IT Infrastructure X-Ray
For ISO 27001 you will need to set a scope, meaning you have to decide what is and is not your responsibility from an ISMS (security) perspective.
There are 2 scope definitions:
Scope as defined for external audit = mandatory documentation for certification. Simply explained: 1 or 2 lines that describe what you do and that will be published on your certificate document. Read more: https://compleye.wiki/compleyeonline/mandatory-documentation/
More important scope definition: the understanding of where your responsibility lies with respect to security (ISO 27001), but also what might be important for the future (privacy and quality requirements). That is why at Compleye we use the X-ray – splitting your infrastructure up into X-ray components. In blue are the ones that are in scope for ISO 27001, and in red are the ones that you can use for other frameworks or requirements.
During your onboarding X-ray session, we designed and uploaded your first X-ray on your dashboard and we have uploaded all individual components in this section.
You can upload new versions if your IT infrastructure changes or new components are added. When you upload a new X-ray version, make sure you also make the corresponding changes in the individual components.
There are 2 views of X-ray components:
1. Overview of all X-ray components (below)
Per component, you have 3 options in this view: view details, edit details or delete the component.
You can add new components if needed, by making use of the yellow button ADD NEW in the top left corner.
TIP: Only create a new component if it is ‘in business’, not a pilot or BusDev project, because once you have added it, it becomes part of your ISMS, and that comes with responsibilities to assess, implement and maintain.
Mandatory fields are: X-ray component (give it a name), Owner, and Type.
Choose the type of component you want to add from the dropdown list. Below is the list of component types:
- App – add the name of the app.
- Web Portal – meaning a web application for your customers or end-users, or for your own team; name that product/portal.
- Server Environment – your cloud environment (AWS, Google, Azure, local, own server, etc.); add the name of the supplier. If you have multiple server environments, add more. You will also have to choose whether this is outsourced (AWS, Google, etc.) or your own server on-site. This will create a different template.
- Office Network – this is your office; even if you have an online office and only work remotely, you will need to add this component.
- API/SDK Environment – not every API needs to become a separate component, only if it is a specific part of your product/service.
- Other – we are in the process of defining more types of components; in the meantime, you can use this general component template for e.g. a blockchain environment or other technologies.
If you can’t choose, always pick ‘Other’.
Once you have chosen a type, a form will appear that you need to fill in.
- There are helper buttons that give you context on how to address and document each field.
- Keep the info high level – you are writing this for 2 reasons:
  - External audits and vendor assessments: inform external stakeholders what the purpose of the component is and what security measures you have in place. External auditors can be invited to view this information in an observer role to prepare themselves for audits. You can download a PDF and use it during vendor assessments for external communication.
  - Internal stakeholders: inform (new) team members about the IT infrastructure.
- Do not share your most confidential information.
- You can add documents and graphics for better understanding.
- Keep the language understandable for every stakeholder (including those without tech knowledge).
⇒ Once you’ve added and SAVED the X-ray component, you’ve already created and documented the first of 3 Tabs of the X-ray Component.
2. Every X-ray component is divided into 3 different tabs:
General Info – Interactions – Change and Impact
Per tab, we dive into the purpose and usability.
TAB 1: General Info
See the content above on adding a new X-ray component.
TAB 2: Interactions
Purpose: By connecting compliance documentation and activities to specific X-ray components, you will be better informed about the impact of changes for risk and opportunity assessments.
You’ll perform an ISRA annually. However, on a more regular basis (think of security meeting topics) you’ll make changes, and before you can make a decision you’ll need all relevant information available to make a proper impact analysis.
That’s why you can connect the following compliance activities and documentation to a component:
- OPCs – Recurring compliance activities
- Improvements – One-time activities to mature your compliance framework
- Policies & Procedures – Documentation that needs to be reviewed on a yearly basis
- Suppliers – Organizations that deliver products or services
You can link existing items (OPC, Improvement, P&P, Supplier) to the X-ray component, or create a new one from this view. Clicking on a card redirects you to the specific item.
TAB 3: Change & Impact
Purpose: It’s mandatory to document changes, not only what you have changed, but also why, the impact, and implementation evidence.
Aside from that, you can use this tab for the preparation of 2nd and 3rd audit visits to summarise for auditors what has been changed over the last year. Even better – if the auditor has access to Compleye Online as an observer user, he/she can read and better prepare the audit.
A standard topic during security meetings: check whether any changes have been made. Per X-ray component you can use the information in the first 2 tabs (General Info and Interactions) to see what further impact the change will have on OPCs, Improvements, Policies & Procedures, and Suppliers.
In the Change Management Policy template (check the ‘Templates’ section for the document) you have documented how to implement a change, and we advise that you use a checklist for this by making use of the ‘Checklists’ section. You can already create a template for Change Management there.
Use the yellow top-right button ‘CREATE NEW CHANGE’ to add a change; a form will appear.
Steps to follow:
1. Give the change a title.
2. Determine the impact. You can make use of the General Info and Interactions tabs to determine the impact on other compliance elements.
3. Notes: add additional content if needed.
4. Add a link to a checklist in Compleye Online or to any other environment (e.g., your own GitHub environment).
5. Save the change.
- After the change is saved, the owner of the X-ray component can review and approve the change at any time.
| Field | Description | Example |
|---|---|---|
| X-ray component | Free text for the name of the component | Customer Dashboard |
| Component image | Upload the image | |
| Owner | Responsible for the component | [Name from drop-down list] |
| Type of component | Select from drop-down menu: App / Web Portal / Server Environment / Office Network / API/SDK Environment / Other | App |
| General | Free text field – describe at a high level the application’s purpose, functions and/or intended use | [Describe purpose of the app] |
| Access management | Free text field – describe how access management rights are organised and managed | All access management is documented on Confluence |
| Links to more information | Free text field – name of the source/link + upload a document – for any other relevant product description content or diagrams | |
| Security | Free text field – what security measures are implemented? | Data encryption |
| Monitoring | Free text field – how do you monitor this component for quality, security and availability? Is there a standard report or dashboard in place? How do you monitor incidents? | Monitoring is performed by a collection of Amazon managed services working together (CloudWatch, CloudTrail, GuardDuty…). The following items are also monitored: RDS database critical metrics (CPU and storage)… |
| Configuration management | Free text field – describe and document how you manage the whole cycle of the security configuration for your technology to ensure a proper level of security and privacy. This includes the measures to prevent unauthorised access, configuration definition, implementation, monitoring, and review, taking into consideration technology, operational, and business processes. | |
| Information deletion | Free text field – describe the processes implemented for deleting data that is no longer required. Data deletion processes are required to avoid leakage of sensitive information and to enable compliance with privacy and other requirements. Information deletion covers deletion in your IT systems, on removable media and devices such as laptops and mobiles, and in cloud services. | |
| Data masking | Free text field – describe how data masking is implemented to protect sensitive data, especially personal data, where it is used for testing, development, or other purposes where the original data is not needed. | |
| Data leakage prevention | Free text field – describe what measures or solutions you have in place to prevent and detect unauthorised disclosure of data from within your organisation to an external entity (for example, access controls, encryption, monitoring and detection tools, awareness training, etc.). | |
| Web filtering | Free text field – describe the filtering measures implemented to prevent access to websites that may pose a security risk. | |