- 1. QUICK START GUIDE
- 2. MANAGING RISKS
- 3. MANAGING CONTROLS, ASSETS AND VULNERABILITIES
- 4. PROJECT SETUP
- 4.1. Overview
- 4.2. Settings
- 4.3. Enabling the Information Security Risk Manager
- 5. LIMITATIONS
1. QUICK START GUIDE
- Create or choose a specific company-managed Jira Project you intend to use for Infosecurity Risk Management.
- Open the InfoSec Dashboard from the global apps page.
- Click on the “Set Up InfoSec Risk Management“ and choose the Jira project from the list of available projects.
- Next, you will see the setup overview (configuration that will be added to the project).
- Confirm the selection to enable the InfoSec Dashboard view.
- On top of the page you will find all related links (Risk Table for risk management, Controls and Assets Register links)
- The dashboard page provides overview of the risk management status, traceability information and ISO/IEC 27001 checklist.
- On the dashboard page you can also track your progress of implementing the ISO/IEC 27001 requirements.
2. MANAGING RISKS
Risk management for InfoSec risks is divided into 2 sheets and managed via the Risk Table view in the selected Jira project.
The risks can be accessed from the InfoSec dashboard (link in the header of the page) or directly from Jira project (Apps -> Risk Manager -> Risk Table).
ISO/IEC 27001 Risk Table consists of 2 sheets:
- Asset-Based Risk Management Table (for your InfoSec Risks);
- Information Security Management System implementation project risks.
Read more about how to customize and operate the risk table from the Risk Manager Plus (Cloud) User Guide.
Risk models can be fully customized i.e. you can set up the risk acceptability criteria and risk characteristics and their descriptions based on your risk management process. The available risk models’ setup guide is also available in the Risk Manager Plus on Cloud User Guide.
3. MANAGING CONTROLS, ASSETS AND VULNERABILITIES
The InfoSec Risk Manager has 3 different Object Registers out-of-the-box:
- ISO/IEC 27001 Annex A Controls;
- Assets Register;
- Vulnerabilities Register.
Read mode about Object Register from the Risk Manager Plus on Cloud User Guide.
The structure and the data in the registers are fully customizable. The ISO/IEC 27001 Controls Register has the recommended structure for the Statement of Applicability document. You can therefore use this register to create and maintain your SOA document.
The two registers (Controls and Assets) are connected to the Risk Table (Asset-Based Risk Table) but you can configure the registers as you need.
We suggest to keep Controls in the register and link your risks to the controls to get adequate traceability information in your InfoSec Dashboard.
Since the traceability information in the Dashboard is pulled from the registers, the traceability information may end up incorrect when your Controls and Assets are not in these registers in the Jira project.
4. PROJECT SETUP
Information Security Risk Management includes the following:
- InfoSec Dashboard with its features can be disabled/enabled from the Settings.
- Risks can also be managed when the InfoSec dashboard is disabled.
Users can change the three sections of the traceability (risk project, controls register, assets register) any time from the InfoSec Settings page in order to get a traceability overview between different objects.
4.3. Enabling the Information Security Risk Manager
To enable risk management in any Jira project you need to assign a risk model to it. You can assign a risk model to a Jira project from 2 different locations:
- from the Risk Models list (on global application page); or
- from the Jira project page (Enable Risk Management first).
You can add/remove additional risk models in the Jira Project settings.
NB! Use the Risk Table view for everyday risk management.
Information Security Risk Manager application is a limited edition of the SoftComply Risk Management Plus application, with the following limitations compared to the Risk Manager Plus app.
- 3 Risk Models are supported in the InfoSec Risk Manager app. The Risk Manager Plus supports an unlimited number of Risk Models.
- Risk Models cannot be added/removed in the InfoSec Risk Manager, only updating of Risk Models is allowed.
- 3 dimensional Risk Matrix is not supported in the InfoSec Risk Manager while it is supported in the Risk Manager Plus.
- 2 Risk Tables are supported in the InfoSec Risk Manager app. The Risk Manager Plus supports an unlimited number of different Risk Tables.
- Sheets in the Risk Tables of the InfoSec Risk Manager cannot be added or removed.
- 3 Object Registers are supported in the InfoSec Risk Manager. The Risk Manager Plus supports an unlimited number of Registers.