Forum Discussion
Clause9, Nov 29, 2022
ISO/IEC 27001 ISMS in SharePoint Online - Mapping controls to risks
After some guidance on an approach to the following challenge please... I'd like to extend the very basic functionality of a simple risk register SP list by recording existing or required ISO 270...
GuVdv, Jan 03, 2023
Isn't this as easy as creating a separate list with all Annex A controls and then in the risk register you create a Lookup column pointing to the Controls list. You can have it as a multi-select.
I suppose this covers your need?
BTW I'm currently managing our ISMS on top of SharePoint in order to keep track of all ISO27001 requirements. I feel that a lot of companies want to have the same and therefore I'm thinking of launching a commercial template framework that can help companies to immediately kick-off a certification project out of the box.
Would anybody be interested in paying for such template package?
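The "separate controls list plus a multi-select lookup column" approach suggested above, written out as an added PnP PowerShell example (this is not the poster's own template or code). It assumes the PnP.PowerShell module is installed and can sign in interactively (newer module versions also require a registered app ID on Connect-PnPOnline), the site URL and list names are placeholders, and the four control rows are a constructed sample whose wording should be checked against a licensed copy of ISO/IEC 27001:2022.

```powershell
# Added example (not from the thread): build an Annex A controls list and a
# multi-select lookup column on the risk register with PnP PowerShell.
# Assumptions: PnP.PowerShell is installed, the site URL and list names are
# placeholders, and the control rows are a constructed sample.
#Requires -Modules PnP.PowerShell

$SiteUrl      = "https://contoso.sharepoint.com/sites/ISMS"   # placeholder
$ControlsList = "Annex A Controls"
$RiskList     = "Risk Register"

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Controls list: Title holds the control ID (e.g. 5.1), plus name and theme.
if (-not (Get-PnPList -Identity $ControlsList -ErrorAction SilentlyContinue)) {
    New-PnPList -Title $ControlsList -Template GenericList | Out-Null
    Add-PnPField -List $ControlsList -DisplayName "Control Name" -InternalName "ControlName" `
        -Type Text -AddToDefaultView | Out-Null
    Add-PnPField -List $ControlsList -DisplayName "Theme" -InternalName "Theme" -Type Choice `
        -Choices "Organizational","People","Physical","Technological" -AddToDefaultView | Out-Null
}

# Constructed sample rows (IDs follow the 2022 Annex A numbering).
$sample = @(
    @{ Title = "5.1";  ControlName = "Policies for information security";       Theme = "Organizational" },
    @{ Title = "5.15"; ControlName = "Access control";                          Theme = "Organizational" },
    @{ Title = "8.8";  ControlName = "Management of technical vulnerabilities"; Theme = "Technological" },
    @{ Title = "8.24"; ControlName = "Use of cryptography";                     Theme = "Technological" }
)
foreach ($row in $sample) {
    $caml = "<View><Query><Where><Eq><FieldRef Name='Title'/><Value Type='Text'>$($row.Title)</Value></Eq></Where></Query></View>"
    if (-not (Get-PnPListItem -List $ControlsList -Query $caml)) {
        Add-PnPListItem -List $ControlsList -Values $row | Out-Null
    }
}

# 2. Multi-select lookup on the risk register pointing at the controls list.
#    Add-PnPField cannot set the target list for a lookup, so the field is
#    defined as CAML XML; Mult="TRUE" makes it multi-select.
$controlsId = (Get-PnPList -Identity $ControlsList).Id
$fieldXml = @"
<Field Type="LookupMulti" Mult="TRUE" DisplayName="Annex A Controls"
       Name="AnnexAControls" StaticName="AnnexAControls"
       List="{$controlsId}" ShowField="Title" />
"@
if (-not (Get-PnPField -List $RiskList -Identity "AnnexAControls" -ErrorAction SilentlyContinue)) {
    Add-PnPFieldFromXml -List $RiskList -FieldXml $fieldXml | Out-Null
}

# 3. Map one risk to several controls: a multi-lookup is set with the
#    controls' list item IDs, so look them up by control number first.
$inQuery = "<View><Query><Where><In><FieldRef Name='Title'/><Values>" +
           "<Value Type='Text'>5.15</Value><Value Type='Text'>8.24</Value>" +
           "</Values></In></Where></Query></View>"
$ids = Get-PnPListItem -List $ControlsList -Query $inQuery | ForEach-Object { $_.Id }
Add-PnPListItem -List $RiskList -Values @{
    Title          = "Unauthorised access to customer data in file shares"   # constructed risk
    AnnexAControls = $ids
} | Out-Null
```

Keeping the control number in Title means the lookup column shows "5.15; 8.24" in list views and the controls list can carry extra columns (theme, implementation status, evidence links) that a grouped view of the risk register can then surface per control.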
- Tony_Sheppard, Feb 20, 2023: I'm in the process of looking at moving from my older Excel templates to something a bit more usable within SP. I'm also involved in a project looking at mapping other standards too, as part of defining security standards relevant to education settings ... so whatever I have within SP needs to be able to flow out to external resources.
- Clause9, Feb 23, 2023: PowerAutomate is pretty useful for flowing actions / data out of SP to other resources - there's a bunch of connectors to other systems if simple email isn't sufficient.
As far as mapping to other standards, I'm sure you're aware that there's already heaps of resources available for mapping controls - just be aware that many of these mappings forget that ISO 27001 is more than just the controls in Annex A. The management system processes in clauses 4 - 10 also need to be mapped...
- Clause9, Jan 24, 2023: Sorry again GuVdv, missed seeing that you'd responded due to O365 quarantine 😞
I'll take a look at creating a separate list and inserting a lookup column - sounds within my very meagre capabilities 🙂
Re SP-based ISMS - based on my experience supporting SMEs on their ISMS, I reckon there's a potential market.
I work with a range of clients, all of which find M365 a useful platform for managing the ISMS. I've migrated various elements of client ISMS to SP lists, set up Planner boards and configured PowerAutomate to create scheduled tasks and reports. Examples of how used include document registers with alerts on doc reviews, supplier risk assessment and review lists with alerts to relationship owner when review is due, Planner boards for risk treatment and improvement actions with usual To Do, In Progress, Blocked, and Complete boards, Info and HW asset registers etc.
There's so much more that could be done if you know SP and the other integrated M365 apps such as PowerAutomate, Planner etc. One area that I think would go down well is an ISMS dashboard with some pretty graphs and charts (risk position, open actions, overdue actions, actions per ISMS team/role, etc).
Happy to discuss sometime if you want to explore scope of what could be done - I have some knowledge of 27001 - I've implemented in a number of companies, I provide ISMS management and support on a freelance basis, I audit ISMS (internal and CB), and (for my sins) I sit on IST/33/1, the UK National Standards Body Committee that help develop the standard.
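The "alert the owner when a document review is due" pattern mentioned above, as an added PnP PowerShell example that can be run on a schedule (this is not the poster's own flow; the same logic maps onto a scheduled Power Automate flow with a "Get items" filter). Assumptions: the document register is a list named "Document Register" with a DocOwner person column and a NextReview date column, the site URL is a placeholder, the Send-PnPMail call has permission to send from the connected account, and the 14-day lead time is an arbitrary choice.

```powershell
# Added example (not from the thread): find ISMS documents whose review date
# is overdue or within a lead-time window and email each owner one summary.
# Assumptions: list/column names and site URL are placeholders; DocOwner is a
# Person column and NextReview a DateTime column.
#Requires -Modules PnP.PowerShell

$SiteUrl = "https://contoso.sharepoint.com/sites/ISMS"   # placeholder
$List    = "Document Register"
$Window  = 14   # days of warning before the review date

Connect-PnPOnline -Url $SiteUrl -Interactive

# CAML: NextReview on or before today + window. <Today OffsetDays> lets
# SharePoint evaluate the date server-side, so no client time zone fiddling.
$caml = @"
<View>
  <Query>
    <Where>
      <Leq>
        <FieldRef Name='NextReview'/>
        <Value Type='DateTime'><Today OffsetDays='$Window'/></Value>
      </Leq>
    </Where>
    <OrderBy><FieldRef Name='NextReview'/></OrderBy>
  </Query>
</View>
"@

$due = Get-PnPListItem -List $List -Query $caml

# Group by owner so each person receives a single message listing their documents.
$byOwner = $due | Group-Object { $_.FieldValues.DocOwner.Email }
foreach ($group in $byOwner) {
    $lines = $group.Group | ForEach-Object {
        $d     = [datetime]$_.FieldValues.NextReview
        $state = if ($d -lt (Get-Date).Date) { "OVERDUE since" } else { "due" }
        "- $($_.FieldValues.Title): $state $($d.ToString('yyyy-MM-dd'))"
    }
    $body = "The following ISMS documents need review:`n`n" + ($lines -join "`n")
    Send-PnPMail -To $group.Name -Subject "ISMS document reviews due" -Body $body
}
```

Running this from a scheduled task with an app-only certificate login rather than an interactive user is the usual production shape; the query and grouping are unchanged, only the Connect-PnPOnline parameters differ.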