Select 'Compliance Analysis' in the navigation bar.
Compliance management is available via the "Compliance analysis" option. The basic list is a list of requirements. As mentioned before, these are actually translated security policies that specify requirements for implementing measures.
Select 'Requirements' - 'Manage Requirements'
After selecting the "manage requirements" option, we have a list of requirements as well as the ability to add new requirements. For presentation purposes the list of requirements is very short, but in real implementation it tends to be extensive.
Select 'Requirements' - 'Requirement Controls'
After selecting the menu item "requirement controls", we assign individual requirements to the products that realize them, i.e. specific measures. Thus, requirements are implemented by measures.
Select 'Compliance Analysis' and select 'Regulations'
Another important catalogue is the list of standards, best practices and legal requirements accessible via the "regulations" option. This list contains the standards and regulations against which we will subsequently examine the degree of compliance. Examples are ISO27001, Decree 362/2018, which specifies the requirements of the Cybersecurity Act, or Decree 179/2020, which specifies security measures under the Public Administration IT Act. PCI-DSS, GDPR or any other standard, norm or decree can be added to this list.
Select 'Compliance analysis' - 'ISO27001 - Clauses'
In the system, the clauses of the standards and decrees are loaded as catalogues and are displayed by selecting the name of the standard and then the "clauses" menu item.
The next step in the compliance analysis is to map the individual clauses of the standards and decrees to the organization's security policies: a clause of the standard is selected from the list and assigned a security policy that interprets its requirements. This is done for each clause in the standard. In effect, this performs a gap analysis against a specific standard or piece of legislation: it identifies areas that are not yet covered by corporate security documentation, i.e. for which there is no policy.
Select 'Compliance analysis' - 'ISO27001' - 'SOA view'
Once the corporate security documentation has been mapped to the relevant clauses of the required standard, it is possible to generate a statement of applicability and also evaluate the level of compliance with the requirements of the standard. The report shows which clauses are not covered by any corporate policy and also shows to what extent specific security measures are implemented on our assets. This ensures full visibility and greatly facilitates the process of providing evidence in the event of audits.
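As an added example (not part of the original page or of the tool it describes), the following Python sketches the structure behind the mapping and the SoA evaluation described above: clauses mapped to policies, policies carrying requirements that are implemented by controls, a gap list of clauses with no policy behind them, and a per-clause share of implemented measures. All class names, clause ids and sample policies are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed sample model of the structure the walkthrough describes:
# regulation clauses are mapped to security policies, policies hold
# requirements, and requirements are implemented by controls (measures).
@dataclass
class Control:
    name: str
    implemented: bool

@dataclass
class Requirement:
    name: str
    controls: list = field(default_factory=list)

@dataclass
class Policy:
    name: str
    requirements: list = field(default_factory=list)

def soa_report(clauses, clause_to_policies, policies):
    """One row per clause: mapped policies, a gap flag when no policy
    interprets the clause, and the share of implemented controls."""
    rows = []
    for clause in clauses:
        names = clause_to_policies.get(clause, [])
        controls = [c for p in names for r in policies[p].requirements for c in r.controls]
        done = sum(1 for c in controls if c.implemented)
        rows.append({"clause": clause, "policies": names, "gap": not names,
                     "implemented": done / len(controls) if controls else 0.0})
    return rows

def gaps(report):
    """Clauses with no policy behind them: the gap analysis result."""
    return [row["clause"] for row in report if row["gap"]]
def compliance_rate(report):
    """Share of clauses that are covered by a policy and fully implemented."""
    full = [r for r in report if not r["gap"] and r["implemented"] == 1.0]
    return len(full) / len(report) if report else 0.0

# Constructed data with placeholder clause ids (not real standard text).
POLICIES = {
    "Access Control Policy": Policy("Access Control Policy", [
        Requirement("Unique user accounts", [Control("IAM provisioning", True)]),
        Requirement("MFA for administrators", [Control("MFA on admin accounts", False)])]),
    "Logging Policy": Policy("Logging Policy", [
        Requirement("Central log collection", [Control("SIEM forwarding", True)])])}
CLAUSES = ["CL-1", "CL-2", "CL-3"]
MAPPING = {"CL-1": ["Access Control Policy"], "CL-2": ["Logging Policy"]}
REPORT = soa_report(CLAUSES, MAPPING, POLICIES)
```

In this constructed data, CL-3 has no mapped policy and appears in the gap list, while CL-1 is covered but only half of its measures are implemented.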