SMART INFORMATION SECURITY MANAGEMENT SYSTEM COMPLIANCE TOOL

Fulfilling the requirements of ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements Standard of which‘s usage is growing up worldwide day by day, requires information and experience on it. On the other hand getting consultancy services usually comes with high costs. The reason for the complexitiy of processes you need consultancy or expert personel to work with.

Cymsoft’s Smart Information Security Management System so called SISMS is a tangible indicator of Cymsoft’s experience on establishing ISO/IEC 27001 Information Security Management System. SISMS is a R&D project supported by The Scientific and Technological Research Council of Turkey (TUBITAK). SISMS is a software which is developed to make it easier in accomplishing the whole processes of ISO/IEC 27001 using artificial intelligence.

SISMS fulfills all requirements in ISO/IEC 27001:2013 and provides compliance with the Standard.

Through Information Security Management process, the software package encapsulates following modules;

  • Scope,
  • Information Security Policy,
  • Inventory of Assets,
  • Risk Evaluation Methodology,
  • Risk Analysis,
  • Risk Management,
  • Gap Analysis,
  • Mandatory Procedures,
  • Document Management,
  • Protective Controls,
  • Compliance Monitor,
  • Corrective Maintenance.
  • ISMS tool is the first and unique Turkish “Information Security Management System” software which is tested, accredited and published between RA/RM tools by ENISA-European Network and Information Security Agency.

    SISMS MODULES

    GAP Analysis

    A test application which defines how to apply controls to determine organisation’s compliance with ISO/IEC 27001:2013 Standard and make complex rules of ISO/IEC 27002:2013 Standard to be understood easily, Management of Controls in ISO/IEC 27001:2013 forming the infrastructure of test application and management of rules in ISO/IEC 27002:2013 corresponding the application of controls, Updatable rule base according to ISO/IEC 27001:2013 and ISO/IEC 27002(2013) Standards’ requirements, Documentation of conformities and unconformities resulting test application, Preparing a substructure towards automated documentation of mandatory procedures of ISO/IEC 27001:2013 Standard, resulting test application, Providing a Maturity Model that shows compliance of the organisation visually.

    Inventory of Assets

    Tracing software and hardware assets on Local Area Network and inserting them into inventory database automatically, Importing existing asset inventory in exel form appropriate to software in case it’s not desirable to search the information assets on Local Area Network, Inserting information assets which are not connected on Local Area Network into inventory database manually using asset entry interface, Assigning assets to more than one business processes or correlating business processes with more than one asset, Defining asset groups for collecting the assets having same qualification under a unique asset group and managing them all together, An interface of which asset category, asset group, asset location, asset owner and asset explanation can be monitored and asset can be corolated to business processes, Defining confidentality, integrity and accessibility values of assets one by one or under an asset group as maximum, sum or multiplication (optional) values. Keeping track of asset owners on unit base and listing assets on category or process base. Detailed documentation of asset inventorty.

    Risk Management

    Automated assignment of valnurabilities and related threats of assets, according to their classification, without user intervention by the system, Defining Protective Controls against to valnurabilities and threats, Five optional qualitative and quantitative risk evaluation methodologies you can choose dynamically:

    • ISO/IEC 27005 Risk Evaluation Methodology-1,
    • ISO/IEC 27005 Risk Evaluation Methodology-2,
    • Probabilistic Risk Evaluation Methodology,
    • Octave Allegro Evaluation Methodology,
    • Quantitative Risk Evaluation Methodology.

    Risk analysis application with different risk evaluation mehods taking into account the values; Asset Value-AV, Exposure Factor-EF, Single Loss Expectancy-SLE, Annualized Rate of Occurence-ARO, Annualized Loss Expectancy- ALE, Ease of performing risk analysis with optional risk evaluation methodologies, Documentation of Risk Evaluation Report in exel format appropriate to ISO/IEC 27001 Standard, Graphical presentation of risk positions of organization’s information assets according to their classification “Risk Analysis Table”.

    Protective Controls

    Improving organisation’s ISMS in course of time; List of conformities and unconformities after Gap Analysis, Defining controls from ISO/IEC 27001:2013 and best practicies from ISO/IEC 27002:2013 to resolve unconformities.

    Document Management

    Document importing, exporting and monitoring according to user authority, Versioning and keeping documents by date and publishing the current version on web page, Producing the mandatory documents listed below for ISO/IEC 27001 certification automatically and allowing to update them only by authorizied (Administrator) user, Publishing the prepared documents, presenting all documents to users which will be able to access on the organisation’s local portal,

    • Presenting all required templates,
    • Documents that can be produced by the software,
    • Information Security Policy,
    • ISMS Scope
    • Controls and procedures supporting ISMS,
    • Risk Evaluation Procedure,
    • Organisation of Information Security Procedure,
    • Human Resource Security Procedure,
    • Asset Management Procedure,
    • Access Control Procedure,
    • KCryptography Procedure,
    • Physical and Environmental Security Procedure,
    • Operations Security Procedure,
    • Communications Security Procedure,
    • System Acquisition, Development and Maintenance Procedure,
    • Supplier Relationships Procedure,
    • Information Security Incident Management Procedure,
    • Information Security Aspects of Business Continuity Management Procedure,
    • Compliance Procedure,
    • Business Continuity Plan,
    • Asset Inventory,
    • Risk Analysis Report,
    • Risk Evaluation Report,
    • UStatement of Applicability (SoA),
    • Other required records which are evidence of compliance and effective performance of ISMS,
    • Internal Audit Procedure,
    • Control of Documents and Records Procedure,
    • Corrective Activities Procedure,
    • Internal Audit Questions Lists,
    • Management’s Review Report.

    Compliance Check

    A dashboard checking requirements in documentation with their last versions and presenting compliance level of the organisation. Providing top management to review whole ISMS.

    Internal Audit

    Related with internal audits; Selecting units to be audited, Selecting auditors, Question lists, planning and tracing audit activities.

    Corrective Activities

    Managing Corrective Activities on system, Assigning personel for each activity, monitoring activities, Following deadline for each activity, and closing the activity if compliance provided, Listing all open activities for management’s review report.

    Using SISMS;

    Make it easy to understand and use the abstruse and complex structure of ISO/IEC 27000 Standards family with application of artificial intelligence. Has a feature of cost reducing and Standart/Quality enhancement on establishing ISMS.

    Distinguishing Characteristics of ISMS;

    • Detecting hardware assets on network and recording assets manually,
    • Collecting and evaluating the assets under an asset group (top asset),
    • Calcualting the asset values with three different method,
    • Usage of five different risk evaluation methodologies four of which qualitative (including Octave Allegro) and one quantitative,
    • Automated determination of threats, valnurabilities and risk values of asstes (including asset groups) according to asset categories,
    • Ability of adding own asset categories,
    • Information asset types identified, categorized and updatable thread and valnurability types related with this assets types on system,
    • Automated determination of protective controls against the vulnerabilities towards information assets,
    • Ability of addinig own protective controls and relating them with threats,
    • Prepreation of Inventory of Assets, Risk Evaluation Report and Statement of Applicability (SoA),
    • Ability to perform Gap Analysis,
    • Automated documentation of mandatory documents included in the Standard,
    • Multilanguage and help support,
    • Defining different user roles,
    • Defining different authentication for different types of roles,
    • LDAP integration for user management,
    • Defining organizational title, business sector, company logo, address information, hierarchical organization unit chart, and business processes,
    • Defining correlation between assets, business processes and organizational units,
    • User friendly web based software,
    • Low cost advantage