Forum Discussion

Clause9
Copper Contributor
Nov 29, 2022

ISO/IEC 27001 ISMS in SharePoint Online - Mapping controls to risks

After some guidance on an approach to the following challenge please...

I'd like to extend the very basic functionality of a simple risk register SP list by recording existing or required ISO 27001 Annex A information security controls for each risk entry - as there are 114 controls in ISO/IEC 27001:2013 and 93 controls in the newly released 2022 version, I don't think a simple choice column is going to be appropriate.

In my current list, I have a multi-line text column that is used to describe the current control environment - ideally I'd like to have another column with some form of multi-select pick list that could be used to map the text descriptions to one or more ISO 27001 Annex A controls.

Similarly, I have a multi-line text field for describing necessary risk treatment actions and I'd like to have another column mapping these to one or more Annex A controls.

The nirvana would be the ability to use the controls selected in these new columns to populate another list recording all controls that have been selected.

Any suggestions on how this could be implemented in M365 SharePoint would be gratefully received.

Thanks in advance

  • GuVdv
    Copper Contributor
    Isn't this as easy as creating a separate list with all Annex A controls and then in the risk register you create a Lookup column pointing to the Controls list. You can have it as a multi-select.

    I suppose this covers your need?

    BTW I'm currently managing our ISMS on top of SharePoint in order to keep track of all ISO27001 requirements. I feel that a lot of companies want to have the same and therefore I'm thinking of launching a commercial template framework that can help companies to immediately kick-off a certification project out of the box.
    Would anybody be interested in paying for such template package?
    • Tony_Sheppard
      Copper Contributor
      I'm in the process of looking at moving from my older excel templates to something a bit more usable within SP. I'm also involved in a project looking at mapping other standards too, as part of defining security standards relevant to education settings ... so whatever I have within SP needs to be able to flow out to external resources.
      • Clause9
        Copper Contributor
        PowerAutomate is pretty useful for flowing actions / data out of SP to other resources - there's a bunch of connectors to other systems if simple email isn't sufficient.

        As far as mapping to other standards, I'm sure you're aware that there's already heaps of resources available for mapping controls - just be aware that many of these mappings forget that ISO 27001 is more than just the controls in Annex A. The management system processes in clauses 4 - 10 also need to be mapped...
    • Clause9
      Copper Contributor
      Sorry again GuVdv, missed seeing that you'd responded due to O365 quarantine 😞

      I'll take a look at creating a separate list and inserting a lookup column - sounds within my very meagre capabilities 🙂

      Re SP-based ISMS - based on my experience supporting SMEs on their ISMS, I reckon there's a potential market.

      I work with a range of clients, all of which find M365 a useful platform for managing the ISMS. I've migrated various elements of client ISMS to SP lists, set up Planner boards and configured PowerAutomate to create scheduled tasks and reports. Examples of how it's used include document registers with alerts on doc reviews, supplier risk assessment and review lists with alerts to the relationship owner when a review is due, Planner boards for risk treatment and improvement actions with the usual To Do, In Progress, Blocked, and Complete boards, Info and HW asset registers etc.

      There's so much more that could be done if you know SP and the other integrated M365 apps such as PowerAutomate, Planner etc. One area that I think would go down well is an ISMS dashboard with some pretty graphs and charts (risk position, open actions, overdue actions, actions per ISMS team/role, etc).

      Happy to discuss sometime if you want to explore scope of what could be done - I have some knowledge of 27001 - I've implemented in a number of companies, I provide ISMS management and support on a freelance basis, I audit ISMS (internal and CB), and (for my sins) I sit on IST/33/1, the UK National Standards Body Committee that help develop the standard.
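As an added example (not code posted in this thread), the PnP PowerShell script below implements GuVdv's suggestion of a separate Controls list plus multi-select Lookup columns, and then builds the "all controls selected" list that the original post describes. It assumes PnP.PowerShell is installed, a site at https://contoso.sharepoint.com/sites/ISMS that already contains a "Risk Register" list, and the list and column names used here; all of those are assumptions, as are the two seed control rows.

```powershell
# Added example, not code from the thread. Uses PnP PowerShell against an
# assumed site that already has a "Risk Register" list. List names, column
# internal names and the seed rows are assumptions chosen for illustration.

Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/ISMS" -Interactive

# 1. Controls list. Title carries "ref - name" so the lookup shows both;
#    ControlRef is kept as its own text column for sorting and filtering.
$controls = New-PnPList -Title "Annex A Controls" -Template GenericList
Add-PnPField -List $controls -DisplayName "Control Ref" -InternalName "ControlRef" `
    -Type Text -AddToDefaultView | Out-Null

# Constructed seed rows; in practice import all 93 (2022) or 114 (2013) from a CSV.
$seed = @(
    @{ ControlRef = "A.6.1"; Title = "A.6.1 - Screening" },
    @{ ControlRef = "A.6.2"; Title = "A.6.2 - Terms and conditions of employment" }
)
foreach ($row in $seed) { Add-PnPListItem -List $controls -Values $row | Out-Null }

# 2. Two multi-select lookups on the risk register: one for the current control
#    environment, one for the treatment plan. Add-PnPField has no multi-value
#    switch, so the column is created from field schema XML (LookupMulti, Mult=TRUE).
$risks = Get-PnPList -Identity "Risk Register"
foreach ($name in "CurrentControls", "TreatmentControls") {
    $fieldXml = @"
<Field ID="{$([guid]::NewGuid())}" Type="LookupMulti" Mult="TRUE" DisplayName="$name"
       Name="$name" StaticName="$name" List="{$($controls.Id)}" ShowField="Title" />
"@
    Add-PnPFieldFromXml -List $risks -FieldXml $fieldXml | Out-Null
}

# 3. "Selected Controls": one row per distinct Annex A control referenced by any
#    risk, listing the risks (and which column) that reference it. This is the
#    job a scheduled Power Automate flow would do; the script rebuilds the list
#    from scratch so re-running it is idempotent.
$selected = Get-PnPList -Identity "Selected Controls" -ErrorAction SilentlyContinue
if (-not $selected) {
    $selected = New-PnPList -Title "Selected Controls" -Template GenericList
    Add-PnPField -List $selected -DisplayName "Referenced By" -InternalName "ReferencedBy" `
        -Type Note -AddToDefaultView | Out-Null
}
Get-PnPListItem -List $selected -PageSize 500 |
    ForEach-Object { Remove-PnPListItem -List $selected -Identity $_.Id -Force }

$byControl = @{}
$riskCount = 0
foreach ($risk in Get-PnPListItem -List $risks -PageSize 500) {
    $riskCount++
    foreach ($col in "CurrentControls", "TreatmentControls") {
        # A LookupMulti value is returned as an array of FieldLookupValue objects
        # (LookupId, LookupValue); an empty column comes back as $null.
        foreach ($lv in @($risk.FieldValues[$col])) {
            if ($null -eq $lv) { continue }
            if (-not $byControl.ContainsKey($lv.LookupValue)) {
                $byControl[$lv.LookupValue] = New-Object System.Collections.Generic.List[string]
            }
            $byControl[$lv.LookupValue].Add("Risk $($risk.Id) '$($risk['Title'])' ($col)")
        }
    }
}
foreach ($ctrl in ($byControl.Keys | Sort-Object)) {
    Add-PnPListItem -List $selected -Values @{
        Title        = $ctrl
        ReferencedBy = ($byControl[$ctrl] -join "`n")
    } | Out-Null
}
"$($byControl.Count) distinct controls referenced across $riskCount risks"
```

Two caveats worth knowing before relying on this. A multi-value lookup cannot use the "restrict delete" relationship behaviour that single-value lookups offer, so deleting a row from the Controls list silently leaves dangling references in the risk register; restrict delete rights on that list to the ISMS owner. And because step 3 rebuilds "Selected Controls" from scratch, any justification text typed into that list by hand is lost on each run; if the list is to grow into a Statement of Applicability, key rows by control and update them in place instead of deleting.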

  • RobElliott
    Silver Contributor

    Clause9 I think you would need to do this with Power Apps with the 93 controls, the control environments and the controls selected as separate lists as your data source. It could be done either as a Power Apps customised form in your "main" list (the controls selected?) or as a standalone app. The 93 controls would be checkboxes or toggles, probably checkboxes, and you'd add a save button to the form to patch what is selected to the relevant lists.

    If you can post a few screenshots with examples of the data I could show you better how to build it.

    Rob
    Los Gallardos
    Intranet, SharePoint and Power Platform Manager (and classic 1967 Morris Traveller driver)

    • Clause9
      Copper Contributor
      Hi Rob, really sorry for the lack of response to your post; good old O365 filter blocked the message informing me that I had a response and I haven't visited my email quarantine page since the Christmas break!! Anyhoo, have now seen it....

      Re PowerApps customised form - sounds great but I've no idea what this would look like or how it would work so any guidance would be greatly appreciated.

      As far as a screenshot of as-is, not sure if this would help as I don't have anything worth referencing. There's a simple multi-line text column for a description of the current controls (e.g. "We carry out pre-employment screening, all personnel have contracts of employment") but nothing (yet) for recording the actual controls selected from (in this case) Annex A of ISO 27001 (e.g. A.6.1 - Screening, A.6.2 - Terms and conditions of employment) that would align with the text-based description.

      Any guidance or tips would be really useful...
  • atuldhamne
    Copper Contributor
    Dear Clause9,
    Though I am not a SharePoint expert, I am in exactly the same boat, trying to map the ISMS beyond the Risk Register in SharePoint Online.
    Eager to know any updates from Microsoft.

    Regards
    Atul
