FAQs

The ISOManager ISMS Assurance Solution offered in the ISO Manager platform is an all-in-one compliance command center, designed specifically to manage your ISMS Assurance requirements and all applicable GRC compliance requirements (legal / regulatory and contractual). It fully supports all of the requirements of ISO 27001, PCI-DSS, CPS234, NIST, COBIT and more. The platform is also extensible to enable additional compliance frameworks (and mappings) to be easily added.

The ISMS Assurance Solution is built upon ISO Manager, which frames the ISO 27001:2015 framework and domain controls. The solution can be delivered as an on-premise or private cloud (SaaS) solution (dedicated servers in Australian DCs), covering the entire lifecycle of compliance within entities and services.

Additional modules for Australian government GRC requirements are being added all the time. Development on the product is extremely active.

The solution is highly scalable through a modular design to address capacity demands and any future needs of the organisation. It can be rapidly implemented, enabling growth and scalability.

1. Requirement: The solution must have the ability to assign information security classification levels to assets.
   Yes/No: Yes
   Comment: Please see Technical Requirements and FAQs for a detailed walkthrough of this requirement.

2. Requirement: The solution must have the ability to allow a user to risk assess against the 114 controls of ISO 27001:2013.
   Yes/No: Yes
   Comment: As above.

3. Requirement: The solution must have the ability to allow a user to add custom control requirements for use during security risk assessments (for example, control requirements from the following standards: IS18, Australian Government ISM, NIST, PCI DSS, ASD Essential Eight).
   Yes/No: Yes
   Comment: As above.

4. Requirement: The solution must have the ability to allow users to assign confidentiality, integrity and availability levels to information assets.
   Yes/No: Yes
   Comment: As above.

5. Requirement: The solution must include the ability for a user to record information security risks within a centralised risk register.
   Yes/No: Yes
   Comment: As above.

6. Requirement: The solution must include the ability for a user to generate information security risk assessment reports.
   Yes/No: Yes
   Comment: As above.

7. Requirement: The solution should have a business continuity and disaster recovery module that covers the respective areas of ISO 27001/2.
   Yes/No: Yes
   Comment: As above.

8. Requirement: The solution should contain a threat catalogue that can be used when performing information security risk assessments.
   Yes/No: Yes
   Comment: As above.

9. Requirement: The solution should include the ability for users to create new threats.
   Yes/No: Yes
   Comment: As above.

10. Requirement: The solution should have the ability for information asset custodians and owners to endorse and approve the information security classification of an asset.
    Yes/No: Yes
    Comment: The ISO Manager Task module allows for the creation and tracking of tasks. Tasks for information asset custodians and owners can be created and tracked. This option may be customized and developed further to suit the client's requirements during implementation to ensure the required workflow approach is implemented. Approval workflow can be added where required.

11. Requirement: The solution should include an information security classification form that can be used by information asset owners and custodians to determine the security classification of an asset.
    Yes/No: Partial
    Comment: A range of forms and workflows can be provided. However, embedding this option within the ISO Manager implementation can be customized and developed during implementation according to a detailed requirements exercise.

12. Requirement: The solution should enable a user to undertake high-level (basic) and low-level (detailed) information security risk assessments.
    Yes/No: Yes
    Comment: Risk assessments can be completed, recorded and actioned according to the ISO 27005 framework. As above.

13. Requirement: The solution should have the ability for users to track the implementation of the mandatory requirements (sections 4 to 10) of ISO/IEC 27001:2013 and other security standards.
    Yes/No: Yes
    Comment: Users can track implementations against all mapped standards (ISO 27001 and more).

14. Requirement: The solution should have the ability for users to track the organisation's overall implementation and status of the Information Security Management System (ISMS).
    Yes/No: Yes
    Comment: A range of dashboards and reporting options are available to show progress against the mapped standards.

