Controls

In this list, all the controls from the ISO/IEC 27002 standard are registered. The system is already adapted to the 2022 version of the standard and has all the functions required. You can save a lot of time by having these imported; contact our support if you want this. Controls are also used by other standards, such as ISO 22000 (food safety).

Explanation for some tabs/fields

  • Controls

    • Category: choose your own categorization of the security measures if you handle many different types

    • Source: which standard or chapter of the standard these come from, possibly other requirements

    • Responsible: this person owns the security measure itself and will be notified at the next audit

    • Next audit: notice of an audit will be sent to the Responsible on this date and every 14 days thereafter

    • Optional: if the security measure is no longer used, it is "un-tagged".

    • Status: the field makes it easier to choose the right control in Risk, Assets and Purpose. If you choose "4. Not applicable" you must fill in an explanation of why, as ISO/IEC 27001 requires for the Statement of Applicability. The available choices are:

      • 1. To be implemented

      • 2. Partially implemented

      • 3. Implemented

      • 4. Not applicable

  • Themes and Attributes

    • These are selected according to the ISO/IEC 27002:2022 standard.

  • Action plan

    • When new measures are entered, they can be linked to predefined Action Plans. Since measures have cost fields, the cost picture for each Action Plan is summarized automatically.

    • Action plans are important to use since one and the same security measure may have to be implemented in several different places and updated several times.

  • Risks

    • The security measures can themselves be risk assessed, which in some cases is very important for deciding how, and whether, they should be implemented.

Structure

Visually, the structure can be represented in this way:

  • A control has a form with several fields as described above.

  • One or more actions may be added, each of which can be linked to an Action plan. An action cannot be linked to more than one parent ("mother").

  • Each control can be risk evaluated. The easiest way is to choose a risk and evaluate it. See the risk module for details.
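As an added example (not the product's own code), the rules described above for a control can be expressed as a small Python model: "4. Not applicable" requires a justification, a Responsible must be set, audit notices go out on the Next audit date and every 14 days after, an action belongs to at most one Action Plan, and costs are summarized per plan while skipping "un-tagged" controls. Field names, the assumption that the cost field sits on the action, and the sample control data are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Status values exactly as the Controls form lists them (page text).
STATUSES = ("1. To be implemented", "2. Partially implemented",
            "3. Implemented", "4. Not applicable")
REMINDER_DAYS = 14  # audit notices repeat every 14 days (page text)

@dataclass
class Action:
    name: str
    cost: float            # assumption: cost is recorded per action
    action_plan: str = ""  # at most one "mother" plan per action

@dataclass
class Control:
    control_id: str
    status: str
    responsible: str
    next_audit: date
    justification: str = ""  # mandatory for "4. Not applicable"
    in_use: bool = True      # False means the control is "un-tagged"
    actions: list = field(default_factory=list)

def validate_control(c: Control) -> list[str]:
    """Findings an SoA consistency check raises for one control."""
    problems = []
    if c.status == STATUSES[3] and not c.justification.strip():
        problems.append(f"{c.control_id}: 'Not applicable' needs a justification")
    if not c.responsible:
        problems.append(f"{c.control_id}: no Responsible assigned")
    return problems

def reminder_dates(c: Control, today: date, horizon_days: int = 60) -> list[date]:
    """Dates on which Responsible is notified: next_audit, then every 14 days."""
    out, d = [], c.next_audit
    while d <= today + timedelta(days=horizon_days):
        if d >= today:
            out.append(d)
        d += timedelta(days=REMINDER_DAYS)
    return out

def plan_costs(controls: list[Control]) -> dict[str, float]:
    """Summarize action costs per Action Plan, skipping un-tagged controls."""
    totals: dict[str, float] = {}
    for c in controls:
        for a in (c.actions if c.in_use else []):
            if a.action_plan:
                totals[a.action_plan] = totals.get(a.action_plan, 0.0) + a.cost
    return totals
```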

[Figure: structure diagram of a control with its actions, Action plans and risk evaluation (image-20240902-062400.png)]

Videos

Tagging

Controls are used in several places in the system to document where they have an effect:

  • Assets under the Actions tab: to show that they affect the current Asset

  • Objectives under the Actions tab: to show that they affect the relevant Objective

  • Risk: to show that they are helping to reduce the risk / take advantage of the opportunity

Reports

The work done on the Controls forms the basis for several information security reports, such as the Statement of Applicability (SoA).