IT Infrastructure X-Ray
ISO 27001 requires you to define a scope for your ISMS, meaning that you need to state what is in scope and what is out of scope. Defining the components of your IT infrastructure will help you define that scope.
Next to that, this overview will be a great support when preparing for certification, as it summarises all the ISMS information you will need to share with your external auditor at the start of the audit.
Once you have added this information, you can create a PDF and use it during compliance processes with your customers, providing them with general, high-level security information on certain parts of your infrastructure.
First of all, the most important tip: be modest. Never add components that you intend to develop in future; this is not a sales pitch. Only components that are in place will be part of your scope. It is much easier to build an ISMS around a limited set of components than around a complex infrastructure with multiple products and services. Starting small is to your benefit. So no business development plans… limit it to the current state.
In this section you can add components, depending on your IT infrastructure, value proposition and data flows. Together, all the components form a visual of your ISMS organisation: your X-Ray. Below you can find an example of an X-Ray. In this example we have 5 components in place.
1. App environment
2. AWS environment (data storage)
3. Azure-Power BI (data analytics)
4. Web Portal for Customers
5. Separate Web Portal for SuperCoolCustomer Team
You can already prepare some of the components; we will then plan an X-Ray Session and co-create your X-Ray with you.
- Start by creating components. First check the drop-down list (Type of component). Every type of component has its own template with requests for information.
- Choose the components that apply to you (multiple are possible), add a name in the top field (X-Ray Component) and save using the yellow button at the top right:
- App: add the name of the app
- Web Portal: a web application for your customers or end-users, or for your own team; name that product/portal
- Server Environment: your cloud environment (AWS, Google, Azure, local, own server, etc.); add the name of the supplier. If you have multiple server environments, add more. You will also have to choose whether this is outsourced (AWS, Google, etc.) or whether you run your own server on site. This creates a different template.
- Office Network: this is your office; even if you have an online office and work only remotely, you will need to add this component.
- API/SDK Environment: not every API needs to become a separate component, only if it is a specific part of your product/service
- Other: we are in the process of defining more types of components; in the meantime you can use this general component template for e.g. a blockchain environment or other technologies.
- If you are not sure, do not add it; we will co-create during the X-Ray Session.
- Once you have created components, you will be able to edit their content. Every component has different topics to address and Helper buttons with tips or questions that help you add information. Keep the information high level and add links to your own wiki environment with more detailed information, so that Compleye online is linked to evidence in your own environment. You can add documents and graphics for further explanation. Keep the language understandable for everyone; not all auditors or compliance professionals have a strong technical background.
- Make sure you add no confidential information, as you may want to use the PDF functionality for external communication.
- During the X-Ray Session we will check whether all components are in place and needed.
- Once all information is documented, C-level can approve it after reviewing the content, using the approval features (see below).
- You will make changes to these environments during the year (additional security measures, features or functionality), and you will need to adjust the documentation. Small notes can also be made in the Changes section (see below) to keep track of these changes. This makes them easy to address during audits and keeps your ISMS Team and external partners up to date.
X-Ray Component
free text for the name of the component
Type of component
select from drop-down menu: App / Web Portal / Server Environment / Office Network / API/SDK Environment / Other
free text field: describe at high level the application's purpose, functions and/or intended use
[describe purpose of the app]
free text field: describe the authentication features adopted to access and use the API/SDK environment
Example: All login credentials are stored in LastPass
free text field: describe the server environment, including a description of each component
free text field: indicate and describe the assets stored in the server environment
free text field: describe how access management rights are organised and managed
Example: All access management is documented on Confluence
free text field: if applicable, describe the process of collecting and managing consents obtained for the purpose of processing personal data
Example: consent is prompted during the user registration flow
Type of data collected
free text field: specify the types/categories of personal data collected, stored and processed
Example: self-reported information: gender, year of birth, email address
free text field: indicate the key features of the application
free text field: indicate whether a settings function is available, with its options, including the options that can be changed by the user
User flow overview
free text field: name of the document + upload-the-document functionality
Example: User flow January 2022
Links to more information
free text field: name of the source/link
+ upload a document: for any other relevant product description content or diagram
free text field: what security measures are implemented?
free text field: how do you monitor the quality, security and availability of this component? Is there a standard report or dashboard in place? How do you monitor incidents?
Example: monitoring is performed by a collection of managed Amazon services working in unison (CloudWatch, CloudTrail, GuardDuty…). The following items are also monitored: RDS database critical metrics (CPU and storage)…
+ Add new assessment
Assessment date: select date. Finding: free text
Approvals of assessment & findings
+ Add new review
Approval date: select + click Approve