15. Requirement: The solution should have the ability for users to record assets within a single asset register.
    Yes/No: Yes
    Comment: While ISO Manager is not designed to replace a comprehensive CMDB (such as ServiceNow or Cherwell Asset Manager), it does provide the Asset Views required to satisfy ISO 27001 and similar standards. The Asset Views can also be linked to a dedicated CMDB (e.g. ServiceNow) to integrate asset views as required.

16. Requirement: The solution should include a cyber supply chain management module (or the ability to upload file attachments related to security assessing procurement / contract management / supply management activities).
    Background: Cyber supply chain risk management can be undertaken by identifying the cyber supply chain, understanding cyber supply chain risk, setting cyber security expectations with suppliers, auditing suppliers for compliance, and continual monitoring and improvement of cyber supply chain security practices.
    Yes/No: Partial
    Comment: ISO Manager can offer document upload and approval through DMS and SLA/OLA management; however, it is not (as yet) designed to be an end-to-end third-party risk management solution (like CyberGRX). This option may be customized and developed during implementation according to detailed requirements, and it will be offered as an optional customization in line with ISO 27036 (Information security for supplier relationships).

17. Requirement: The solution should have the ability for users to create an external third-party supplier information security assurance questionnaire. This should include the ability for suppliers to respond to questions.
    Yes/No: Yes
    Comment: The solution allows users to customise and send security questionnaires to suppliers. This option can be further customized and developed during implementation according to detailed requirements gathering.

18. Requirement: The solution should have the ability for users to document, manage and report on supplier contract obligations and requirements relating to information security.
    Yes/No: Yes
    Comment: Supplier assessments can be reported on and tracked to ensure suppliers meet their contractual security obligations. This option can be customized and developed during implementation according to detailed requirements.

19. Requirement: The solution should support the ability to create different asset types (for example, ICT assets, Operational Technology assets, Information assets) and the ability to create dependency (secondary) assets linked to the primary asset.
    Yes/No: Yes
    Comment: An asset hierarchy can be established; however, ISO Manager is an ISMS management tool rather than a CMDB.

20. Requirement: The solution should enable a user to set a flag to identify systems or assets that contain Personally Identifiable Information (PII).
    Yes/No: Yes
    Comment: PII / PCI flags can be established for all assets / systems as required.

21. Requirement: The solution should enable a user to set a flag to identify systems or assets that contain payment card information. This is required to support Payment Card Industry Data Security Standard (PCI DSS) compliance activities.
    Yes/No: Yes
    Comment: PII / PCI flags can be established for all assets / systems as required.

22. Requirement: The solution should include workflow functionality that supports the ability to assign parts of an information security risk assessment to different subject matter experts (e.g. Contract Management, Procurement, Architecture, Privacy, Operations and Information Security teams).
    Yes/No: Yes
    Comment: This option can be further customized and developed during implementation according to detailed requirements.

23. Requirement: The solution should include a document register that tracks all documentation (artefacts) related to the Information Security Management System. This should include the version of documentation and the document's current status (e.g. DRAFT or APPROVED).
    Yes/No: Yes
    Comment: (none)

24. Requirement: The solution should include a generic risk bank that contains high-level information security risk statements.
    Yes/No: Yes
    Comment: The solution includes a detailed risk library to assist with assessments.

25. Requirement: The solution should include an Information Security Incident Response module.
    Yes/No: Yes
    Comment: A range of templates can also be provided / constructed to assist with IR plan development inside ISO Manager.

26. Requirement: The solution should support the ability to email a person once they have been allocated a task. The email should originate from the client's email domain.
    Yes/No: Yes
    Comment: ISO Manager supports the following activities through email:
      1. notification,
      2. task opening,
      3. task reopening,
      4. evidence gathering,
      5. training assignment,
      6. survey assignment.
    Further functions can be customised upon request.

27. Requirement: The solution should include a workflow that enables Information Security Policies and Standards to be sent to stakeholders for consultation, review, endorsement and approval.
    Yes/No: Yes
    Comment: The actual workflow will be customized during implementation according to detailed requirements.

