Controls

Controls are an important topic in the ISO27001 standard; Annex A consists of 113 controls.
Most important is that you define which controls you will have in place and how you address these controls.

We address the Annex A controls in the Statement of Applicability, and during the Internal Audit all the controls will be checked. We have already addressed and embedded many controls in Compleye Online and/or in the templates we provide. However, you will still need to define controls that are effective and useful for your organisation.

First the basics: get yourself acquainted with the way Compleye Online handles controls.

A control is an activity that needs to be performed on a regular basis to reduce a potential risk, and its effectiveness needs to be evaluated at least once a year. We have created two overviews for controls:

  1. Schedule View – overview of controls in the order in which they need to be performed. Easy to use during security meetings to check which controls are overdue.
  2. List View – complete overview of all controls defined, easy to use to filter on a specific owner, type or status.

This is also the place where you can choose a particular time frame (Start month – End month); the default setting is always one year from the current date.
Do not forget to add tips/notes, in the procedures/info feature, for yourself and your team members.

Throughout the wiki we often say: do not forget to define a control, e.g. when performing an assessment or when you customise your policies and procedures. It is easy to add a control while performing these jobs: just fill in the mandatory fields to create it. You can always change and add to the content at a later stage. It is the best tip we can give you while working on your ISMS: do not think "yes, I will do that later", do it right now. That way you will not forget it and you do not have to make notes.

In the chapter What – explanation and examples you can find more information on the screens and fields. When defining a control you need to fill in at least the fields marked with * before you can save it. Once you save the control (the first time), the Control Execution form appears on the right side.

On the left side of your screen, the Control Details (with information on When, Who, How and What) are the core. Control Executions are created once you have added the Start month and Frequency: Compleye Online creates (and plans) the time frames in which the control must be executed.

TIP: if you just want to add a control and will finalise it at a later stage, make sure your Start month is far in the future. Otherwise Compleye Online will already be planning your control executions while you may not be ready for them.

You can always change the frequency; the control executions will adapt. If executions are already planned, you can skip them or change their status.

Let's try to set up your first control. We pick a control that needs to be in place for ISO27001 anyway, so it cannot go wrong 🙂

E.g. [Add new control]

  • Control Name: Review HW Asset List
    – you will need to review your HW asset list at least once a year. (Of course this will also be part of your on/offboarding procedure for staff; however, people change laptops/mobiles throughout the year, and perhaps that is not registered.)
  • Assign an owner: someone from your ISMS Team is always the owner.
  • Start month: today + 3 months. No need to pressure yourself; you have probably checked it recently.
  • Frequency: once a year (that is mandatory for ISO27001; you can do it more often if you like).
  • Control Type: this functionality is for when you adopt more frameworks/standards and want an overview of the controls for one particular standard. If this is your first, choose ISO27001 – security.
  • Procedure: describe how you will perform the check. If you make use of the Compleye Online Asset Management overview, it can be something like this: the person performing this control is the person responsible for all the HW in the organisation and will make use of the Asset Management overview in Compleye Online. First they check (by making use of the Activity log) whether any changes have been made within the last year, and (e.g.) send an email to the team with the question: did anyone switch laptop/mobile phone? They check this information against the overview and adjust it accordingly.
  • Definition of Evidence: in the activity log of the Asset Management section there is a possibility to download the activity log. A PDF of the date of execution will be added as evidence. [Use the Datepicker.] General instructions for evidence creation:
        • use screenshots of the tests where the date and the actions performed are clearly visible and readable
        • non-editable versions of the document/file
        • a description of the evidence; avoid general, vague, non-descriptive approval inputs
  • Documents: for a complex control, add a document to support the control.
  • Remarks: this field can be used if you make changes or want to add extra information (in case you want to archive this control in future).
  • If you save this control, you will be led back to the Schedule View and see that the control is created 3 months from now.
  • Open the control again by clicking on the card: you will see that, next to your Control Details, your first Control Execution has been created.

    Left side of your screen: Control Details.

    Right side of your screen: Control Execution.

    Now imagine that you need to execute this control: you edit this part (use the pen icon next to the status Open), and a new screen will appear with the following fields:

    Control Interval

    This is pre-set (a combination of the chosen frequency and Start month).

    Assigned to

    The Owner can assign the execution to someone else. 

    Status

    You can choose between different statuses. Change it after you have executed the control.

    Open – default status.

    Ready for Evaluation – you performed the control and want to discuss/evaluate the outcome or performance with (e.g.) the ISMS Team, or you want to change things.

    Finalized – you have executed the control and are happy with the result.

    Skipped – there is a good reason why you did not perform this execution and there is no need for evaluation with the ISMS Team.

    Rescheduled – in case the Start month or the frequency has been changed.

    Executed by

    The person assigned can assign someone else, e.g. because of holidays or other reasons.

    Execution Proof

    You perform the control according to the procedure in the Control Details.

    Has the effectiveness of the control been verified?

    This part is not mandatory for ISO27001; however, it will be for other standards (e.g. ISAE/SOC2). It is also an easy step to keep your ISMS lean: if you are performing controls that are not efficient, effective or on time, that should be changed.

    So just take one minute to ask yourself the following questions:

    Choose Yes if you agree with the Effectiveness Check – Control Questions. Make sure you have added evidence and choose the status Finalized.

    Choose No if you think it is time to change something. In this case you will need to add a remark (a field will pop up automatically) and choose the status Ready for Evaluation.

    Documents / Links

    It is mandatory to upload evidence: if you cannot prove it, it did not happen.

    In this case you add a PDF of the activity log of Asset Management (for the date of execution), as described in the Definition of Evidence in the Control Details.

    Status of controls in Schedule View – some rules:

    • The status defines how the executions are shown.
    • During the current month, executions with any status are shown for all controls.
    • Once the month has passed, executions with status Open or Ready for Evaluation remain visible in the top row: Overdue.
    • Skipped and Finalized executions no longer appear in this overview.
    • So if you skipped an execution, make sure you have set a remark to justify it.
    • In case you have changed the frequency or the Start month of a control, you can label the execution as Rescheduled.

    Why did we organise it this way?
    During security meetings it is very easy to keep track of the performance of the controls.
    We first address the overdue executions (including the ones that may have been executed but still need evaluation),
    and next to that you can easily check how many controls are planned for next month.
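    To make the planning and the Schedule View rules concrete, here is an added Python model of the behaviour described above (it is not Compleye Online's own code): executions are planned from a Start month and a frequency, and each one is sorted into the Overdue, current or upcoming set by the rules just listed. One assumption is that each interval is one frequency period long, inferred from the "Feb 01, 2022 – Mar 31, 2022" example for a 2-monthly control further down this page.

```python
from dataclasses import dataclass
from enum import Enum

class Status(str, Enum):
    OPEN = "Open"                      # default status of a new execution
    READY = "Ready for Evaluation"
    FINALIZED = "Finalized"
    SKIPPED = "Skipped"
    RESCHEDULED = "Rescheduled"

@dataclass
class Execution:
    first: int                    # first month of the interval (absolute month index)
    last: int                     # last month of the interval, inclusive
    status: Status = Status.OPEN
    remark: str = ""              # justification; expected when an execution is skipped

def month_index(year: int, month: int) -> int:
    """Absolute month counter, so intervals can cross a year boundary."""
    return year * 12 + (month - 1)

def label(idx: int) -> str:
    """Render an absolute month index as 'YYYY-MM'."""
    return f"{idx // 12}-{idx % 12 + 1:02d}"

def plan_executions(start_year, start_month, frequency_months, count):
    """Start month + frequency -> consecutive intervals, each one frequency period long
    (assumed; inferred from the page's 'Feb 01, 2022 - Mar 31, 2022' 2-monthly example)."""
    first = month_index(start_year, start_month)
    return [Execution(first + i * frequency_months, first + (i + 1) * frequency_months - 1)
            for i in range(count)]

def schedule_view(executions, today_year, today_month):
    """Schedule View rules: the current month shows every status; a passed month keeps
    only Open / Ready for Evaluation (Overdue row); Skipped and Finalized drop out."""
    now = month_index(today_year, today_month)
    view = {"overdue": [], "current": [], "upcoming": [], "missing_remark": []}
    for ex in executions:
        if ex.status == Status.SKIPPED and not ex.remark.strip():
            view["missing_remark"].append(ex)  # skipped without a justifying remark
        if ex.last < now:
            if ex.status in (Status.OPEN, Status.READY):
                view["overdue"].append(ex)
        elif ex.first <= now <= ex.last:
            view["current"].append(ex)
        else:
            view["upcoming"].append(ex)
    return view
```

    The "missing_remark" list is the automated version of the rule above: a Skipped execution disappears from the overview, so a justification must be recorded before it does.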

    Now, that is a lot of content; hopefully, together with the example, it has made clear how to address controls. It is important that you define controls that make sense and that are written very practically. During the implementation (DIY Roadmap) you will get tips from us to add a control. The second part is much harder: you will need to read and customise your policies and procedures, and while doing that you will define controls yourself.

    Below is a list of controls that we advise you to implement, based on our experience, to get you started. This list is not complete, because you will add more during the customisation process of your policies and procedures.

    Control                                                   Frequency
    Check your Asset Management Overview                      every 6 months
    Check your SW Access Overview                             every 6 months
    Check your Suppliers Overview                             every year
    Check your Preventive Actions (from security incidents)   every 6 months
    Review your Contract Templates                            every year
    Review your policies & procedures                         every year
    Perform Pen Test                                          every year
    Perform Security Awareness Training                       every year
    Assess your ISMS Team (resources, competences)            every year
    Test your Disaster Recovery Plan                          every year
    Review your security metrics (including incidents)        monthly
    Perform Data Restore Test                                 every 2 months
    Perform Source Code Restore Test                          every 6 months
    Setup yearly ISMS operational planning                    yearly
    OWASP Top 10 Test                                         every 3 months
    Perform High Risk Supplier Assessment                     yearly
    Perform ISRA                                              yearly
    Perform DPIA / GDPR                                       yearly

    One final remark: if you read this, it might look like a huge administration job. Please keep in mind that at Compleye we are doing our best to make your life easier, at least on the documentation and administration part. Once you have set up these controls, the actual time to administer the control execution jobs is minor, and the focus is on the activity to get the security of your organisation to the next level.

    Add new control

    Fields (field name – description; example):

    • Control name – free text field: write what the control is for. Example: Database restore test
    • Owner – select from the drop-down list who is responsible for executing/performing the control. Example: {name}
    • Start month – select the date when the control needs to be performed for the first time. Example: {date from now till +3 months}
    • Frequency – select from the drop-down list the frequency at which the control needs to be performed. Make sure you check the frequencies that ISO27001 mandates for mandatory controls. Example: once a year
    • Control type – select from the drop-down list the type of the control. This functionality is for when you adopt more than one standard, so you can distinguish controls between standards in your own overview. If security ISO 27001 is the only one at the moment, select ISO27001 – security. Example: ISO27001 – security
    • Procedure – free text field: describe how you will perform the check. Example: the CTO will perform a database restore test (it would be nice to have the possibility to add a document as well).
    • Definition of evidence – free text field: explain what you are enclosing as evidence that the control has been performed; refer to the section above. Example: we will need screenshots of the performed activities, with visible dates and the person who performed the control.
    • Documents – upload any supporting template, procedure or document that is relevant to performing the control.
    • Remarks – free text field: leave a note, extra information or a follow-up.

    Execute the control

    Fields (field name – description; example):

    • Control interval – pre-set (a combination of the chosen frequency and Start month). Example: Feb 01, 2022 – Mar 31, 2022
    • Assigned to – select from the drop-down list who is assigned to execute the control. The Owner can assign the execution to someone else besides himself. Example: {name}
    • Status – select from the drop-down list: Open / Ready for Evaluation / Finalized / Skipped. "Open" is set as default; you need to change it manually when the control is executed. Refer to the "how" section of this wiki page for more clarification on the statuses. Example: Open
    • Executed by – select from the drop-down list who executed the control. The person assigned can assign someone else, e.g. because of holidays or other reasons. Example: {name}
    • Execution proof
    • Has the effectiveness of the control been verified? – this part is not mandatory for ISO27001; however, it will be for other standards (e.g. ISAE/SOC2). It is an easy step to keep your ISMS lean: if you are performing controls that are not efficient, effective or on time, that should be changed. Read the effectiveness guidelines in the form. Choose Yes if you agree with the Effectiveness Check – Control Questions; make sure you added the evidence and selected the status Finalized. Choose No if you think it is time to change something; in this case you will need to add a remark (a field will pop up automatically) and choose the status Ready for Evaluation.
    • Documents / Links – it is mandatory to upload evidence: if you cannot prove it, it did not happen. Example: upload the PDF of the database restore test run with the date and result.