The Information Security Risk Assessment (ISRA) is the most important risk assessment in the ISMS.
There is a list of requirements (clause 6.1.2) defined for the risk assessment. You will need to perform an ISRA on a yearly basis and use the same method every year, so that outcomes and results can be compared from one year to the next.
At Compleye we follow a Continuous Improvement Cycle for all of our Risk Assessments, where we connect Risk Assessment – with Improvements – with Management Review.
This section consists of 2 steps:
Step 1. Perform the ISRA with your ISMS Team
Step 2. Process your findings in the ISRA section
Step 1 – Perform the ISRA
- We’ve had numerous conversations with external auditors about the ISRA approach. As this assessment is often subject to the personal interpretation of individual auditors, we’ve designed a template that has been validated by external auditors working at different audit companies and that has held up in all our external audits.
We perform the ISRA on each component of your X-Ray, because every component has different risks that need to be addressed with different approaches. Every component can have different owners and different people involved. We suggest that you always perform your first ISRA together with all ISMS team members, so that everyone understands the process and the outcomes.
- There are 2 documents that will help and guide you through the ISRA: the ISRA Procedure (Word) and the ISRA Template (Excel); both can be found in the Template Section. Read the ISRA Procedure first to understand how the ISRA Template works. Upload and approve your ISRA Procedure and Template in your Policies & Procedure Section.
- Then start performing the ISRA by making use of the template. Organize multiple meetings with your ISMS team to go over it. This can be a complex job the first time you do it.
It will require 2-3 meetings before you have finalized it. The end results are Findings (Column V in the Template), which you will need to process in Compleye Online.
Once you’ve defined the findings and C-level approved them, you’re ready for Step 2 – Process Findings.
Step 2 – Process your Findings in Compleye Online system
Now that the actual work, performing the ISRA, has been done, it’s time to process the findings and turn them into actual Improvements. This is the final step of the ISRA and needs to be done by a compliance officer. To make this job easier, record a suggested improvement (owner and title of the improvement) for each finding already during the ISRA session. We advise you to do this with the entire ISMS team the first time, so everyone understands the process and the ownership.
- You can simply click on the “Create New ISRA” button at the bottom-left of the page.
- It will open a new tab where you can upload the ISRA document (Excel file). Once attached, this document can’t be deleted, only downloaded. The ISRA card will be named by the date it’s uploaded. If you have multiple documents, you can upload more; make sure you upload the main document first.
- After creating the ISRA you can add the findings (copy them from the Excel file). You can also attach other relevant documents in the Attachments tab. This is not mandatory.
- When adding a finding, an option to create an improvement will automatically appear in blue.
NOTE: if you don’t create an improvement, you will need to justify to the external auditor why you did not address that finding. Perhaps you have already solved the improvement and added the evidence in ATTACHMENTS. If so, please make sure that you have addressed this in the finding (e.g., by adding ‘Already solved by… Evidence can be found in attachment.’). We strongly advise creating an improvement for each finding: Improvements become part of the Management Review and show that you are able to improve and mature your ISMS.
When you create an improvement a new pop-up screen will appear.
- The finding will already be filled in, with the tag ISRA, to identify where this improvement came from.
- You will need to assign an owner who will be responsible for the Improvement.
- Due Date: estimated date for expected first results.
- Once every field is addressed, you can push the ‘create improvement’ button and it will automatically create an improvement with an ID in the Improvements section. It will also show in the current ISRA section as ‘Improvement has been created’.
Now, 2 things are needed. First, the owner will need to work on the improvement. Please make sure that the owner has access to the board and add an e-mail address in the @people section to ensure that they receive notifications on the deadlines for improvements.
Make sure that the owner reads the wiki on the improvement and starts working on it.
Second, the compliance officer will check the progress of all improvements during the monthly security meeting.
- Once the improvement is closed, it will be indicated by a green check-box tick in the tab, along with the date and the person that closed the improvement. Remember that the ISRA Procedure states that with every new ISRA you perform, you need to check whether the previous findings have been addressed. So, when you perform the next ISRA, first make sure that every finding of the last ISRA has been addressed by a closed improvement.
Fields in the ‘create improvement’ pop-up:
- Improvement name: Define a name for the Improvement. This is not the finding, but e.g. the name of a project/plan that is easily recognisable to the ISMS Team. Example: if the finding is ‘Single point of knowledge’, the improvement could be ‘Train 2nd person in tech team’.
- Owner: The person responsible for the improvement. Example: one of your ISMS Team members.
- Finding: A finding of the information security risk assessment (Column G in the ISRA Template, tab Risk Assessment). Example: ‘Single point of knowledge is a risk in the team.’
- Due Date: Always start with the due date on which you want your first Improvement milestone ready, e.g. when the project plan, proposal or first step needs to be finalised. It is used as a reminder (the owner can receive a notification 3 days prior to the due date). Example: select the date.
- Risk Assessment: The Risk Assessment where the finding originated. In this case it is filled in automatically, because this is the ISRA Section.