Tool Identity Card
Basic information to identify the product
Tool name : TRICK Service
Vendor name : itrust consulting s.à r.l.
Country of origin : Luxembourg
Level of reference of the tool
Details about the coverage or the "originators" of the solution
Coverage : World-wide (sector oriented), Regional, Local
Supported by organization, club,... (e.g. as sponsor):
- Luxembourgish Ministry of the Economy: CELTIC BUGYO Beyond, SGL-Cockpit
- Seventh Framework Programme (FP7): TREsPASS
Brief description of the product
Give a brief description of the product containing general information, overview of functions:
TRICK Service (Tool for Risk management of an ISMS based on a Central Knowledge base) is a risk assessment and management web application for the identification, analysis and estimation of assets, threats, vulnerabilities, risk scenarios and security measures. TRICK Service makes it possible to determine a list of security measures to implement in order to reduce the impact or the likelihood of occurrence of possible risk scenarios.
TRICK Service is designed based on the following core principles:
- Risk management following ISO/IEC 27005;
- Quantitative assessment of likelihood and impact of different risk scenarios;
- “Risk Reduction Factor” (RRF) determination which enables to quantify the influence of security measures on the losses caused by threats to assets;
- Cost-effectiveness of security controls; TRICK Service considers the Return On Security Investment (ROSI) and derives a prioritized action plan.
Specify the functionality this tool provides.
R.A. Method activities supported
Risk identification : Identification of assets, threats, existing security measures, vulnerabilities (through identification of missing security measures) and consequences (list of incident scenarios and their consequences)
Risk analysis : Qualitative and asset-based quantitative risk estimation; assessment of the consequences; assessment of the incident likelihood; determination of the level of risk.
Risk evaluation : Risk prioritization according to risk evaluation criteria in relation to the incident scenarios
R.M. Method phases supported
Risk assessment: Following ISO/IEC 27005: Risk identification; Risk analysis; Risk evaluation.
Risk treatment: Selection of security controls (either the predefined security controls of ISO/IEC 27002 or custom security controls taken from best practices or other sources) based on the estimated effort required to fully implement each control.
Risk acceptance: N/A
Risk Communication: Risk communication with the help of charts and summary tables including key indicators for the current risk situation, implementation status of selected security controls and current progress of risk mitigation plan.
Maturity assessment of implemented security measures: Maturity is used by TRICK Service to define a model which expresses the quality of an Information Security Management System (ISMS) and, at the same time, the security maturity of the implementation of the necessary security measures. The maturity model is based on standards and best practices such as ISO/IEC 15504 or the Capability Maturity Model Integration (CMMI).
- Risk treatment plan: The risk treatment plan contains ISO/IEC 27002 controls, sectorial controls (e.g. ISO/IEC 27019), custom measures, ISMS implementation actions and maturity improvement actions. The risk treatment plan can be sorted by implementation phase and by profitability (Return On Security Investment).
- Statement of Applicability: TRICK Service provides a documented statement describing the control objectives and controls that are relevant and applicable to the organization’s Information Security Management System.
- Indicators and management view of security status: Charts showing information on Annual Loss Expectancy by threats and by assets.
- Management view of implementation phases: Summary tables and diagrams providing information on resources needed during different implementation phases of risk treatment plan and on profitability of security controls.
- ISO/IEC 27002 Compliance evolution with risk treatment plan: Chart showing compliance evolution with ISO/IEC 27002 after each implementation phase indicated during establishment of the risk treatment plan.
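The core principles above (quantitative likelihood and impact, Risk Reduction Factor, ROSI) and the ROSI-sorted treatment plan just listed can be made concrete with a small worked example. The following block is added here as an illustration and is not TRICK Service or itrust consulting code; the scenarios, controls, amounts and RRF values are constructed, the formulas are the textbook ones (ALE = SLE x ARO; ROSI = (risk reduction - control cost) / control cost), and the rule that several RRFs acting on the same scenario combine multiplicatively is an assumption of this example, not a statement about how TRICK Service combines them.

```python
"""Added example: ALE by threat/asset, RRF-based residual risk and a greedy
ROSI-ordered treatment plan. Illustrative only, not TRICK Service code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """One incident scenario: a threat acting on an asset."""
    name: str
    asset: str
    threat: str
    sle: float   # single loss expectancy per incident, EUR (constructed)
    aro: float   # annualised rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A security measure: its annual cost and its RRF per scenario."""
    name: str
    annual_cost: float
    rrf: Dict[str, float]   # scenario name -> fraction of that ALE removed


# Constructed sample data (hypothetical organisation, not from the page).
SCENARIOS = [
    Scenario("S1", "File server", "Ransomware", sle=200_000, aro=0.5),
    Scenario("S2", "Laptops", "Theft", sle=10_000, aro=2.0),
    Scenario("S3", "Customer portal", "Web application compromise",
             sle=150_000, aro=0.25),
]
CONTROLS = [
    Control("Offline backups", 15_000, {"S1": 0.75}),
    Control("Full-disk encryption", 5_000, {"S2": 0.875}),
    Control("WAF and patch programme", 40_000, {"S3": 0.5}),
    Control("Security awareness", 8_000, {"S1": 0.25, "S2": 0.125}),
]


def ale_by(scenarios: List[Scenario], attr: str) -> Dict[str, float]:
    """Sum ALE per threat or per asset (attr is 'threat' or 'asset')."""
    totals: Dict[str, float] = defaultdict(float)
    for s in scenarios:
        totals[getattr(s, attr)] += s.ale
    return dict(totals)


def residual_ale(scenarios: List[Scenario],
                 controls: List[Control]) -> Dict[str, float]:
    """Residual ALE per scenario once the given controls are in place.
    Assumption: independent RRFs on one scenario multiply as (1 - rrf)."""
    out = {}
    for s in scenarios:
        factor = 1.0
        for c in controls:
            r = c.rrf.get(s.name, 0.0)
            if not 0.0 <= r <= 1.0:
                raise ValueError(f"RRF out of range for {c.name}/{s.name}")
            factor *= 1.0 - r
        out[s.name] = s.ale * factor
    return out


def rosi(scenarios: List[Scenario], selected: List[Control],
         candidate: Control) -> float:
    """Marginal ROSI of adding `candidate` on top of already selected controls."""
    before = sum(residual_ale(scenarios, selected).values())
    after = sum(residual_ale(scenarios, selected + [candidate]).values())
    return (before - after - candidate.annual_cost) / candidate.annual_cost


def prioritise(scenarios: List[Scenario],
               controls: List[Control]) -> List[Control]:
    """Greedy treatment plan: repeatedly take the control with the highest
    marginal ROSI and stop as soon as no remaining control pays for itself."""
    selected: List[Control] = []
    remaining = list(controls)
    while remaining:
        best = max(remaining, key=lambda c: rosi(scenarios, selected, c))
        if rosi(scenarios, selected, best) <= 0:
            break
        selected.append(best)
        remaining.remove(best)
    return selected


if __name__ == "__main__":
    print("ALE by threat:", ale_by(SCENARIOS, "threat"))
    print("ALE by asset: ", ale_by(SCENARIOS, "asset"))
    plan = prioritise(SCENARIOS, CONTROLS)
    print("Treatment plan:", [c.name for c in plan])
    print("Residual ALE:", sum(residual_ale(SCENARIOS, plan).values()))
```

Note that the marginal ROSI of a control depends on what has already been selected: the awareness control is profitable on its own, but once offline backups and disk encryption have removed most of the ransomware and theft losses it no longer pays for itself, which is why a plan sorted by profitability has to be recomputed phase by phase rather than ranked once.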
Date of the first edition, date and number of actual version
Date of first release : 2009
Date and identification of the last version : 2015 Version 1.0
Link for further information
Official web site : http://www.itrust.lu
User group web site : N/A
Relevant web site : N/A
List the available languages that the tool supports
Languages available : English, French
Pricing and licensing models
Specify the price for the product (as provided by the company in March 2012)
Price: TRICK Service is available as an itrust licensed version for customers that want to run the ISMS themselves, or as an itrust follow-up product, where itrust provides technical support according to the product license agreement. TRICK Service can be tested for 1 month after registration and signature of a declaration that the user holds a license to use the underlying ISO standards.
- Maintenance: Free
Sectors with free availability or discounted price : N/A
Trial before purchase
Details regarding the evaluation period of the tool
Trial period : On Request
Identification Required: Yes
Trial Period (days): 180
Specify the technologies used in this tool
- Web server: Apache Tomcat (a Java servlet container; it hosts the application itself)
- Application server: N/A (no separate application server; Tomcat serves that role)
Client: Web browser
Defines the most appropriate type of communities for this tool
Large scale companies
Non Commercial CIEs
Cloud Services (SaaS, PaaS, IaaS)
Specific sector : Applicable to all types of organisations and businesses.
Information concerning the spread of this tool
General information : World-wide in many different organizations
Used inside EU countries: Luxembourg, Belgium
Level of detail
Specify the target kind of people for this tool based on its functionality
- Chart representing Annual loss expectancy by threat
- Chart representing Annual loss expectancy by asset
- Indicator on ISO/IEC 27001 compliance
- Indicator on ISO/IEC 27002 compliance
- Indicators on profitability of risk treatment
- Resource planning
Key indicators provide Management with a quick overview on the current risk situation, risk treatment activities and compliance level towards ISO/IEC 27001 & ISO/IEC 27002.
- Risk assessment
- Risk treatment (Select & plan implementation of security controls)
Risk Managers or Information Security Officers can use TRICK Service to conduct risk assessment & plan risk treatment.
- Report generation
- Administration interface for access control & user management
- Central knowledge base for management of used standards, customers, supported languages and risk profiles
- Import and export of analysis data
Administrators use the TRICK Service management platform to manage access rights to risk analyses and a wide variety of platform management features such as report generation and the creation of a new risk analysis based on a previous one.
Compliance to IT Standards
List the national or international standard this tool is compliant with
ISO/IEC 27001: TRICK Service is compliant with the ISO/IEC 27001 requirements on risk assessment and treatment.
ISO/IEC 27002: TRICK Service measures the compliance level towards ISO/IEC 27002 security controls and uses ISO/IEC 27002 security controls as a risk mitigation instrument.
ISO/IEC 27005: TRICK Service follows the ISO/IEC 27005 guidelines for information security risk management.
Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard
ISO/IEC 27001: TRICK Service provides: an indication of the current implementation rate of ISO/IEC 27001 security controls and the set-up of an implementation plan (based on implementation phases) to achieve compliance with ISO/IEC 27001 & 27002 security controls.
ISO/IEC TR 27019: TRICK Service provides: an indication of the current implementation rate of ISO/IEC TR 27019 security controls and the set-up of an implementation plan (based on implementation phases) to achieve compliance with ISO/IEC TR 27019 security controls.
Information about possible training courses for this tool
- Course : Risk Manager
- Duration : 3 days
- Skills: General Risk Manager training with illustrations based on TRICK Service
- Expenses :On request
Specify the skills needed to use and maintain the solution
To install :
-Basic level (common sense and experience).
-User guide available
To use :
-Standard level (some days of training are sufficient)
-ISMS 27001 implementer
-User guide available
To maintain :
- Standard level (some days or weeks of training are sufficient)
- User guide available
Specify the kind of support the company provides for this product
Usage Support : Usage support in the context of the Risk assessment mission together with itrust consulting
Technical Support: Technical support according to the product license agreement.
Organization processes integration
Describe user roles this tool supports
Information Security Management System
- Risk assessment & treatment
- Management key indicators
- Security controls implementation plan establishment & follow up
Integration in Organization activities
Interoperability with other tools
Specify available interfaces or other ways of integration with other tools
Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides
ISO/IEC 27001 Annex A : Security requirements of ISO/IEC 27001
- ISO/IEC 27002: Security controls of ISO/IEC 27002
- ISO/IEC 27019: Security controls of ISO/IEC 27019
- IEC 62443-2-1: Security controls of IEC 62443-2-1
- PSDC: Specific security controls for Digitisation or Archiving Service Providers (PSDC)
Flexibility of tool's database
Can the database be customized and adapted to client requirements?
Security Controls: Easy integration of all kinds of knowledge databases possible; dedicated functionality allows integration of security controls.