Ensuring compliance: the vital role of information security risk management in ISO/IEC 27001 – #BHHMembersInitiatives

BHH member SoftComply develops solutions for medical device and digital health regulatory compliance in Atlassian Jira and Confluence – making compliance more affordable, automated and fully integrated into the software developers’ toolset.

SoftComply has over 1,000 client companies and several Jira and Confluence apps on the Atlassian Marketplace. The latest of these is an Information Security Risk Management app supporting compliance with ISO/IEC 27001: the SoftComply Information Security Risk Manager.

In the app, users can define organisation-wide assets, identify potential risks for each asset and link the controls from ISO 27001 to each risk for mitigation.

Information Security Risk Management plays a pivotal role in ensuring compliance with ISO/IEC 27001, a globally recognized standard for Information Security Management Systems (ISMS). ISO/IEC 27001 specifies the requirements for establishing, operating and continually improving an ISMS, and risk management is at the heart of it: clause 6.1.2 requires a documented risk assessment process, and clause 6.1.3 requires a risk treatment process whose output includes the Statement of Applicability.

Integrating Information Security Risk Management with ISO/IEC 27001 compliance is crucial for organizations seeking to protect their valuable information assets and demonstrate their commitment to robust security practices.

By following the systematic risk management process, including the development of a Statement of Applicability, businesses can proactively identify, assess, and mitigate potential threats, while also continuously improving their security measures.

Embracing information security risk management not only ensures compliance with ISO/IEC 27001 but also fosters a culture of security consciousness, safeguarding both the organization’s reputation and its critical data.

Key points of the information security risk management process

  1. Risk Identification: The first step in the information security risk management process involves identifying the risks to the organization’s information assets. This includes understanding the IT infrastructure, the data flows, and the types of information stored, and then asking, per asset, which threats could compromise its confidentiality, integrity or availability and which vulnerabilities those threats could exploit. Each identified risk is assigned a risk owner. A comprehensive risk identification process allows companies to grasp the full spectrum of threats they face and prepares them to address those risks effectively.
  2. Risk Assessment and Analysis: After identifying the risks, each one is assessed for its likelihood of occurrence and its potential impact. The scales and the acceptance threshold (the risk criteria) should be defined before scoring begins, so that assessments are repeatable and comparable across assets. By analyzing the vulnerabilities and potential consequences of each risk, companies can prioritize their response and allocate resources accordingly. This step provides the foundation for developing a robust risk treatment plan.
  3. Risk Treatment and Mitigation: Based on the risk assessment, organizations develop a risk treatment plan that selects appropriate controls and countermeasures for the identified risks. Mitigation is the most common treatment, but a risk can also be accepted, avoided, or shared (for example through insurance or a supplier contract). Controls can include technical measures such as encryption, firewalls, and intrusion detection systems, as well as procedural safeguards like employee training and access management. After treatment, the residual risk is re-assessed and formally accepted by the risk owner.
  4. Statement of Applicability (SoA): In compliance with ISO/IEC 27001, companies must create a Statement of Applicability (SoA) that lists the controls they have determined to be necessary, states whether each is implemented, and gives the justification for including or excluding each Annex A control in their specific business context. The SoA is a crucial document that provides transparency regarding the organization’s security measures and the rationale behind their inclusion or exclusion, and it is one of the first documents an auditor will ask for.
  5. Monitoring and Continuous Improvement: Information security risk management is an ongoing and dynamic process. Regular monitoring and evaluation of the effectiveness of implemented controls, together with internal audits and management reviews, are essential to identify emerging risks or changes in the threat landscape. Continuous improvement ensures that the organization remains resilient and adaptive to evolving security challenges, thereby maintaining compliance with ISO/IEC 27001 and enhancing its overall information security posture.

Managing information security risks in Jira

Jira and Confluence, developed by Atlassian, are widely used products for team collaboration and project management. Jira is an issue and project tracking tool, while Confluence is a collaboration platform for knowledge sharing and documentation. Together they let teams collaborate effectively, communicate transparently, and achieve their goals with greater efficiency.

The SoftComply Information Security Risk Manager has central repositories for assets, vulnerabilities and controls as well as ready-made templates for information security risk management in Jira.

Asset-Based Risk Management Table

Users of the SoftComply Information Security Risk Manager can manage all their risks in the asset-based risk register, where they can format the risk register exactly the way they wish.

The following image shows a fragment of the Information Security Risk Register displaying the first few columns of the table: the Risk/Threat Progress (initial and current risk score), the selected Assets, their related Risks, Risk Categories and Owners.

The SoftComply Information Security Risk Manager comes with a Dashboard containing a Checklist that monitors your progress towards compliance with ISO/IEC 27001, as well as a Traceability Matrix indicating the coverage status between assets, risks and controls.

Users can also generate the Statement of Applicability automatically from the Dashboard.

Checklist of ISO/IEC 27001 Requirements

Users can follow their progress towards ISO/IEC 27001 compliance using the checklist, which measures progress based on the tasks already completed.

The following image shows a fragment of the checklist, illustrating one of the requirements from the standard and its detailed description, with checkboxes for task completion.

Traceability between Assets-Risks-Controls

The SoftComply Information Security Risk Manager provides users with a full traceability overview between assets, risks and controls. This helps users understand the coverage status of assets by risks and controls.

The following image illustrates traceability between risks and controls, highlighting the coverage status as well as the risks that are currently without controls.
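To make the three ideas above concrete (the initial versus current risk score in the register, the asset-risk-control traceability with its uncovered risks, and the Statement of Applicability derived from the linked controls), here is an added Python example. It is illustrative code written for this page, not the SoftComply app's implementation. It assumes a 5×5 likelihood × impact scoring scale and a small subset of the ISO/IEC 27001:2022 Annex A controls as the catalogue; the risk register is constructed sample data, not real customer data.

```python
"""Asset-based risk register with traceability and SoA generation.

Illustrative example, not the SoftComply app's own code. Assumptions:
  * risk score = likelihood x impact on a 1..5 scale (assumed, not the app's formula)
  * CATALOG is a hand-picked subset of ISO/IEC 27001:2022 Annex A controls
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed catalogue: a subset of Annex A controls, id -> name.
CATALOG = {
    "A.5.15": "Access control",
    "A.8.5": "Secure authentication",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.13": "Information backup",
    "A.8.24": "Use of cryptography",
}


@dataclass
class Risk:
    id: str
    asset: str
    threat: str
    category: str
    owner: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                         # 1 (negligible) .. 5 (severe); assumed scale
    controls: list[str] = field(default_factory=list)   # linked Annex A control ids
    residual_likelihood: int | None = None               # re-assessed after treatment
    residual_impact: int | None = None

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact, self.residual_likelihood, self.residual_impact):
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"{self.id}: score {v} outside 1..5")

    def initial_score(self) -> int:
        return self.likelihood * self.impact

    def current_score(self) -> int:
        # Until a control is linked and the risk is re-assessed, current equals initial.
        if not self.controls or self.residual_likelihood is None or self.residual_impact is None:
            return self.initial_score()
        return self.residual_likelihood * self.residual_impact


def uncovered_risks(register: list[Risk]) -> list[str]:
    """Risks with no linked control: the rows a traceability matrix highlights."""
    return [r.id for r in register if not r.controls]


def traceability(assets: list[str], register: list[Risk]) -> dict[str, dict]:
    """Asset -> its risks, the controls reached through them, and whether every risk is treated."""
    matrix = {}
    for asset in assets:
        risks = [r for r in register if r.asset == asset]
        matrix[asset] = {
            "risks": [r.id for r in risks],
            "controls": sorted({c for r in risks for c in r.controls}),
            "covered": bool(risks) and all(r.controls for r in risks),
        }
    return matrix


def validate(register: list[Risk]) -> list[str]:
    """Consistency checks worth running before trusting the register."""
    problems = []
    for r in register:
        problems += [f"{r.id}: unknown control {c}" for c in r.controls if c not in CATALOG]
        if r.current_score() > r.initial_score():
            problems.append(f"{r.id}: residual risk exceeds initial risk")
    return problems


def statement_of_applicability(register: list[Risk]) -> list[dict]:
    """One SoA row per catalogue control. Assumed rule: a control is applicable when at
    least one risk links it, and the justification cites those risks."""
    rows = []
    for cid, name in CATALOG.items():
        linked = [r.id for r in register if cid in r.controls]
        rows.append({"control": cid, "name": name, "applicable": bool(linked),
                     "justification": "treats " + ", ".join(linked) if linked
                     else "no linked risk; review before excluding"})
    return rows


# Constructed sample register (not real data).
ASSETS = ["Customer database", "CI/CD pipeline", "Laptops", "Office Wi-Fi"]
REGISTER = [
    Risk("R-1", "Customer database", "Unauthorised access via weak credentials", "Access control",
         "DBA lead", likelihood=4, impact=5, controls=["A.5.15", "A.8.5"],
         residual_likelihood=2, residual_impact=5),
    Risk("R-2", "Customer database", "Data loss from storage failure", "Availability",
         "Platform lead", likelihood=2, impact=4, controls=["A.8.13"],
         residual_likelihood=1, residual_impact=4),
    Risk("R-3", "CI/CD pipeline", "Exploitation of unpatched build agent",
         "Vulnerability management", "DevOps lead", likelihood=3, impact=4),
    Risk("R-4", "Laptops", "Theft of an unencrypted laptop", "Physical", "IT manager",
         likelihood=3, impact=3, controls=["A.8.24"]),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.id:4} {r.asset:18} initial={r.initial_score():2} "
              f"current={r.current_score():2} controls={r.controls}")
    print("uncovered:", uncovered_risks(REGISTER))
    print("problems:", validate(REGISTER))
    for row in statement_of_applicability(REGISTER):
        print(row)
```

Two things the output makes visible that a flat spreadsheet hides: R-3 has no control and its current score therefore never drops below its initial score, and the same gap surfaces a second time in the SoA, where A.8.8 (the control that would treat R-3) comes out as "no linked risk" and would be wrongly excluded if the SoA were generated without first closing the traceability gap. The `validate` check also rejects a register in which the residual score exceeds the initial one, a common data-entry error when a risk is re-scored.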

Risk Model template for Information Security Risks

The SoftComply Information Security Risk Manager comes with a ready-made template for the Risk Model, which you can further customise as needed, illustrated below:

As with the other SoftComply Risk Manager apps, you can report the risks in Confluence with the free SoftComply Risk Manager for Confluence app.

The app can be tried out for free for 30 days from the Atlassian Marketplace page.

To learn more about the SoftComply Information Security Risk Manager on Jira Cloud, feel free to schedule a live demo of the SoftComply app or contact SoftComply directly.