Information Security Risk Management

Stay informed and in control
Identify, mitigate and manage risks to your organisation's data, systems and activities. InfoSaaS allows you to stay in control of your threats and vulnerabilities through an effective risk management approach, intuitive workflows and real-time reporting and escalations. Our risk management framework meets the requirements of the international standard ISO27005 and currently supports the ISO27001 certifications of hundreds of organisations across the world.
“Customers using InfoSaaS to manage their information security risks typically identify up to 50% more areas requiring their urgent attention than conventional, non-quantitative approaches”.

How InfoSaaS helps ...
Policy and Approach

ISO27001 requires organisations to assess and treat their information security risks. There needs to be a documented approach to how these activities are delivered, which is communicated to stakeholders.
InfoSaaS promotes its trusted risk management methodology. This is communicated through the Information Security Policy and Implementation Manual templates which are part of our Document Packs.
Assets, Threats and Vulnerabilities

An effective ISMS needs to identify all of your information assets and the supporting assets they depend on, which may include premises, hardware, software, cloud services and media (amongst others).
InfoSaaS provides a comprehensive set of asset-based risk assessment templates, containing a wide variety of applicable threats and vulnerabilities which have been tailored to the risks of each asset type.
Everything is completely customisable to meet your organisation’s individual needs quickly and easily.
Completion of Risk Assessments

InfoSaaS delivers an intuitive and easy to use asset risk assessment solution. It allows the quantitative assessment of a focused set of threats and vulnerabilities that could have negative consequences for an asset.
The probability and impact of each risk are scored against defined scales, giving the asset owner a way to identify the security controls already in place and to measure their effectiveness.
Remediating Identified Risks

A thorough risk assessment will highlight the risks that have been assessed as too high for your organisation to accept.
ISO27001 requires that these risks are treated. InfoSaaS provides workflow options that guide your chosen risk treatment activities.
Examples of unacceptable risks and the various options for how they can be treated can be viewed within our InfoSaaS demonstration environment.
Statement of Applicability

ISO27001 requires the production of a Statement of Applicability (SoA) to record which security controls have been selected to treat risks, and why.
Producing the SoA has traditionally been a manual and time-consuming process; InfoSaaS generates it automatically, in real time, from your completed risk assessment activities.
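The chain described above (scoring probability and impact, flagging risks above the acceptance threshold, recording a treatment decision, and deriving the SoA from the controls those decisions select) can be made concrete with a small model. The example below is added here for illustration and is not InfoSaaS code; the 5x5 ordinal scales, the acceptance threshold of 12, the treatment checks and the five-control excerpt of Annex A are assumptions, and the risk register is constructed sample data.

```python
"""Worked example: score asset-based risks, flag those above the acceptance
threshold, check the treatment decisions, and derive a Statement of
Applicability. Illustrative model added to the page, not InfoSaaS code; the
5x5 scales, the threshold of 12 and the control excerpt are assumptions."""
from dataclasses import dataclass

# Assumed ordinal scales (1-5). A real programme defines these in its risk policy.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 12  # assumption: scores above this must be treated

# Assumed excerpt of ISO27001:2013 Annex A, with abbreviated titles.
ANNEX_A = {
    "A.9.4.3": "Password management system",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.2.7": "Secure disposal or re-use of equipment",
    "A.12.2.1": "Controls against malware",
    "A.12.3.1": "Information backup",
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: str = "mitigate"  # mitigate | accept | avoid | transfer
    controls: tuple = ()         # Annex A IDs selected to treat this risk

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def acceptable(self) -> bool:
        return self.score() <= ACCEPTANCE_THRESHOLD


def unacceptable_risks(risks):
    """Risks scored above the threshold, highest first: the treatment queue."""
    return sorted((r for r in risks if not r.acceptable()), key=Risk.score, reverse=True)


def treatment_gaps(risks):
    """Checks to run before sign-off: an unacceptable risk marked 'mitigate' with
    no controls assigned, or marked 'accept' without a recorded approval step."""
    gaps = []
    for r in unacceptable_risks(risks):
        if r.treatment == "mitigate" and not r.controls:
            gaps.append(f"{r.asset}: mitigate selected but no controls assigned")
        elif r.treatment == "accept":
            gaps.append(f"{r.asset}: score {r.score()} accepted above threshold, record approval")
    return gaps


def statement_of_applicability(risks, catalogue=ANNEX_A):
    """Derive the SoA: a control is applicable when at least one risk selected it,
    and the selecting risks are its justification. A control no risk selected is
    NOT auto-excluded; an exclusion still needs its own written justification."""
    soa = {}
    for cid, title in catalogue.items():
        selected_by = [f"{r.asset} / {r.threat}" for r in risks if cid in r.controls]
        soa[cid] = {
            "title": title,
            "applicable": bool(selected_by),
            "justification": "; ".join(selected_by) if selected_by
            else "not selected by any assessed risk; exclusion needs documented justification",
        }
    return soa


# Constructed sample register (illustrative values, not real assessment data).
SAMPLE_RISKS = [
    Risk("Customer database", "ransomware", "unpatched servers", "likely", "severe",
         "mitigate", ("A.12.2.1", "A.12.3.1")),
    Risk("Laptop fleet", "theft", "unencrypted disks", "likely", "major",
         "mitigate", ("A.10.1.1",)),
    Risk("Backup media", "loss in transit", "tapes unencrypted", "likely", "major",
         "mitigate", ()),
    Risk("HR system", "credential stuffing", "weak passwords", "likely", "moderate",
         "accept", ()),
    Risk("Office printer", "paper theft", "unattended output", "rare", "minor",
         "accept", ()),
]

if __name__ == "__main__":
    for r in unacceptable_risks(SAMPLE_RISKS):
        print(f"{r.score():>2}  {r.asset}: {r.threat} via {r.vulnerability} -> {r.treatment}")
    for gap in treatment_gaps(SAMPLE_RISKS):
        print("GAP:", gap)
    for cid, row in statement_of_applicability(SAMPLE_RISKS).items():
        state = "applicable" if row["applicable"] else "not selected"
        print(cid, state, "-", row["justification"])
```

Two points a practitioner will want to keep from this: the "HR system" risk lands exactly on the threshold and is therefore accepted, so the choice of threshold and of whether it is inclusive deserves to be written into the policy; and the "Backup media" risk is above threshold with a mitigation decision but no controls, which the gap check surfaces before the SoA is signed off.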
Alternative Control Frameworks

By default, InfoSaaS aligns with the control set from Annex A of ISO27001:2013. This provides a broad foundation for your organisation to manage and process information in the modern technical, internet-connected world.
InfoSaaS includes optional control sets aligned with ISO27017 (information security controls for cloud services), ISO27018 (protection of personal data in public cloud environments), ISO27701 (privacy information management) and ISO28001 (security management for the supply chain).
Training

Depending on the size, function or sector of your organisation, risk management activities may seem complex or challenging. Whilst many customers find they can use our software to deliver the appropriate elements of the ISO27001 standard themselves, others may need a helping hand.
We offer workshops, training or shadowing sessions to guide organisations through the whole process. Please contact us to discuss your specific requirements.
Bespoke Development

We recognise that some organisations have specific risk management requirements which are not fully met by our standard cloud-based solution.
You may have unique requirements for risk calculations, or need other operational changes, such as presenting the software in another language. We also offer assistance with incorporating industry-specific or non-standard security control sets.