We are evaluating options for implementing ISO27001. We believe we will need a tool to manage our documentation and testing of controls, manage risks and support the audit for our certification.
We have seen tools which are just focussed on supporting tasks and documentation (I think of these as a vertical specific JIRA) and others which claim to integrate with our infrastructure and applications (eg: AWS and Salesforce) to “automatically” identify risks, controls and create incidents for review/remediation.
Question:
What system are you using to manage your ISO27001 or similar compliance? How integrated is it with your other systems?
Hey,
In terms of managing our ISO implementation, we used sharepoint lists. We had specific lists that scheduled internal audits, vendor reviews and any other regular activity that needed to be tracked. This worked quite well, and we used Power automate to send calendar invites, summary updates etc. We used SharePoint document storage to handle document versioning, access control and sharing with external consultants. This was a no $$ cost solution as we had SharePoint anyways as part of the o365 suite.
For technical monitoring, we used Rapid7 Vulnerability Management to identify our vulnerabilities across our assets. This tool automatically flagged any endpoint that had a known vulnerability. It sourced its information from their database, CISA and Mitre. This was useful because we could then use Microsoft InTune to push updates if required and we used Microsoft AD for access control. We also used Rapid7 Insight platform to flag security incidents and manage them through to completion. Note the use of Rapid7 and InTune etc is not mandated by ISO, but are tools that help secure your organisation, which is why we use.
So with the use of Office 365 and a couple of other tools, we did not need to look at any tools for ISO management. Remember ISO is a management system, so most of the work is around maintaining documentation (plans, policies and procedures), keeping audit and incident records and tracking the effectiveness of the system, all of this could be managed by existing systems in your enterprise.
If you want a deeper answer on what/how we did, I am happy to take a call.
Ashis
Hi Ashis,
interesting approach - did you get a feel for the effort hours to build internally? I’m assuming you had a dev team that supported you with Power/Sharepoint?
Hi.
I had a team of three and I did most of the PowerAutomate work (including learning it). I should point out, that there is not much work to setting up the SharePoint lists and then applying automation. Its not a coding effort so you don’t need a ‘coder’ but someone that understands the process you need and a bit of logic and flow mind set.