TRICK light

Published under Risk Management

Tool Identity Card

General information
Basic information to identify the product

Tool name : TRICK light
Vendor name : itrust consulting s.à r.l.
Country of origin : Luxembourg

Level of reference of the tool
Details about the coverage or the « originators » of the solution

Coverage :

  • World-wide (sector oriented)
  • Regional (e.g. European directive)
  • Local

Supported by organization, club,... (e.g. as sponsor) : CELTIC project BUGYO beyond

Brief description of the product
Give a brief description of the product containing general information, overview of functions:

    TRICK light (Tool for Risk management of an ISMS based on a Central Knowledge base) is a risk assessment & management software tool, developed in the VBA Excel environment. TRICK light enables to determine a list of security measures to implement in order to reduce the impact caused by the occurrence of possible incident scenarios.

    TRICK light is designed based on three core principles:

    • Risk management following the ISO/IEC 27005 standard;
    • “Risk Reduction Factor” (RRF) determination which enables to quantify the influence of security measures on the losses caused by threats to assets;

    Cost-effectiveness of security controls; TRICK light considers the Return On Security Investment (ROSI) and derives a prioritized action plan.

    Supported functionality
    Specify the functionality this tool provides.

    R.A. Method activities supported

    • Risk identification: Following ISO/IEC 27005: Identification of assets, threats, existing security controls, vulnerabilities through identification of missing security in previous item and consequences (List of incident scenarios & their consequences).
    • Risk analysis: Following ISO/IEC 27005: Qualitative & Quantitative estimations supported; Assessment of the consequences; Assessment of the incident likelihood; Determination of the level of risk.
    • Risk evaluation: Following ISO/IEC 27005: Risk prioritization according to risk evaluation criteria in relation to the incident scenarios

    Other phases

    • N/A

    R.M. Method phases supported

    • Risk assessment: Following ISO/IEC 27005: Risk identification; Risk analysis; Risk evaluation
    • Risk treatment: Selection of security controls (either predefined security controls of ISO/IEC 27002 or custom security controls coming from best practices or other sources) based on estimated efforts to make in order to fully implement security controls.
    • Risk acceptance: Risk acceptance possible based on results of TRICK light
    • Risk Communication: Risk communication with the help of charts and summary tables including key indicators for the current risk situation, implementation status of selected security controls and current progress of risk mitigation plan.

    Other phases

    • N/A

    Other functionality

    • Maturity assessment of implemented security measures: Maturity is used by TRICK light in the context of defining a model which expresses the quality of an Information Management System and simultaneously the maturity of the implementation of necessary security measures. The maturity model is based on standards and best practices like ISO 15504 or the Capability Maturity Model Integration (CMMI).

    Information processed

    • Risk treatment plan: Risk treatment plan, sorted by Phase and Return On Security Investment (ROSI).
    • Statement of Applicability: TRICK light provides a documented statement describing the control objectives and controls that are relevant and applicable to the organization’s Information Security Management System.
    • Indicators and management view of security status: Charts showing information on Annual Loss Expectancy by threats and by assets.
    • Management view of implementation phases: Summary tables and diagrams providing information on resources needed during different implementation phases of risk treatment plan and on profitability of security controls.
    • ISO/IEC 27002 Compliance evolution with risk treatment plan: Chart showing compliance evolution with ISO/IEC 27002 after each implementation phase indicated during risk treatment plan establishment

    Date of the first edition, date and number of actual version

    Date of first release : 2009
    Date and identification of the last version : 2012 v1.3

    Useful links
    Link for further information

    Official web site:
    User group web site: N/A
    Relevant web site: N/A

    List the available languages that the tool supports

    Languages available : English, French

    Pricing and licensing models
    Specify the price for the product (as provided by the company on March 2012)

    • Price: License/ Customer - TRICK light is available as an itrust licensed version for customers that want to carry out the ISMS themselves, or as an itrust follow-up product, where itrust covers the technical support according to the product license agreement.
    • Maintenance Fees: N/A
    • Sectors with free availability or discounted price : N/A

    Trial before purchase
    Details regarding the evaluation period of the tool

    CD or download available : On request
    Identification required : Yes
    Trial period : N/A

    Tool architecture
    Specify the technologies used in this tool

    • Database: SQLite - Data input is done over MS Excel worksheets. Data is stored in an sqlite database file.
    • Client: Microsoft Excel - The data input is done via MS Excel sheets

    Page top


    Target organisations
    Defines the most appropriate type of communities for this tool

    • Government, agencies
    • Large scale companies
    • SME
    • Commercial CIEs
    • Non Commercial CIEs

    Specific sector : Applicable to all types of organizations and businesses.

