
Controls

Controls are the policies, processes, procedures, organisational structures and technical measures that can be selected and implemented to reduce risks to an acceptable level. If Abriska is being used to conduct an ISO 27001 assessment, the controls from ISO 27001 Annex A are already included within Abriska.

Every control within Abriska must be allocated to a control group. This allows a complete control set to be handled as a unit, e.g. ISO 27001 or the NIST Cyber Security Framework.

To add a new control, complete the fields in the form provided. All fields must be completed. Remember to click Submit on completion. Controls may also be added from other standards such as NIST and PCI DSS. Note that NIST Cyber Security Framework v1.1 and ISO 27001 cover broadly the same control areas; however, one standard may offer more controls in a given area than the other. Other possible control groups include ISO 27032 (cyber security), ISO 27018 (PII in public clouds) and ISO 27017 (cloud security).

Control to Threat Linking

Each control that is loaded into Abriska must be related to the threats that it mitigates. This relationship is used within the risk calculation to determine how vulnerable a resource is to a particular threat.

For example, consider the risk of computer viruses and malicious code. Potential controls that could be implemented include anti-virus software and awareness training. If either of these controls is weak, the organisation's resources could be vulnerable to viruses and malicious code.

[Figure: Control to Threat linking screen]

Warning: Changing the control to threat linking will modify the results of the risk assessment.

Control to Asset/Resource Linking

Each control that is loaded into Abriska must also be related to the resources that it protects. This relationship is likewise used within the risk calculation to determine how vulnerable a resource is to a particular threat.

By default all of these relationships are set to true, so every control can potentially reduce the vulnerability of every resource. These settings can be narrowed when an organisation wishes to conduct a very detailed risk assessment of a certain asset type (for example, paper assets), so that only the controls that genuinely protect that asset type are counted.

[Figure: Control to Asset Linking screen]

Warning: Changing the control to resource linking will modify the results of the risk assessment.

Control Groups

Control groups are collections of controls. The default group is ISO 27001. Selecting a control group shows the control group name and the underpinning maturity model. Additional control groups can be created for any extra control sets that are added to Abriska.

See the Video Demonstrations page for a visual guide.

Control Types

Control types allow controls to be grouped into similar areas within a hierarchical structure. For example, the controls within ISO 27001 are structured into a hierarchy:

  • A.5 Information security policies
    • A.5.1 Management direction for information security
  • A.6 Organization of information security
    • A.6.1 Internal organization
    • A.6.2 Mobile devices and teleworking

and so on through the remaining Annex A clauses. Each control must be linked to at least one control type in order to be displayed within the Statement of Applicability (the same hierarchy is also used to group controls within the supplier module). To link a control to a control type, click on the control type and then select View Related Controls. Within a single control group, a control can only be linked to one control type.

For more information on using this in practice, see Control Types Setup.

Questions

Questions are used within the supplier risk management module to determine the level of control effectiveness for a specific supplier. Further detail on suppliers is available in the Questions section.
