Controls
Controls include all policies, processes, procedures, organizational structures and technical measures that can be selected and implemented to reduce risks to an acceptable level. If Abriska is used to conduct an ISO 27001 assessment, the controls within ISO 27001 Annex A are already included in Abriska.
All controls within Abriska need to be allocated to a control group; this allows control sets to be grouped together, e.g. ISO 27001 or the NIST Cyber Security Framework. Controls may be added from other standards such as NIST and PCI DSS. Note that the NIST Cyber Security Framework and ISO 27001 cover similar control areas; however, one standard may offer more controls in a given area than the other. Other control groups may be ISO 27032 (cyber security), ISO 27018 (PII in the cloud) and ISO 27017 (cloud security).
Control Groups
Control groups are collections of controls. The default group is ISO 27001; selecting a control group shows the control group name and the underpinning maturity model. Additional control groups can be created for extra control sets that are added to Abriska. See the Video Demonstrations page for a visual guide.
Control Types
Control types allow controls to be grouped into similar areas within a hierarchical structure. For example, the controls within ISO 27001 are structured into a hierarchy:
- A.5 Organisational controls
  - A.5.1 Policies for information security
- A.6 People controls
  - A.6.1 Screening
  - A.6.2 Terms and conditions of employment
Each control must be linked to at least one control type for it to display within the statement of applicability (this hierarchy is also used to group controls within the supplier module). To link a control to a control type, click on the control type and then select View Related Controls. Controls from a single control group can only be linked to a single control type.
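The following is an added illustration of the control group / control type model described above; it is not Abriska's own code or data model. It models a hierarchy of control types, links each control to a single type, builds a statement of applicability grouped by the hierarchy path, and flags controls that have no control type and would therefore not appear in the statement of applicability. The control references, names and the group label "ISO 27001" in the demo data are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ControlType:
    code: str                      # e.g. "A.5.1"
    name: str
    parent: Optional[str] = None   # parent type code; None for a top-level type


@dataclass(frozen=True)
class Control:
    ref: str
    title: str
    group: str                     # control group, e.g. "ISO 27001"


class ControlRegister:
    """Hypothetical register holding control types, controls and their links."""

    def __init__(self) -> None:
        self.types: dict[str, ControlType] = {}
        self.controls: dict[str, Control] = {}
        self.links: dict[str, str] = {}   # control ref -> its single control type code

    def add_type(self, ct: ControlType) -> None:
        # A child type can only be added once its parent exists in the hierarchy
        if ct.parent is not None and ct.parent not in self.types:
            raise KeyError(f"unknown parent type {ct.parent}")
        self.types[ct.code] = ct

    def add_control(self, c: Control) -> None:
        self.controls[c.ref] = c

    def link(self, ref: str, type_code: str) -> None:
        # Enforce the one-control-type-per-control rule
        if ref not in self.controls or type_code not in self.types:
            raise KeyError("unknown control or control type")
        if ref in self.links and self.links[ref] != type_code:
            raise ValueError(f"control {ref} is already linked to {self.links[ref]}")
        self.links[ref] = type_code

    def path(self, type_code: str) -> list[str]:
        # Walk up the hierarchy to produce e.g. ["A.5", "A.5.1"]
        chain: list[str] = []
        cur: Optional[str] = type_code
        while cur is not None:
            chain.append(cur)
            cur = self.types[cur].parent
        return list(reversed(chain))

    def unlinked(self, group: str) -> list[str]:
        # Controls with no control type will not display in the statement of applicability
        return sorted(r for r, c in self.controls.items()
                      if c.group == group and r not in self.links)

    def statement_of_applicability(self, group: str) -> dict[str, list[str]]:
        # Group linked controls of one control group by their hierarchy path
        soa: dict[str, list[str]] = {}
        for ref, type_code in sorted(self.links.items()):
            if self.controls[ref].group != group:
                continue
            key = " / ".join(self.path(type_code))
            soa.setdefault(key, []).append(ref)
        return soa


def build_demo() -> ControlRegister:
    # Constructed sample data mirroring the hierarchy shown on the page
    reg = ControlRegister()
    for ct in [ControlType("A.5", "Organisational controls"),
               ControlType("A.5.1", "Policies for information security", "A.5"),
               ControlType("A.6", "People controls"),
               ControlType("A.6.1", "Screening", "A.6"),
               ControlType("A.6.2", "Terms and conditions of employment", "A.6")]:
        reg.add_type(ct)
    for c in [Control("5.1", "Policies for information security", "ISO 27001"),
              Control("6.1", "Screening", "ISO 27001"),
              Control("6.2", "Terms and conditions of employment", "ISO 27001")]:
        reg.add_control(c)
    reg.link("5.1", "A.5.1")
    reg.link("6.1", "A.6.1")
    # 6.2 is deliberately left unlinked so the check below reports it
    return reg


if __name__ == "__main__":
    demo = build_demo()
    print(demo.statement_of_applicability("ISO 27001"))
    print("missing from SoA:", demo.unlinked("ISO 27001"))
```

Running `unlinked()` before exporting the statement of applicability is the practical check: any control it returns has not been given a control type and would silently drop out of the SoA.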
For more information on using this in practice, please click Control Setup
Abriska 27001 Background Mapping
Mapping between controls and threats, controls and assets, and threats and assets underpins the risk calculation that Abriska 27001 uses to produce the risk register scores. For details on the mapping between these areas, please see Control Mapping to Threats and Assets.
Other Control Setup
When in a control from the setup page, you may notice additional options if multiple Abriska modules are in use, such as Abriska 19011 and Abriska 27036. These additional options may be:
- 'View Linked Categories' - This is part of Abriska 27036, for assigning controls to different categories and refining questions. See SRM Setup
- 'View Questions' - This is part of Abriska 27036, to determine the level of control effectiveness for a specific supplier. See SRM Setup
- 'Test Scripts' - This is part of Abriska 19011; test scripts can be used as evidence prompts within audits against clauses or controls. See Test Scripts
