Mar 13, 2014

ISO27k Toolkit

On the toolkit theme, I have just updated the FREE ISO27k Toolkit over at ISO27001security.com with an Excel workbook used to track progress on implementing the ISO/IEC 27001 and 27002 standards.

Thanks mostly to Ed Hodgson, the gap analysis/SoA workbook in the ISO27k Toolkit has been updated for the 2013 releases of the standards.

The new version has two main spreadsheets:
  1. The first sheet is used to check and track progress towards implementing an ISMS complying with all the mandatory front parts of ISO/IEC 27001:2013 - mandatory, that is, if you intend to get your ISMS certified.  I made a few little wording changes and editorial decisions in this section, so if you use this for certification purposes, please double-check against the requirements formally specified in the standard and don't rely entirely on the spreadsheet!  The spreadsheet is not definitive.  The standard rules.
  2. The second sheet covers the discretionary parts, namely the controls listed briefly in Annex A of '27001 and explained in more depth in ISO/IEC 27002:2013 plus any controls that you add or change on the list, for example additional legal, regulatory or contractual obligations, or ISO 22301, NIST SP800s or whatever.  Don't be afraid to adapt the list of controls!  '27001 Annex A and '27002 are intended to be 'reasonably comprehensive' starting points, laying out a decent set of good security practices, but your information security risks and hence control requirements are unique to you. 

For both parts, you simply select the relevant colour-coded status indicator from a drop-down list on each item, and record brief notes to explain the situation.  The status levels are adapted from Carnegie Mellon's Capability Maturity Model, showing progress from not-implemented-at-all (bright red) up to fully-implemented-working-and-auditable (dark green), plus grey options for "? unknown" (i.e. status not yet checked) and "Not applicable".

A third metrics spreadsheet simply counts the number of items at each status level in each of the two main sheets, and draws a pair of pretty pie charts showing the proportions ... 

These very simple metrics clearly indicate progress towards a compliant, working, provable ISMS managing a reasonably comprehensive suite of information security controls, as both pies gradually go dark green.  [Pies going green is usually a bad sign, but in this particular case dark green pies are tasty  :-)]   Actually, in Excel, it is easy to generate whatever format charts you like, line graphs showing the trends month-by-month for instance. That's left as an exercise for the reader.
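The counting that the metrics sheet does is simple enough to reproduce outside Excel, which is handy if the tracker is ever exported to CSV or you want the month-by-month trend the post leaves as an exercise. The script below is an added example written for this post, not part of the ISO27k Toolkit workbook. It assumes a CSV export with `date`, `sheet`, `item` and `status` columns (constructed sample data inline), and it assumes a six-level CMM-style status scale with the names shown; the post describes the scale only by its colours, so those level names are an assumption. It enforces the drop-down list (any status outside it is rejected), counts items per status level for each sheet and snapshot, computes the pie-chart proportions, and reports the share of applicable, checked items that are fully implemented at each snapshot, which is the "both pies going dark green" figure as a trend line.

```python
"""Compliance-status metrics for an ISO27k-style gap-analysis / SoA tracker.

Added example (not the Toolkit's own code). Models the two tracker sheets as
rows of a CSV export, validates each status against the drop-down values,
counts items per status, and derives per-snapshot progress figures.
"""
import csv
import io
from collections import Counter

# Assumed status scale, red (index 0) to dark green (index 5), adapted from
# the CMM-style levels the tracker uses; the two grey values sit outside it.
STATUS_LEVELS = [
    "Not implemented",
    "Initial",
    "Repeatable",
    "Defined",
    "Managed",
    "Fully implemented",
]
GREY = {"? unknown", "Not applicable"}
ALLOWED = set(STATUS_LEVELS) | GREY
FULLY = STATUS_LEVELS[-1]

# Constructed sample export: two monthly snapshots of both sheets.
SAMPLE_CSV = """date,sheet,item,status
2014-01-31,ISMS,4.1 Context of the organization,Defined
2014-01-31,ISMS,4.2 Interested parties,Not implemented
2014-01-31,ISMS,6.1.2 Risk assessment process,Initial
2014-01-31,ISMS,9.2 Internal audit,? unknown
2014-01-31,Annex A,A.5.1.1 Policies for information security,Fully implemented
2014-01-31,Annex A,A.9.2.1 User registration and de-registration,Managed
2014-01-31,Annex A,A.11.1.1 Physical security perimeter,Not applicable
2014-01-31,Annex A,A.12.6.1 Management of technical vulnerabilities,Not implemented
2014-02-28,ISMS,4.1 Context of the organization,Fully implemented
2014-02-28,ISMS,4.2 Interested parties,Defined
2014-02-28,ISMS,6.1.2 Risk assessment process,Repeatable
2014-02-28,ISMS,9.2 Internal audit,Not implemented
2014-02-28,Annex A,A.5.1.1 Policies for information security,Fully implemented
2014-02-28,Annex A,A.9.2.1 User registration and de-registration,Fully implemented
2014-02-28,Annex A,A.11.1.1 Physical security perimeter,Not applicable
2014-02-28,Annex A,A.12.6.1 Management of technical vulnerabilities,Initial
"""


def load_rows(csv_text):
    """Parse the export, enforcing the drop-down list like the workbook does."""
    rows = []
    # Data starts on line 2 of the CSV; line 1 is the header.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        status = row["status"].strip()
        if status not in ALLOWED:
            raise ValueError(f"line {lineno}: {status!r} is not a drop-down status value")
        row["status"] = status
        rows.append(row)
    return rows


def count_by_status(rows, sheet, snapshot):
    """Number of items at each status level for one sheet on one date."""
    return Counter(r["status"] for r in rows
                   if r["sheet"] == sheet and r["date"] == snapshot)


def proportions(counts):
    """Pie-chart slices: fraction of all items (grey included) per status."""
    total = sum(counts.values())
    return {status: n / total for status, n in counts.items()} if total else {}


def compliance_share(counts):
    """Fraction of applicable, checked items that are fully implemented.

    '? unknown' and 'Not applicable' items are left out of the denominator, so
    unchecked items neither inflate nor hide progress.
    """
    applicable = sum(n for status, n in counts.items() if status not in GREY)
    return counts.get(FULLY, 0) / applicable if applicable else 0.0


def trend(rows, sheet):
    """(date, compliance share) per snapshot, oldest first: the line-graph series."""
    snapshots = sorted({r["date"] for r in rows if r["sheet"] == sheet})
    return [(d, compliance_share(count_by_status(rows, sheet, d))) for d in snapshots]


if __name__ == "__main__":
    data = load_rows(SAMPLE_CSV)
    for sheet_name in ("ISMS", "Annex A"):
        for snapshot_date, share in trend(data, sheet_name):
            print(f"{snapshot_date} {sheet_name:8s} fully implemented: {share:.0%}")
```

Excluding the grey statuses from the denominator is the one design decision worth noting: a sheet full of "? unknown" rows would otherwise look either terrible or, if you counted unknowns as implemented, falsely reassuring. Keeping the unknown count visible alongside the percentage is the honest reading of where an implementation stands.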

As with all the ISO27k Toolkit items, it is provided free under a Creative Commons license that allows you to use and adapt it as much as you want for your own purposes, and to share it under the same terms (but not to sell it!). 

I take full responsibility for any errors in the spreadsheets.  If/when you find any errors, please let me know.  My Excel skills are rudimentary: I'm sure an Excel wizard would be able to come up with a sexier version, with better error-checking, better usability, more easily extendable, and perhaps more functional.  If you do improve it, please share it back for the benefit of the whole user community.