IT Audits and Risk Management
The latest revision of the information security management standard, ISO/IEC 27001:2013, has now been available for over six months. Because it replaces the 2005 version, organizations must certify to the new standard rather than simply re-certify to the old one. Although the transition period is two years, many organizations have already begun moving to the new standard and implementing the revised security controls of Annex A (ISO/IEC 27002:2013). The transition looks easy on the surface, but underestimating the importance of getting it right the first time can set your organization back and cost it the certification when the auditor arrives.
One way to manage the transition properly is Risk Management Studio, a risk management application designed to simplify the implementation of an ISMS aligned with the ISO/IEC 27001 standard.
Let's take a look at a few of the key steps and procedures required for a proper transition, and at how RM Studio makes each of them easier.
- An important change in the revision is the requirement to identify the interested parties, that is, your stakeholders and their requirements. A stakeholder is any person or organization that can influence your information security or be influenced by it. RM Studio makes this step straightforward: you can import your contacts or the list of stakeholders from the previous standard into RM Studio and assign contact types to organize them into appropriate groupings.
- The risk assessment process now requires you to identify a risk owner for each risk, and the methodology for identifying risks has also changed. The 2013 revision no longer prescribes identifying assets, threats and vulnerabilities in order to derive the risks; it leaves the method to the organization. However, if you have been using the asset/threat/vulnerability method effectively to identify and mitigate the risks threatening the organization, it may be wise to continue with this proven approach, since it remains fully acceptable under the new standard. The revised standard also requires that outsourced processes be determined and controlled (clause 8.1), so these must be brought into scope and the controls necessary to manage them identified. RM Studio has a simple but complete risk assessment module that includes a built-in threat library linked to the asset category library. Each threat is also linked to the appropriate mitigating security controls, which automates much of the risk identification and control selection process.
- The Statement of Applicability must state, for each Annex A control, whether it is implemented or not, together with a justification for that status and for any exclusion. Because a number of the Annex A controls were renumbered or rearranged in the 2013 revision, mapping your existing control statuses onto the new structure is a step to carry out carefully. The SoA report included in RM Studio gives you the full details of each control's status and justification, and the confidence that the controls are mapped to the correct Annex A references.
- Risk treatment has a few new requirements: the risk owners must review and approve the risk treatment plan and formally accept the residual information security risks (6.1.3). RM Studio makes this step simple by letting you export the risk treatment report, or selected portions of it, to Excel, Word or PDF so that the documents can be sent to the risk owners for approval and their sign-off retained as evidence.
- The measurement and reporting requirements of the revised standard have become stricter. The information security objectives, and the plans to achieve them, must be measurable (6.2 b) and must define how the results will be evaluated (6.2 j). Performance evaluation (9.1) must determine what needs to be monitored and measured; the methods for monitoring, measurement, analysis and evaluation; who will perform the monitoring and measurement and when; and who will analyze and evaluate the results and when. The organization must retain documented information as evidence of the results. RM Studio's risk assessment and treatment module lets you assign responsible parties and set the time frames and deadlines required. The standard reporting options, together with custom reporting, make it easy to document the process and communicate each person's responsibilities for ISMS performance to the team.
Risk Management Studio is an application that combines risk management with business continuity planning. You can request a live online demo that gives you a detailed look at the system. RM Studio is helping organizations around the world make the transition to the ISO/IEC 27001:2013 standard, and we pride ourselves on customer service and a quality product that simply works for you.