We have recently been working hard on the next version of the ISO27001 toolkit, taking into account lots of useful customer feedback, discussion with auditors and our own ideas from using the toolkit and running a certified management system here at CertiKit.
Version 8 is now available and all customers currently within support will receive this update free of charge as part of their subscription.
This update has a heavy emphasis on spreadsheet layout and functionality, with improvements being made to many of the key tools including:
In improving these tools, we have tried to ensure we add useful functionality without introducing undue complication (e.g. we never use macros). Many of the improvements are based around the use of Excel Tables (rather than Ranges), which give more options in look and feel and allow supporting items such as data slicers and auto-updating charts to be included. We have also paid attention to how the tables look when they are printed, with better print layouts and footers.
A new gap assessment has been created which is questionnaire-based and asks a series of questions related to each section of the standard to provide a reasonable understanding of how close your organization is to meeting the standard. It covers not only the ISO27001 standard but also the ISO27017 and ISO27018 codes of practice for cloud. For ISO27017 we have split out the controls relevant to a cloud service customer (CSC) from those relevant to a cloud service provider (CSP) so that, even if you’re not a CSP, you can still get value from it.
The requirements-based gap assessment is still in the toolkit, and has been reformatted along the above lines also.
For those who purchased the Enhanced Gap Assessment Tool we have revamped this too, separating out the ISO27017 CSC and CSP requirements and adding a significant number of new charts to present the assessment results in different ways.
The risk assessment and treatment tool has been reformatted with data slicers and additional charts, and a tool to assess opportunities has been added. Consideration of opportunities is required by the standard; these are effectively “good risks”, i.e. uncertainties which are likely to have a positive rather than a negative effect on the organization.
We have also added a section which gives an example risk for each of the Annex A controls so that you can see where each of the controls might be applicable and as a prompter to identify relevant risks for your assessment.
These two spreadsheet tools have gained a new table layout which can be easily reconfigured using the Excel Table Design ribbon tools, so if you don’t like the standard one we have used, you can change it with a single click. You can also easily add filters, totals, banded columns and, if you’re feeling adventurous, pivot tables and charts.
This required document has been updated to separate out the ISO27017 CSC and CSP and the ISO27018 controls, correct a few errors that were reported and introduce some additional charts. We have also moved the version information to a separate tab and added a definition of some of the terms used on each sheet.
The full ISO text version of the Statement of Applicability provided with the Enhanced Gap Assessment Tool has also been updated along the same lines.
We’ve listened to feedback from some of our customers about our policies and made the language used in some of them stronger, e.g. use of the verb “must” rather than “should”. We have also re-introduced a document with the title Information Security Policy to act as an overarching policy with references to the set of lower-level policies in the ISMS. Previously the approach was that the combination of an ISMS Policy and the set of lower-level policies met the requirements, but in the interests of aligning the toolkit as closely as possible with the standard we decided to rename the ISMS Policy as an ISMS Manual and move some of its contents into the Information Security Policy. For the same reasons we have also renamed the Personal Commitment Statement to Acceptable Use Policy, as we had quite a few support queries telling us that auditors were expecting to see a document with that title.
We’ve added the role of Risk Owner to the Roles, Responsibilities and Authorities document and corrected a few typos and inaccurate references in a number of other documents. Finally, we have updated the Implementation Guide to reflect the changes and added a section about recommended documentation structure for smaller organizations (mainly if they want to reduce the number of documents).
This update is part of our continuous quest to make our toolkits as useful to the customer as we can and we’d like to thank everyone who has contributed to the improvements in this release. Feedback is very important to us so please keep it coming!
The CertiKit Team