Using the ISO 27001 Control Framework with SimpleRisk

Keep Things Simple

Back in 2005, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) created the ISO/IEC 27001 standard on how to manage information security. Having been revised in 2013, and with yet another update on the horizon, this standard details the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). This standard, along with the much coveted ISO 27001 audit and certification, has become a gold standard the world over for helping organizations make the information assets they hold more secure. As a result, it has become the single most requested framework to use within SimpleRisk.

In an effort to simplify the use of ISO 27001 for our customers, we reached out to ISO to find out what it would take for us to license use of the standard with SimpleRisk. Our ideal goal was to license it across our entire user base, allowing every SimpleRisk user to leverage its controls. Even if that couldn't be accomplished, being able to license it to customers as one of our paid "Extras", and to automatically import these controls upon installation, would go a long way towards making its use more streamlined. After months of pinging ISO, I finally received a response from someone telling me to contact ANSI with my request, since we are a US-based company. We finally connected with someone at ANSI in May 2022 who informed us that they can only license us for use with other US companies. We would have to negotiate deals separately for every other country we do business in, with their standards organizations. Additionally, even if we did all of that, our customers using ISO 27001 would still be required to pay a per-user licensing fee for their use of the standard. While we are still attempting to navigate this path, the distributed nature of these standards organizations and the ISO 27001 licensing model has made it virtually impossible for us to offer it as a service to our customers.

Now, just because we can't provide customers with the actual ISO 27001 controls doesn't mean that ISO 27001 can't be utilized within SimpleRisk. There are essentially two different ways to use ISO 27001 within SimpleRisk, with the second being the path of least resistance, and the preferred path for many reasons:

OPTION #1 - While we would love nothing more than to simply give you a one-click installer for ISO 27001, similar to what we do for many other frameworks, many people don't realize that it is a proprietary framework that must be purchased from a standards organization. Once properly licensed through them, you can either manually enter these controls into SimpleRisk or place them in a spreadsheet and then use our Import-Export Extra to map the columns in the spreadsheet to the fields in SimpleRisk and import them. Unfortunately, this path is complicated by the fact that the ISO 27001 standard is delivered as a PDF document and not in a format that can be easily modified and imported into another platform. With this in mind, while the actual ISO 27001 controls can be used with SimpleRisk, we typically advise customers to go with option #2.

OPTION #2 - Over the last few years, SimpleRisk has developed a strong partnership with an organization called ComplianceForge. These guys have created what they call the Secure Controls Framework (SCF), a freely downloadable spreadsheet which maps roughly 1000 security- and privacy-related controls across 185 different frameworks, with ISO 27001 being one of them. I cover many of the reasons why using a common controls framework is superior in my blog post on The Massive Benefits of Using a Common Control Framework with your GRC Program, so I won't get into the details here, but SimpleRisk has taken this a step further and built the ComplianceForge SCF into our platform as a freely downloadable Extra for all registered SimpleRisk instances. Once downloaded and activated, simply go to the "Configure" menu, followed by "Extras", and select "Yes" in the row for the ComplianceForge SCF Extra. From there, you can select "ISO 27001 v2013" or any other desired framework (NIST, COSO, COBIT, GDPR, etc.) from the disabled list on the left and click the right arrow to add it to the enabled list on the right.

ComplianceForge SCF Frameworks

This will map all of the ComplianceForge SCF controls to the appropriate ISO 27001 controls that essentially say the same thing. You can use this mapping to track and verify compliance against the ISO 27001 standard, with the added benefit of also seeing how these same controls map to the many other frameworks your organization may be required to adhere to. Note that what you get is the SCF control content mapped to ISO 27001 control references, not the licensed ISO 27001 control text itself.

Another major benefit of utilizing the ComplianceForge SCF, especially if your organization is just getting started on security, is that SimpleRisk resells the ComplianceForge Digital Security Program (DSP), a series of documents providing the policies, guidelines, standards and control objectives around the SCF, as well as the Cybersecurity Standardized Operating Procedures (CSOP), the recommended operating procedures for the SCF controls.  At all of $10,500 for the bundle, it's an extremely cost-effective way to jump start your security program.

If you'd like to experience for yourself how ISO 27001 works within SimpleRisk and the Secure Controls Framework (SCF), consider signing up for our free 30-day trial. We look forward to working with you!
