In this post I will give more technical details about the tool, which we will also be using for ISO 27001 documentation here at Würth Phoenix. For deeper insights, implementation costs, and to evaluate the deployment on a running EriZone instance versus a standalone one, you can contact either one of us or our sales team at any time.
An ISMS can be divided into three parts:

1. Documentation of the ISMS
   - Description of the scope and the ISMS processes
   - Statement of Applicability (SoA) and the 114 security controls
   - Vulnerabilities and threats
   - Risk analysis and risk treatment
2. Management and documentation of security-relevant events
   - Assessment of security-relevant events and incidents by the security officers
   - Assessment of security-relevant changes in infrastructure and processes
3. Processes and tools for describing the infrastructure and detecting security-relevant events
   - Asset management
   - Event and incident management by the IT/Service desk
   - Monitoring, log management, and SIEM tools

Figure: Documentation of the IT processes in the company, EriZone ISMS
The EriZone ISMS mainly covers the first two parts, while the third part can be covered by any available Service Desk system and the NetEye suite.
EriZone ISMS System Details
We decided to use configuration items (CI) in the EriZone CMDB to store the (currently 114) Controls and Control Objectives that build up the SoA. You can see an overview of their deployment state and can store additional notes, analysis results and links to external documentation directly in the CI.
The CMDB is also used to store a list of potential and identified security vulnerabilities.
Both controls and vulnerabilities can be imported and exported as CSV files directly from the graphical user interface, with all changes versioned.
Threat Analysis and Risk Assessment
Threat analysis and risk assessment are carried out by creating a ticket for every threat identified. This ticket is linked to the relevant controls and vulnerabilities. Following the analysis process, a risk assessment can be performed for each ticket using the risk analysis module. Here, the impact on financial, reputational, infrastructure and other risk categories is evaluated, and the average risk, calculated from these impacts and the threat event likelihood, is stored in the ticket. The risk categories and the impact-likelihood matrix can be customized in the admin interface.
Next, risk treatment activities (e.g. risk mitigation, acceptance or sharing) can be recorded as internal notes in the ticket. Once the assessment is concluded, the implementation status of the linked SoA controls can be re-evaluated.
Risk assessment with tickets and linked configuration items has various benefits. You will be able to:
- easily retrieve all risks that address a SoA control statement or a vulnerability, and vice versa
- track all changes in the history
- define responsibilities for the assessments to be carried out
- track all email and internal notes, save attachments, and define links to external resources
- link security-relevant events and incidents (also handled as tickets) to threats and vulnerabilities, and lead the security officer to re-evaluate risks and SoA control coverage
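The following is an added, self-contained model of the workflow described above: SoA controls imported from CSV, threat tickets linked to controls and vulnerabilities, a customizable impact-likelihood matrix, the average risk stored per ticket, and the lookups listed as benefits (risks per control or vulnerability, mean risk per control group as shown on the dashboard). It is example code, not EriZone's own implementation; the 1..5 scale, the product matrix, the risk categories, the control numbering and all sample data are assumptions chosen for illustration.

```python
"""Constructed model of an ISMS risk register: tickets linked to SoA controls and
vulnerabilities, with risk read from a customizable impact-likelihood matrix.
Not EriZone code; scales, categories and sample data are assumptions."""
import csv
import io
from dataclasses import dataclass, field
from statistics import mean

# Assumed scale: likelihood and impact are both integers 1..5.
SCALE = range(1, 6)

# Default matrix: risk = likelihood x impact (rows = likelihood, columns = impact).
# An organisation can pass its own 5x5 table instead, mirroring the admin-interface customization.
PRODUCT_MATRIX = [[lik * imp for imp in SCALE] for lik in SCALE]


@dataclass
class Control:
    """One SoA control, stored as a CMDB configuration item."""
    control_id: str   # e.g. "A.12.6.1" (ISO 27001:2013 Annex A numbering, used here as an example)
    group: str        # e.g. "A.12"
    status: str       # e.g. "implemented", "partial", "not implemented"


@dataclass
class ThreatTicket:
    """One identified threat, handled as a ticket and linked to controls and vulnerabilities."""
    ticket_id: str
    title: str
    likelihood: int
    impacts: dict                                   # risk category -> impact score (categories are free-form)
    controls: set = field(default_factory=set)      # linked SoA control ids
    vulnerabilities: set = field(default_factory=set)
    notes: list = field(default_factory=list)       # risk-treatment decisions, as internal notes

    def average_risk(self, matrix=PRODUCT_MATRIX):
        """Mean of the per-category risk values read from the matrix; rejects out-of-scale scores."""
        if self.likelihood not in SCALE:
            raise ValueError(f"likelihood {self.likelihood} outside scale 1..5")
        risks = []
        for category, impact in self.impacts.items():
            if impact not in SCALE:
                raise ValueError(f"impact {impact} for {category} outside scale 1..5")
            risks.append(matrix[self.likelihood - 1][impact - 1])
        return mean(risks)


def load_controls_csv(text):
    """Import controls from CSV text with the columns control_id, group, status."""
    reader = csv.DictReader(io.StringIO(text))
    return [Control(r["control_id"], r["group"], r["status"]) for r in reader]


def risks_for_control(tickets, control_id):
    """Ids of all threat tickets that address a given SoA control."""
    return sorted(t.ticket_id for t in tickets if control_id in t.controls)


def risks_for_vulnerability(tickets, vuln_id):
    """Ids of all threat tickets linked to a given vulnerability."""
    return sorted(t.ticket_id for t in tickets if vuln_id in t.vulnerabilities)


def average_risk_by_group(tickets, controls, matrix=PRODUCT_MATRIX):
    """Dashboard figure: mean ticket risk per control group; None where no ticket links a control of the group."""
    group_of = {c.control_id: c.group for c in controls}
    per_group = {c.group: [] for c in controls}
    for t in tickets:
        for g in {group_of[cid] for cid in t.controls if cid in group_of}:
            per_group[g].append(t.average_risk(matrix))
    return {g: (mean(v) if v else None) for g, v in per_group.items()}


# Constructed sample data (not real assessment results).
SAMPLE_CONTROLS_CSV = """control_id,group,status
A.8.1.1,A.8,implemented
A.9.4.3,A.9,implemented
A.12.6.1,A.12,partial
"""
CONTROLS = load_controls_csv(SAMPLE_CONTROLS_CSV)

TICKETS = [
    ThreatTicket("T1", "Loss of an unencrypted company laptop", likelihood=4,
                 impacts={"financial": 5, "reputational": 3, "infrastructure": 2},
                 controls={"A.9.4.3", "A.12.6.1"}, vulnerabilities={"V-001"},
                 notes=["Risk mitigation: full-disk encryption rollout planned"]),
    ThreatTicket("T2", "Unpatched library in an internal service", likelihood=2,
                 impacts={"financial": 1, "reputational": 4, "infrastructure": 3},
                 controls={"A.12.6.1"}, vulnerabilities={"V-002"}),
]

if __name__ == "__main__":
    for t in TICKETS:
        print(t.ticket_id, round(t.average_risk(), 2))
    print(risks_for_control(TICKETS, "A.12.6.1"))
    print(average_risk_by_group(TICKETS, CONTROLS))
```

The matrix is passed in rather than hard-coded so that a custom table (for example one that saturates at a maximum value) changes every stored risk consistently; the range checks make an out-of-scale score fail loudly instead of silently indexing the wrong cell.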
The predefined service catalogue for the EriZone ISMS also includes a categorization of security-relevant events, the ability to schedule recurrent maintenance and monitoring activities, the documentation of proactive actions, a change management process, and tickets to record and respond to internal and external audit requests. Thus you will be able to gather all ISMS documentation and correspondence in a single place.
Finally, analysis results also need to be presented in an appealing way: the tool includes a Grafana dashboard that shows Control coverage, average risk levels by Control group and identified risks, with links to tickets and CIs in the EriZone ISMS.
Mirko Morandini, PhD, is part of the EriZone team since 2015. As a consultant, he guided the implementation of EriZone in various projects in the DACH area and in Italy.