28. Requirement: The solution should have the ability to create architectural views of assets and the respective dependency assets.
    Yes/No: Partial
    Comment: ISO Manager does not have an integrated network discovery tool, so it cannot produce a network architecture or visual hierarchy. However, it does support the following architectural asset review / reporting options:
      1. Assets based on criticality 1-5
      2. Assets supporting process X, Y, Z
      3. Assets per owner
      4. Assets per responsibility
      5. Assets per risk rating
      6. Assets with a specific dependency

29. Requirement: The information security risk matrix should allow customisation to align to ISO 31000, ISO 27005 or the client's Risk Management Framework.
    Yes/No: Yes
    Comment: ISO Manager allows for extensive customisation to support a wide array of standards, including risk frameworks.

30. Requirement: The solution should have the ability to assign 'Low, Medium or High' business impact levels for the confidentiality, integrity and availability of information assets. This supports the client's information security classification process.
    Yes/No: Yes
    Comment: (none)

31. Requirement: The solution should have the ability to assign ownership and treatment officers to different risks.
    Yes/No: Yes
    Comment: ISO Manager provides an easy-to-use, detailed RTP (risk treatment plan) management solution.

32. Requirement: The solution should dynamically update a centralised Statement of Applicability as part of the information security risk assessment process.
    Yes/No: Yes
    Comment: Unlike standard risk-management platforms, ISO Manager incorporates the end-to-end ISO 27001 certification management lifecycle, including SoA automation.

33. Requirement: The solution should have the ability for users to customise CIA values to align to the Queensland Government Information Security Classification Framework (i.e. Confidentiality levels of 'OFFICIAL, SENSITIVE and PROTECTED', Integrity levels of 'Low, Medium and High' and Availability levels of 'Low, Medium and High').
    Yes/No: Yes
    Comment: DLMs can be fully customised. Government markers will be supported out of the box.

34. Requirement: The solution should require risks contained within risk assessment reports and risk registers to include both inherent and residual risk ratings.
    Yes/No: Yes
    Comment: Please see Technical Requirements.

35. Requirement: ISMS Dashboarding must have the ability to display:
      • An overview of current assets;
      • Compliance to ISO 27001, other security standards and control requirements;
      • Point in time and historical data;
      • Risks exceeding the current risk appetite / tolerance;
      • Current and future state maturity levels; and
      • Corrective action due dates, including implementation progress / current status.
    Yes/No: Yes
    Comment: ISO Manager supports a range of customised dashboarding options. The required dashboard format will depend on the available data. Asset overview, compliance, risk, actions and implementation reporting can be customized and developed during the implementation phase. Data will be required to ensure that dashboards are aligned with expectations.

36. Requirement: The solution should have an Information Security Calendar that allows a user to set reminders for security-specific tasks (e.g. when a policy is due for review, when a security committee meeting is scheduled, etc.).
    Yes/No: Yes
    Comment: ISO Manager integrates with calendar services (Exchange, Google, etc.). A Calendar Dashboard is an available option.

37. Requirement: The solution should have a Corrective Actions Register that allows a user to enter and track the findings of ISO 27001 surveillance audits.
    Yes/No: Yes
    Comment: (none)

38. Requirement: The solution should include the ability for a user to upload ISMS documents (e.g. meeting agendas, minutes, Terms of Reference, Charters).
    Yes/No: Yes
    Comment: (none)

39. Requirement: The solution should log user access, modification and deletion of information within the system.
    Yes/No: Yes
    Comment: ISO Manager contains detailed logging and audit trails. Every login to the system is recorded with the IP address. Every add/update/delete data action is recorded with the user name and input details.

40. Requirement: The solution should have the ability to easily export all information into a machine-readable format for migration to another cloud service provider. Common file formats (including .xlsx, .docx, .pdf) must be supported.
    Yes/No: Yes
    Comment: Common file formats (including .xlsx, .docx, .pdf) are supported.