ISAMM
Tool Identity Card
General information
Basic information to identify the product
Tool name : ISAMM tool
Vendor name : Telindus N.V.
Country of origin : Belgium
Level of reference of the tool
Details about the coverage or the « originators » of the solution
Coverage : World-wide (sector oriented)
Supported by organization, club,... (e.g. as sponsor) : N/A
Brief description of the product
Give a brief description of the product containing general information, overview of functions…
-
ISAMM or Information Security Assessment and Monitoring Method tool follows the set of controls of best practices in Information Security from the ISO/IEC 27002. An ISAMM risk assessment contains 3 main parts: scoping; assessment; reporting.
Scoping: As required by ISO/IEC 27001, the first step of a risk assessment is to select the relevant pre-defined asset types and to define the most important assets of each of these types. The selected assets must be valuated for replacement -, confidentiality -, integrity - and availability cost. Second step is to select the relevant threats amongst about 15 pre-defined generic threats. Based on these selections, ISAMM will consider the relevant mappings between the chosen asset types and threats in order to generate a number of appropriate threat scenarios. ISAMM will then list all ISO/IEC 27002 controls that could have an effect on these risk scenarios. Optionally the respondent can indicate a mandatory status for a control. One should therefore assess the existence of mandatory company policies and/or legal and regulatory requirements (e.g. FDA, Sarbanes-Oxley, local laws…).
Assessment: In this phase, the respondent has to complete for each relevant ISO/IEC 27002 control the actual compliance level. As an option, the respondent has a number of detailed compliance questions for each of the controls providing additional insights and details about the actual vulnerability level. When not (completely) compliant the respondent has to provide an estimation of the additional yearly cost to become fully compliant. Further questions are prompted in order to define the ‘threat motivation’ and the ‘number of exposure points’ for the threats. Based on this information ISAMM is able to calculate the default threat probability and impact for each of the threat scenarios and to determine the actual risk level for each threat.
Reporting: Using the risk reducing characteristics of each control on each of the threat scenarios, ISAMM is also able to simulate the risk reducing effect of each control improvement and select the most appropriate ones, step by step. In this way an optimal risk treatment plan with resulting residual risk can be derived. After completion of the input and calculations, ISAMM will generate a variety of graphs and tables listing all relevant information.
Supported functionality
Specify the functionality this tool provides.
R.A. Method phases supported
-
Risk identification
-
Risk analysis
- Risk evaluation
Other phases
-
Asset inventory & evaluation : ISAMM is an asset based approach but no configuration management tool
R.M. Method phases supported
-
Risk assessment
-
Risk treatment
-
Risk acceptance
- Risk communication
Other phases
-
N/A
Other functionality
-
N/A
Information processed
-
Security controls : A list of recommended security controls sorted on the basis of their ROSI (Return on Security Investment)
-
Security indicators : Projected security indicators that simulate the effect of the implementation of the security recommendations
-
Evolution of risks : Various graphs that represent the evolution of risks with the realization of security controls
Lifecycle
Date of the first edition, date and number of actual version
Date of first release : 2002 (consultant tool)
Date and identification of the last version : 2008 (self-assessment customer tool)
Useful links
Link for further information
Official web site : http://www.telindus.com
user group web site : N/A
Relevant web site : N/A
Languages
List the available languages that the tool supports
Languages available : English
Pricing and licensing models
Specify the price for the product (as provided by the company on December 2005)
-
N/A
Sectors with free availability or discounted price : N/A
Trial before purchase
Details regarding the evaluation period of the tool
CD or download available : N/A
Identification required : N/A
Trial period : N/A
Tool architecture
Specify the technologies used in this tool
-
N/A
Scope
Target public
Defines the most appropriate type of communities for this tool
-
Information not provided
Specific sector : N/A
Spread
Information concerning the spread of this tool
General information : World-wide in many different organizations
Used inside EU countries : BE, FR, DE, IR, IT, LU, PT, ES, NL, UK
Used outside EU countries : SN, SE, CH, TH
Level of detail
Specify the target kind of people for this tool based on its functionality
Management : Through a build-in generic asset, high level assessments can be conducted
Operational : Through grouping of assets dedicated operational environments can be assessed
Technical : ISAMM can be engineered to support specific technical requirements and specifications
Compliance to IT Standards
List the national or international standard this tool is compliant with
-
ISO/IEC 27002: ISAMM can be engineered to comply with to all kind of standards, laws and regulations, proprietary policies.
Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard
-
N/A
Training
Information about possible training courses for this tool
Course : In house
Users viewpoint
Skills needed
Specify the skills needed to use and maintain the solution
-
To install : Standard
-
To use : Information security and ISO/IEC 27000 series knowledge
-
To maintain : Standard
Tool Support
Specify the kind of support the company provides for this product
Support : Internal by dedicated R&D Team
Organization processes integration
Describe user roles this tool supports
Supported Roles
-
N/A
Intergration in Organization activities
-
N/A
Interoperability with other tools
Specify available interfaces or other ways of integration with other tools
-
Extract of results to MS Excel
Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides
-
N/A
Flexibility of tool's database
Can the database be customized and adapted to client requirements?
- N/A
-
Interoperable EU Risk Management ToolboxThis document presents the EU RM toolbox, a solution proposed by ENISA to address interoperability concerns related to the use of information...
-
Interoperable EU Risk Management FrameworkThis report proposes a methodology for assessing the potential interoperability of risk management (RM) frameworks and methodologies and presents...