    Information concerning the spread of this tool

    General information : World-wide in many different organizations
    Used inside EU countries : Luxembourg, Belgium
    Used outside EU countries : N/A

    Level of detail
    Specify the target kind of people for this tool based on its functionality

    Management :

    • Chart representing Annual loss expectancy by threat
    • Chart representing Annual loss expectancy by asset
    • Indicator on ISO/IEC 27001 compliance
    • Indicator on ISO/IEC 27002 compliance
    • Indicators on profitability of risk treatment

    Key indicators provide Management with a quick overview on the current risk situation, risk treatment activities and compliance level towards ISO/IEC 27001 & ISO/IEC 27002

    Operational :

    • Risk assessment
    • Risk treatment (Select & plan implementation of security controls)

    Risk Managers or Information Security Officers can use TRICK light to conduct risk assessment & plan risk treatment.

    Technical :

    • Risk treatment action plan

    Use risk treatment action plan to implement security controls.

    Compliance to IT Standards
    List the national or international standard this tool is compliant with

      • ISO/IEC 27001:2005 - TRICK light is compliant to ISO/IEC 27001 requirements on risk assessment and treatment.
      • ISO/IEC 27002:2005 - TRICK light measures compliance level towards ISO/IEC 27002 security controls; Integration of ISO/IEC 27002 security controls as risk mitigation instrument.
      • ISO/IEC 27005:2011 - TRICK light follows guidelines for information security risk management.

        Tool helps towards a certification
        Specify whether the tool helps the company toward a certification according to a standard

          • ISO/IEC 27001

          TRICK light provides:

          • An indication of the current implementation rate of ISO/IEC 27001 security controls.
          • The set-up of an implementation plan (based on implementation phases) to achieve compliance with ISO/IEC 27001 & 27002 security controls.

          Information about possible training courses for this tool

          • Course: Risk Manager
          • Duration: 3 days
          • Skills: General Risk Manager training with illustrations based on TRICK light.
          • Expenses: On request

          Page top

          Users viewpoint

          Skills needed
          Specify the skills needed to use and maintain the solution

          • To install: Basic level (common sense and experience) - User guide available
          • To use: Standard level (some days or weeks of training are sufficient). ISMS 27001 implementer - User guide available
          • To maintain : Standard level (some days or weeks of training are sufficient). ISMS 27001 implementer - User guide available

          Tool Support
          Specify the kind of support the company provides for this product

          Usage Support : Usage support in the context of the Risk assessment mission together with itrust consulting.

          Technical Support: Technical support according to the product license agreement.

          Organization processes integration
          Describe user roles this tool supports

          Supported Roles

          Information Security Management System:

            • Risk assessment & treatment
            • Management key indicators
            • Security controls implementation plan establishment & follow up


              Intergration in Organization activities

              • N/A

              Interoperability with other tools
              Specify available interfaces or other ways of integration with other tools

              • N/A

              Sector adapted knowledge databases supported
              Name and describe the sector adapted databases that this tool provides

              • ISO/IEC 27002 - Security controls of ISO/IEC 27002
              • ISO/IEC 27001 Annex A - Security controls of ISO/IEC 27001 Annex A
              • PSDC - Specific security controls for Digitization or Archiving Service Providers (PSDC)

              Flexibility of tool's database
              Can the database be customized and adapted to client requirements?

              • Security Controls: Easy integration of all kinds of knowledge databases possible; dedicated functionality allows integration of Custom security controls.
              Browse the Topics

              This site uses cookies to offer you a better browsing experience.
              Aside from essential cookies we also use tracking cookies for analytics.
              Find out more on how we use cookies.

              Accept all cookies Accept only essential cookies