
Controls

Controls are the policies, processes, procedures, organizational structures and technical measures that can be selected and implemented to reduce risks to an acceptable level. If Abriska is used to conduct an ISO 27001 assessment, the controls from ISO 27001 Annex A are already included within Abriska.

Every control within Abriska must be allocated to a control group. This allows control sets to be grouped together, e.g. ISO 27001 or the NIST Cyber Security Framework. Controls may also be added from other standards such as NIST and PCI DSS. Note that the NIST Cyber Security Framework and ISO 27001 cover similar control areas; however, one standard may offer more controls in a given area than the other. Other control groups may be ISO 27032 (cyber), ISO 27018 (PII in the cloud) and ISO 27017 (cloud security).

Control Mapping to Threats and Assets

To add a new control, complete the fields in the form provided. All fields must be completed. Remember to click submit on completion.

Control Groups

Control groups are collections of controls. The default group is ISO 27001; selecting a control group shows the control group name and the underpinning maturity model. Additional control groups can be created for extra control sets that are added to Abriska.

See the Video Demonstrations page for a visual guide.

Control Types

Control types allow controls to be grouped into similar areas within a hierarchical structure. For example, the controls within ISO 27001 are structured into a hierarchy:

  • A.5 Organisational controls
    • A.5.1 Policies for information security
  • A.6 People controls
    • A.6.1 Screening
    • A.6.2 Terms and conditions of employment

Each control must be linked to at least one control type to allow it to display within the statement of applicability (this hierarchy is also used to group controls within the supplier module). To link a control to a control type, click on the control type and then select view related controls. Controls from a single control group can only be linked to a single control type.

For more information on using this in practice, please click Control Setup.

Questions

Questions are used within the supplier risk management module to determine the level of control effectiveness for a specific supplier. Additional detail around suppliers is available within the Control Questions for Supplier Due Diligence section.
