erisk helps you manage information security and data protection
Flexibility in configuration and adjustment to ISO standards.
Security, automation and the ability to develop the tool.
Chmura Krajowa is today the most specialized provider of cloud computing solutions on the Polish market. The company’s goal is to accelerate the digital transformation of Polish enterprises and public institutions. Digitization increases the pace of development, lowers operating costs and provides tools that allow enterprises to innovate flexibly, adapting products and services to rapidly changing market expectations. For an organization to be able to operate in this way, it needs a well-prepared and effectively conducted digital transformation.
Cloud computing is an essential element of this process, as more and more modern technologies are developed exclusively in the cloud environment. The cloud closely ties expenses to the resources actually used. It provides scalability, increases the reliability and security of the IT environment. It supports the use of agile methodologies and enables the automation of repetitive processes. The use of a cloud-native approach, in which agile applications and systems are developed from scratch in the cloud, accelerates the implementation of new projects and the process of continuous improvement of already implemented solutions.
The aim of the project was to implement and certify an information security management system compliant with the requirements of the ISO 27001 standard. For the client, it was important to fully automate processes and ensure maximum security, as the tool was to support the area of personal data protection. The solution was to be advanced enough to enable business impact analysis (BIA), development of the minimum acceptable configuration (MAC), business continuity risk management, as well as reporting in accordance with the requirements of ISO 27001, ISO 27017, ISO 27018 and the CSA CCM standard. In addition, the client wanted the ability to freely improve the existing processes, which gave priority to the tool’s full flexibility, enabling the introduction of necessary changes in the future. All these requirements were met by erisk.
The project was implemented in the period December 2019 – January 2020 and was divided into several stages, including implementation in individual areas (information security, business continuity, personal data protection). It was crucial to carry out the work in such a way as not to violate the previously implemented methodologies and not to pose a threat to the collected data.
We handed over the license
We provided the software in the form of an annual access license to the erisk tool. Thanks to the application in the SaaS model, the client reduced the costs necessary to install, maintain, update and ensure the required security.
We prepared test and production environments
In accordance with the best practices regarding information security, we launched two work environments: a test one for database design, configuration work, tests and training, and a production one, in which the first iteration of the information security risk management process was carried out.
We developed an implementation concept
We analyzed the methodologies used for information security risk analysis, risk register and the structure of roles and responsibilities. On this basis, we developed the main assumptions for the structure of forms and permissions in erisk. Thanks to the active cooperation of working teams, we refined the structure of the database, which fully met the needs of the organization.
We conducted workshops
We divided the training into two groups: for content administrators and for risk owners. We presented the functions of the tool that directly related to the daily work of erisk users. The workshop form enabled the participants to get to know the tool in practice and practice the implementation of tasks as part of the risk management process on their own.
We configured the tool according to ISO 27001
The next step was the configuration and implementation of data into erisk software in the field of information security management standard (ISO 27001). We prepared forms, scripts, prompts, reports and libraries, including a library of control/security measures. An innovative feature here was the assessment mode, which allows you to fill in the data in the risk treatment plan form depending on the type of procedure selected (risk minimization, risk acceptance, risk avoidance, risk transfer). Importantly, the applied solution gives a great deal of freedom in developing the use of the tool in the future by implementing other management areas.
After the forms in the database were fully configured, we proceeded to configure user roles and grant authorizations in accordance with the established structure, and to implement data on the security risk of information collected in the risk register. At the end, we conducted acceptance tests in accordance with the established scenarios – the test ended with a positive result.
We configured the tool in accordance with ISO 22301 and GDPR
In the next step, we looked at business continuity management solutions. Thanks to this, we detected a gap that indicated the need to create dedicated forms for conducting systematic BIA and business continuity risk analysis, including control measures and risk management plans. As part of the GDPR area, we implemented a register of processing activities, the DPIA analysis process and the risk management process. We put emphasis on the greatest possible consistency and uniformity with the areas of information security and business continuity in the approach to building risk management forms while maintaining the necessary individuality.
We provided technical assistance
As part of the service, we activated a support access account, thanks to which the client gained technical assistance during implementation work and after the project was completed. As part of the additional assistance lasting a year from the launch of erisk, we performed additional configuration services and prepared the necessary reports, including a risk map and a CSA CCM report.
Information security risk management in accordance with ISO 27001
Information security risk management in accordance with ISO 27005
Risk analysis in accordance with GDPR
Business Continuity Management in accordance with ISO 22301
Requirements of CSA CCM
Security management and generation of the statement of applicability according to ISO 27001, ISO 27017 and ISO 27018
What did the client gain?
- A dedicated and fully adapted tool in the SaaS cloud model, which can be freely developed and adapted to the changing needs of the organization.
- Comprehensive computerization of processes related to the requirements of ISO 27001, ISO 27017, ISO 27018, ISO 27005, ISO 22301, CSA CCM and GDPR standards.
- Increasing the efficiency of information security risk management and business continuity thanks to automation.
- Reducing the workload of generating reports and data for the purposes of audits, controls, analyses by ensuring quick access to up-to-date and consistent data.