

The risk analysis connects the vulnerabilities and protective measures of the data assets with the threats. If they were to occur, cause and effect simulations are available to analyze the consequences and the resulting business damages. Risks can be assessed and continuous risk management activities can be conducted.

The fundamental risk analysis methodological parameters and risk calculation methods can be widely customized in the software, providing an opportunity to take the organization’s attributes and the requirements of certain parent companies or legislation into account. The interpretation of effects and damages can be fully tailored to an organization and its environment.

The methodological parameters and the freely expansible lists (threats, vulnerabilities, protective measures) in the risk analysis module are based on information security recommendations (NIST), standards (ISO), and legislation (Information Security Act), supplemented with Kürt’s experience and feedback. The applied risk analysis methodology and terminologies are compliant with the specifications of the ISO/IEC 27005 standard. Risk analysis cornerstones:

• asset item
• threat
• vulnerability
• security measure
• frequency
• consequence
• business impact
• risk
• risk management
• residual risk

Various analysis reports can be used to evaluate prioritized risks identified in the course of the risk analysis, allowing the making of risk management decisions. Detailed measures can be planned for the risks. The implementation of task management functions assists in risk management measures with the use of responsible persons, statuses, email notifications, and reports that support even time comparisons (status as at the analysis, current date status, future planned status). The aim of risk management and reporting functions is the continuous management of the organization’s risk-proportionate protection. In addition to numerous other reports, a comprehensive Risk Analysis Report (docx) on the current results and status of the risk analysis and the applied methodology can be generated for use in ISO audits.

The Risk module can be used to run more than one and more than one type of risk analysis (e.g. business, physical, human, data protection, critical infrastructure, etc.) concurrently, the results of which can be managed in a uniform approach in the interest of implementing and supporting integrated comprehensive enterprise risk management (ERM).

Business continuity planning and management

The BCM module supports an organization’s IT, technology, information security, and business continuity planning and management activities in an integrated manner. The BCM module is set to support the full life-cycle of business continuity management in a uniform system, taking into account the ISO 22301 standard:

• Modelling operations
• Risk analysis and business impact analysis
• Defining restoration target times and comparing those with our plans
• The preparation of BCP and DRP detailed plans 
• Planning the preparation tasks during business-as-usual periods and checking their implementation
• Maintaining and reviewing plans
• Testing plans 
• Emergency application and simulations 

The end products of BCM planning are the detailed BCP or DRP action plans, prepared by taking time objectives into account. The plans include the completed emergency actions categorized into scenarios and the preparatory actions necessary to ensure the functioning of the plans. BC and DR plans can be exported into text format (docx).

Tests can be made for the created plans; the testing activity can be planned and managed and a test report can be generated (docx).

The company’s entire BCM activity can be presented to external auditors with the following supporting reports:

• Detailed BCP and DRP plans that can even be exported into MS Word documents
• Management of preparation actions during business-as-usual periods
• Testing protocols and testing reports
• Recovery time objective reports