
Control Maturity Overview

Abriska User Guide Subject: Abriska User Guide Author: Matt Thomas Document Type: User Guide Page: 8 of 14 Authorised by: Martin Jones Effective Date: March 2011 Version: 1.0 Next Review: September 2011 INTERNAL USE ONLY

3.0 Conducting a CMA

3.1 Assessing controls against the “root” division

Controls are assessed against any division within the organisation's hierarchy. If a division has been assessed, the control is shown as either green or tan; if the control is not assessed at this level, it is indicated with a grey button. This allows different areas of the organisation to have different levels of control maturity. For example, Figure 3 - Division control maturity assessment shows a demo organisation in which the overall organisation has been assessed but the Support division has specific controls of its own (for example, additional controls around screening).

Figure 3 - Division control maturity assessment

3.1.1 Non-applicable controls

All controls that have been set up within the organisation are defaulted in and are applicable to this division; however, some of the controls may not be applicable to a specific division or organisation. These can be excluded from the assessment, and any justification given will appear on the Statement of Applicability.

3.2 Assessing controls against an “inherited” division

3.2.1 Control Inheritance

For each of the sub-divisions the option is given either to inherit the control maturity or to specify it at this level. This can be used when a specific sub-division requires a control to be implemented to a far higher level.

Control Status Indicator          Description
Inherited                         The maturity of this control is assessed at a divisional level higher than this division; therefore the maturity does not need to be assessed here.
Inherited Not Applicable          This control is not applicable at a divisional level higher than this division, so it is not applicable at this division either.
Assessed at this division level   The maturity of this control needs to be assessed at this division.
Not applicable at this level      This control is not applicable at this level (regardless of how this control has been assessed at other levels).

3.3 Assigning Control Owners

Applicable controls can be assigned an owner. This allows an individual contact within Abriska who has been granted the “Basic User” role to log on and assess the maturity of that control. Controls can either be assigned an owner individually (by clicking on each control shown in Figure 4 - Applicable Control) or multiple controls can be assigned to a single contact via “Assign Control Owners”.

3.4 Assigning other contacts to a control

Only a single contact can be defined as the control owner; however, additional contacts can be granted access to answer maturity questionnaires by clicking on the control within the control applicability, then clicking “Assign Contacts to Control”. This allows a basic user to assess this control without changing the control owner.

3.5 Control Status & Third Party

For each control the option exists to record the current implementation status of this control; the three values available by default are “Fully”, “Partially” or “None”. The reason for this is that while undertaking certification to ISO 27001 a control, such as 7.2.1 Classification guidelines, may be well documented within the management system but not fully implemented within the organisation (for example, documents might exist that do not carry a classification). This drop-down allows that status to be recorded, and it is reported on the Statement of Applicability. The “Transferred to 3rd Party” flag allows the control to be recorded as being implemented by a third party.
Figure 4 - Applicable Control

3.6 Control Maturity

Multiple tabs exist on the control maturity page; all tabs can be completed before submitting the page.

3.6.1 Current Implementation

Each applicable control needs to be assessed against the predefined maturity model. This should be completed by the control owner for that division and can either be completed by interview or assigned to that individual. Navigation between controls is achieved by clicking on the forward / back navigation in the top right.

Figure 5 - Assessing control maturity

3.6.2 Recommended Improvement

Each control should be described and the maturity level for that control assigned within the Current Implementation tab. The Recommended Improvement tab can then be completed with a recommendation for how that control can be improved and a proposed maturity for that control should the recommendation be implemented. There is also the opportunity to enter a proposed date for the recommendation. Figure 5 - Assessing control maturity shows the screen where the control maturity is assessed. This recommendation will then be linked through to a related risk to ensure that the highest-priority areas are addressed first.

Note: For controls where no recommendation is applicable, a statement should be added that states how the control should be maintained and reviewed; the recommended maturity should also be set to the same level as the current maturity.

This allows Abriska to calculate an expected risk score once the

3.6.3 Documents

There is also a tab within the maturity screen to link to related documents such as policies, procedures or documents that contain evidence. This allows the related documents to be loaded alongside the descriptions of how the control is currently implemented. These document lists will also appear in the “Extended Statement of Applicability” and the “Risk Treatment Plan”.

Note: Due to the security settings within the browser, local links to resources such as file:/ will not open directly. To open these links, either the browser security setting can be modified or the links can be copied and pasted. Relaxing the browser security setting weakens protection for every site the browser visits, so copying and pasting the link is the preferable option.