ISAMM
Product identity card
General information
Basic information to identify the product
Method or tool name : ISAMM
Vendor name : Telindus N.V.
Country of origin : Belgium
Level of reference of the product
Details about the type of initiator of the product
Private sector organisation / association : Yes
Identification
Specify the phases this method supports and a short description
R.A. Method phases supported
-
Risk identification
-
Risk analysis
-
Risk evaluation
R.M. Method phases supported
-
Risk assessment
-
Risk treatment
-
Risk acceptance
-
Risk communication
Brief description of the product
-
ISAMM or ‘Information Security Assessment & Monitoring Method’ is an ISMS supporting risk management method, with supporting tools. It has been designed and continually improved based on Telindus’ more than 20 years experience with thousands of information security – and risk management projects and tens of other risk management methods and tools. It is a quantitative type of risk management methodology where the assessed risks are expressed, through their Annual Loss Expectancy (ALE), in monetary units. ALE being the annual expected loss or cost should a threat or a group of threats being materialised.
Annual Loss Expectancy (ALE) = [probability] x [average impact]
This forms the basis for the Return On Investment (ROI) based approach and the economical justification capabilities of ISAMM with respect to the risk treatment plan. ISAMM allows showing and simulating the reducing effect on the risk ALE for each improvement control and to compare this with its cost of implementation.
ISAMM’s efficiency allows performing sound risk assessment within minimal time and effort. In order to achieve this, most of our information security experience has been incorporated and made available for immediate reuse in each assessment. Telindus has also minimized the required steps in the assessment by using as many direct links to the ISO/IEC 27002 controls as possible. Also maximal support of the ISO/IEC 27001 ISMS standard was considered as a key requirement for ISAMM during its design and development.
The latest evolution in the ISAMM methodology introduces an asset based approach which means it can be used to run risk assessments against an asset or a grouped set of assets.
An ISAMM risk assessment contains 3 main parts: • scoping; • assessment - compliance and threats; • result – calculation and reporting.
Lifecycle
Date of the first edition, date and number of actual version
Date of first release : 2002
Date and identification of the last version : N/A
Useful links
Link for further information
Official web site : http://www.telindus.com
User group web site : N/A
Relevant web site : N/A
Languages
List the available languages that the tool supports
Availability in European languages : English
Price
Specify the price for the method
-
N/A
Scope
Target organisations
Defines the most appropriate type of organisations the product aims at
-
Government, agencies
-
Large companies
- SMEs
-
Commercial CIEs
-
Non commercial CIEs
Specific sector : N/A
Geographical spread
Information concerning the spread of this tool
Used in EU member states : BE, FR, DE, IR, IT, LU, PT, ES, NL, UK
Used in non-EU member states : CN, SE, CH, TH
Level of detail
Specify the target kind of users
-
Management
-
Operational
License and certification scheme
Specify the licensing and certification schemes available for this method
Recognized licensing scheme : No
Existing certification scheme : No
Users viewpoint
Skills needed
Specify the level of skills needed to use and maintain the solution
-
To introduce : Standard
-
To use : Standard
-
To maintain : Standard
Consultancy support
Specify the kind of support available
Consultancy : Telindus consultants
Regulatory compliance
There is a given compliance of the product with international regulations
-
Standard ISAMM verifies compliance with ISO/IEC 27002 but it can be engineered to comply to all kinds of standards, laws and regulations, proprietary policies…
Compliance to IT standards
There is a compliance with a national or international standard
-
Standard ISAMM verifies compliance with ISO/IEC 27002 but it can be engineered to comply to all kinds of standards, laws and regulations, proprietary policies…
Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.
Availability : N/A
Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security
It is possible to measure the I.S.S. maturity level : No
Tools supporting the method
List of tools that support the product
Non commercial tools
-
ISAMM Consultant tool
Commercial tools
-
ISAMM Client tool
Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools
Tools can be integrated with other tools : Export to spreadsheet possible
Organisation processes integration
The method provides interfaces to existing processes within the organisation
Method provides interfaces to other organisational processes : N/A
Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.
Method allows use of sector adapted databases : N/A