To all security officers and managers out there. Would there be any interest in an ISMS Management and reporting toolkit, which could assist in the following:
Planning, management and reporting of:
◦Strategic initiatives (NIST & ISO27001 and customization to suit your needs)
◦Tactical initiatives (Prioritize and track high focus action items)
◦Project initiatives (Track and manage InfoSec related projects)
◦Incident tracking to RCA completion
◦Security posture improvement program, utilizing MITRE attack framework to be used in red/blue team exercise
◦Governance framework tracking policy, standards, process, architecture artefacts and review cycles with RACI model
◦Tracking and reporting on key operational InfoSec areas, covering anti-malware management, patch management, security configuration management, encryption, account management & vulnerability management
◦Drill-down reporting and Roll-up reporting from technical view up to risk management view
I think such toolkits exist already.
There are the various GRC tools. Various of the companies pushing for ISO27001/ISMS certification offer various toolsets either free or fee. There is Apptega, which works with various frameworks, etc.
How does it compare with tools like?
I have attached a sample report from the "ISMS Management & Reporting Toolkit". This is still in a fairly rough state, but this should provide you with an overview in terms of capability and reporting output.
Please provide feedback and let me know if this is something you would be interested in using in your environment.