charlpl
Newcomer II

ISMS management and reporting toolkit

To all security officers and managers out there: would there be any interest in an ISMS management and reporting toolkit that could assist with the following?


Planning, management and reporting of:
◦Strategic initiatives (NIST & ISO 27001, with customization to suit your needs)
◦Tactical initiatives (prioritize and track high-focus action items)
◦Project initiatives (track and manage InfoSec-related projects)
◦Audit findings
◦Incident tracking through to RCA completion
◦Security posture improvement program, utilizing the MITRE ATT&CK framework for use in red/blue team exercises
◦Governance framework tracking of policy, standards, process and architecture artefacts and their review cycles, with a RACI model
◦Tracking and reporting on key operational InfoSec areas, covering anti-malware management, patch management, security configuration management, encryption, account management and vulnerability management
◦Drill-down reporting and roll-up reporting from the technical view up to the risk management view

5 Replies
emb021
Advocate I

I think such toolkits exist already.


There are the various GRC tools. Various companies pushing for ISO 27001/ISMS certification offer toolsets, either free or for a fee. There is Apptega, which works with various frameworks, etc.


---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
charlpl
Newcomer II

Hi. Thanks for the response. However, this tool also provides fine-grained security controls and testing in a red/blue team scenario, using very specific attack vectors from MITRE as guidelines. The tool also does very fine-grained management of InfoSec tasks across all areas: ops, strategy, audit, projects and attack vectors.

Wayne_Evans
Newcomer III

How does it compare with tools like this one?
https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/

Kind Regards,
Wayne

charlpl
Newcomer II

Hi

CIS-CAT Pro only does secure configuration auditing against CIS. This tool would essentially ingest that information and spit out trend reporting on CIS compliance, for example. Other information would also be ingested, such as anti-malware, patch management, account management, etc. That is just from an operational reporting point of view. Other reports would provide technical data which could roll up to risk reporting to cover areas such as strategy (ISO 27001 or NIST), InfoSec project management and reporting, audit tracking, and red/blue team planning for all attack vectors. Based on all the above, a tactical plan can be formulated to address all high-risk priority items. The management, task tracking and reporting will all be done within this tool.
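The ingest-and-roll-up idea in the post above, as an added illustration (not code from the thread, from the toolkit being described, or from CIS-CAT Pro): the records below are constructed to resemble a configuration-audit export with host, scan date, control ID and pass/fail. The field names and control IDs are assumptions, not CIS-CAT Pro's actual output schema, which you would map into this shape first. The functions give the drill-down view (pass ratio per host per scan), the roll-up view (fleet trend per scan cycle) and the tactical list of controls that keep failing across cycles.

```python
"""Roll up per-host configuration-audit results into compliance trends.

Added example, not code from the forum thread or from any vendor tool.
The input records are constructed to look like a benchmark-audit export;
they are NOT CIS-CAT Pro's real output format.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Result:
    host: str
    scanned: str    # ISO date of the scan cycle (sorts lexicographically)
    control: str    # benchmark control identifier (constructed, e.g. "1.1.1")
    passed: bool


# Constructed sample: two hosts across two monthly scan cycles.
SAMPLE = [
    Result("web01", "2023-01-01", "1.1.1", True),
    Result("web01", "2023-01-01", "1.1.2", False),
    Result("web01", "2023-01-01", "5.2.1", False),
    Result("db01",  "2023-01-01", "1.1.1", True),
    Result("db01",  "2023-01-01", "1.1.2", True),
    Result("db01",  "2023-01-01", "5.2.1", False),
    Result("web01", "2023-02-01", "1.1.1", True),
    Result("web01", "2023-02-01", "1.1.2", True),
    Result("web01", "2023-02-01", "5.2.1", False),
    Result("db01",  "2023-02-01", "1.1.1", True),
    Result("db01",  "2023-02-01", "1.1.2", True),
    Result("db01",  "2023-02-01", "5.2.1", True),
]


def host_compliance(results):
    """Drill-down view: pass ratio per (scan date, host)."""
    buckets = defaultdict(list)
    for r in results:
        buckets[(r.scanned, r.host)].append(r.passed)
    return {key: sum(flags) / len(flags) for key, flags in buckets.items()}


def trend(results):
    """Roll-up view: fleet-wide compliance per scan cycle.

    Each host is weighted equally (mean of host ratios), so a host with
    many controls does not dominate one with few.
    """
    by_date = defaultdict(list)
    for (scanned, _host), ratio in host_compliance(results).items():
        by_date[scanned].append(ratio)
    return {d: mean(ratios) for d, ratios in sorted(by_date.items())}


def persistent_failures(results, min_cycles=2):
    """Tactical list: (host, control) pairs failing in >= min_cycles scan cycles.

    These are the items that a remediation plan should prioritise, since a
    single failed cycle may just be a scan timing or rollout artefact.
    """
    failed_cycles = defaultdict(set)
    for r in results:
        if not r.passed:
            failed_cycles[(r.host, r.control)].add(r.scanned)
    return {key for key, cycles in failed_cycles.items() if len(cycles) >= min_cycles}


if __name__ == "__main__":
    for cycle, ratio in trend(SAMPLE).items():
        print(f"{cycle}: fleet compliance {ratio:.1%}")
    for host, control in sorted(persistent_failures(SAMPLE)):
        print(f"persistent failure: {host} control {control}")
```

In practice the `SAMPLE` list is replaced by a loader that normalises each scanner's export (configuration audit, patch status, anti-malware state) into `Result` records; once everything is in one shape, the same roll-up functions serve every operational area.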
charlpl
Newcomer II

Hi All

I have attached a sample report from the "ISMS Management & Reporting Toolkit". This is still in a fairly rough state, but it should provide you with an overview of the capability and reporting output.
Please provide feedback and let me know if this is something you would be interested in using in your environment.


Sample ISMS Report


Regards