Use Office 365 and SharePoint Online to create an application to manage your ISMS

Overview

Implementing an Information Security Management System (ISMS) is the best way to take a risk-based approach to managing information security risks, including cyber security risks. It is mandated within many industries including Government, Finance and Insurance. Typically, an ISMS will be based on an international security standard such as ISO 27001:2013, PCI DSS or NIST Frameworks (or a combination of these). While it can support compliance initiatives, it can also help organizations identify areas of weakness, improve processes and awareness and communicate to management the important of sufficient funding and resources in this area.

 Traditionally, an ISMS will involve creating a large suite of documentation including:

·       Security policies, standards and procedures

·       Risk assessment templates

·       Risk assessment reports and findings

·       Risk register

·       Asset register

·       ISMS Scope

·       Statement of Applicability

·       Management reporting templates

·       Security awareness training materials

·       Security calendars of tasks and activities

·       Disaster Recovery Plan

·       Meeting minutes

·       Evidence for audit and assurance

·       Security champions lists

Managing all this documentation comes with its own challenges and overheads, including version management issues. Typically, there are two types of companies:

1.     Companies with folders of dozens, if not hundreds, of Word documents, Excel documents and PowerPoint presentations

2.     Companies who invested heavily in customized software to manage the ISMS. This software can be expensive and is typically only affordable for the large banks or ASX top 200 top companies 

The benefits of option 2 over option 1 here are:

·       Single location for project visibility

·       Collaboration

·       Version control maintained

·       Central document repository

·       Draft policy and assessment templates

·       Automation in risk assessment processes

·       Automation in risk assessment results populating management reporting

·       Time tracking and team management integration

·       Access management and security

Each of these benefits can now be realized by simply using some of the newer features of Office 365.  In this blog we are going to run through how you can achieve each of these benefits by using the following O365 components:

1.     Powerapps

2.     Forms

3.     SharePoint Online (Lists and Libraries)

4.     SharePoint Online (Intranet and web pages)

5.     Teams

6.     Planner

7.     Power BI

8.     Flow

Enjoy, and if you have any questions please feel free to reach out to us.

1.     PowerApps

PowerApps, which is included with a standard Office 365 license, is the ideal app to use to create the front end for your application. Below is an example of a PowerApps front end with links created to each of the other sections of the application:

Blog1.jpg

2.     Forms

Each of the security policies you create as part of your ISMS will have separate sections which more than likely have separate owners within the business, e.g. a Vulnerability Management Policy could have a section on Patching, Security scanning, Penetration Testing etc.

An easy was to assess your organization against the controls outlined in each of these sections is by using Microsoft Forms.

Blog2.jpg

You simply email the forms to the right contacts and ask for a response within a certain timeframe:

Blog3.jpg

3.     Flow

When the results of the assessment against your defined policy come back via Microsoft Forms you can then either download the files via Microsoft excel and connect to Power BI using Flow or else connect Forms directly to Flow. The reason you want to connect this data is to automate management reporting following the risk assessments.

The following screenshots show the responses from Forms as well as the connectors to use within Flow:

Blog4.jpg
Blog5.jpg

4.     Power BI

Power Bis is generally used for reporting. It is the perfect place to create dashboards and charts to show your management how your ISMS is progressing. The automation that can be achieved by connecting risk assessments directly to your reporting dashboards can save valuable time and effort.

Blog6.jpg

5.     SharePoint lists and apps

SharePoint lists and apps can be used for various documents that you need as part of your ISMS. They are great for the following:

·       Asset Register

Blog7.jpg

·       Risk Register

Blog8.jpg

·       Statement of Applicability

Blog9.jpg

6.     SharePoint libraries (including document libraries)

SharePoint document libraries will be used to store files and documents created for the ISMS. Files can be checked in and out for the purposes of version control. The screenshots below show three SharePoint document libraries. These contain:

·       Security Standard

·       Critical documentation such as the ISMS Scope

·       Vendor Management Documentation  

Security Standards

Blog10.jpg

Critical ISMS documentation

Blog11.jpg

 

Vendor Management

Blog12.jpg


7.     SharePoint Web Pages

SharePoint Web Pages are typically used for creating Intranets and are the perfect place to tell your staff about all thing’s information security related. Whether it is letting your staff know how to notify the IT department when they receive phishing emails, where your policy is located or how to use multi-factor authentication, SharePoint Web Pages are the perfect landing point for this.

Blog13.jpg

8.     Teams

Teams is a great place for collaboration. Your security team can chat, share files, calendar items and setup video meetings with the rest of the business in here.

Blog14.jpg

9.     Planner

Planner is the ideal app to manage the hundreds of security related tasks and activities that need to be completed by your security team, the IT department and the wider business.

Blog15.jpg