Tool Identity Card
Basic information to identify the product
Tool name : TRICK light
Vendor name : itrust consulting s.à r.l.
Country of origin : Luxembourg
Level of reference of the tool
Details about the coverage or the "originators" of the solution
- World-wide (sector oriented)
- Regional (e.g. European directive)
Supported by organization, club,... (e.g. as sponsor) : CELTIC project BUGYO beyond
Brief description of the product
Give a brief description of the product containing general information, overview of functions:
TRICK light (Tool for Risk management of an ISMS based on a Central Knowledge base) is a risk assessment and management software tool developed in the VBA Excel environment. TRICK light enables the user to determine a list of security measures to implement in order to reduce the impact caused by the occurrence of possible incident scenarios.
TRICK light is designed based on three core principles:
- Risk management following the ISO/IEC 27005 standard;
- "Risk Reduction Factor" (RRF) determination, which quantifies the influence of security measures on the losses caused by threats to assets;
- Cost-effectiveness of security controls: TRICK light considers the Return On Security Investment (ROSI) and derives a prioritized action plan.
Specify the functionality this tool provides.
R.A. Method activities supported
Risk identification: Following ISO/IEC 27005: Identification of assets, threats, existing security controls, vulnerabilities (identified as security controls missing from the previous item) and consequences (list of incident scenarios and their consequences).
Risk analysis: Following ISO/IEC 27005: Qualitative & Quantitative estimations supported; Assessment of the consequences; Assessment of the incident likelihood; Determination of the level of risk.
Risk evaluation: Following ISO/IEC 27005: Risk prioritization according to risk evaluation criteria in relation to the incident scenarios.
R.M. Method phases supported
Risk assessment: Following ISO/IEC 27005: Risk identification; Risk analysis; Risk evaluation
Risk treatment: Selection of security controls (either predefined security controls of ISO/IEC 27002 or custom security controls coming from best practices or other sources) based on the estimated effort needed to fully implement each security control.
Risk acceptance: Risk acceptance possible based on results of TRICK light
Risk Communication: Risk communication with the help of charts and summary tables including key indicators for the current risk situation, implementation status of selected security controls and current progress of risk mitigation plan.
Maturity assessment of implemented security measures: Maturity is used by TRICK light in the context of defining a model which expresses the quality of an Information Management System and simultaneously the maturity of the implementation of necessary security measures. The maturity model is based on standards and best practices like ISO 15504 or the Capability Maturity Model Integration (CMMI).
Risk treatment plan: Risk treatment plan, sorted by Phase and Return On Security Investment (ROSI).
Statement of Applicability: TRICK light provides a documented statement describing the control objectives and controls that are relevant and applicable to the organization’s Information Security Management System.
Indicators and management view of security status: Charts showing information on Annual Loss Expectancy by threats and by assets.
- Management view of implementation phases: Summary tables and diagrams providing information on resources needed during different implementation phases of risk treatment plan and on profitability of security controls.
- ISO/IEC 27002 compliance evolution with risk treatment plan: Chart showing the evolution of compliance with ISO/IEC 27002 after each implementation phase defined during risk treatment plan establishment.
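The core principles above (RRF, ROSI, a plan sorted by phase and ROSI) and the ALE charts by threat and by asset can be illustrated with a small calculation. This is an added example, not TRICK light's own code or formulas: it assumes the textbook definitions ALE = SLE x ARO, a per-scenario RRF as the fraction of ALE a control removes, and ROSI = (risk reduction - control cost) / control cost, with constructed sample figures.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    """Incident scenario: a threat acting on an asset (ISO/IEC 27005 style)."""
    asset: str
    threat: str
    sle: float   # single loss expectancy, EUR per occurrence (constructed)
    aro: float   # annual rate of occurrence (constructed)

    def ale(self) -> float:
        """Annual Loss Expectancy, assumed here as SLE x ARO."""
        return self.sle * self.aro

@dataclass
class Control:
    """Security control with its implementation phase and annualised cost."""
    name: str
    phase: int
    cost: float
    # Assumed RRF model: (asset, threat) -> fraction of that scenario's ALE removed
    rrf: dict

def ale_by(scenarios, key: str) -> dict:
    """Aggregate ALE per 'asset' or per 'threat' (the two charts on the page)."""
    totals: dict = {}
    for s in scenarios:
        totals[getattr(s, key)] = totals.get(getattr(s, key), 0.0) + s.ale()
    return totals

def risk_reduction(control: Control, scenarios) -> float:
    """Annual loss avoided by one control, summed over the scenarios it affects."""
    return sum(s.ale() * control.rrf.get((s.asset, s.threat), 0.0) for s in scenarios)

def rosi(control: Control, scenarios) -> float:
    """Return On Security Investment; negative means the control costs more than it saves."""
    return (risk_reduction(control, scenarios) - control.cost) / control.cost

def treatment_plan(controls, scenarios) -> list:
    """Risk treatment plan: by phase, then most profitable control first."""
    return sorted(controls, key=lambda c: (c.phase, -rosi(c, scenarios)))

# Constructed sample data (not from any real assessment).
SCENARIOS = [
    Scenario("customer DB", "malware", 50_000, 0.5),        # ALE 25,000
    Scenario("customer DB", "insider misuse", 80_000, 0.1), # ALE 8,000
    Scenario("web server", "malware", 20_000, 1.0),         # ALE 20,000
]
CONTROLS = [
    Control("antivirus", 1, 5_000, {("customer DB", "malware"): 0.6, ("web server", "malware"): 0.6}),
    Control("access review", 1, 2_000, {("customer DB", "insider misuse"): 0.5}),
    Control("network segmentation", 2, 10_000, {("customer DB", "malware"): 0.3, ("web server", "malware"): 0.3}),
    Control("DLP", 1, 12_000, {("customer DB", "insider misuse"): 0.8}),
]
```

Run `treatment_plan(CONTROLS, SCENARIOS)` to see that the DLP control, whose ROSI is negative, drops to the end of phase 1 while the cheaper access review ranks above it.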
Date of the first edition, date and number of actual version
Date of first release : 2009
Date and identification of the last version : 2012 v1.3
Link for further information
Official web site: http://www.itrust.lu
User group web site: N/A
Relevant web site: N/A
List the available languages that the tool supports
Languages available : English, French
Pricing and licensing models
Specify the price for the product (as provided by the company on March 2012)
Price: License/Customer - TRICK light is available as an itrust licensed version for customers that want to carry out the ISMS themselves, or as an itrust follow-up product, where itrust covers the technical support according to the product license agreement.
- Maintenance Fees: N/A
- Sectors with free availability or discounted price : N/A
Trial before purchase
Details regarding the evaluation period of the tool
CD or download available : On request
Identification required : Yes
Trial period : N/A
Specify the technologies used in this tool
Database: SQLite - Data input is done via MS Excel worksheets; data is stored in an SQLite database file.
Client: Microsoft Excel - Data input is done via MS Excel sheets.
Defines the most appropriate type of communities for this tool
Large scale companies
Non Commercial CIEs
Specific sector : Applicable to all types of organizations and businesses.
Information concerning the spread of this tool
General information : World-wide in many different organizations
Used inside EU countries : Luxembourg, Belgium
Used outside EU countries : N/A
Level of detail
Specify the target kind of people for this tool based on its functionality
- Chart representing Annual loss expectancy by threat
- Chart representing Annual loss expectancy by asset
- Indicator on ISO/IEC 27001 compliance
- Indicator on ISO/IEC 27002 compliance
- Indicators on profitability of risk treatment
Key indicators provide Management with a quick overview on the current risk situation, risk treatment activities and compliance level towards ISO/IEC 27001 & ISO/IEC 27002
- Risk assessment
- Risk treatment (Select & plan implementation of security controls)
Risk Managers or Information Security Officers can use TRICK light to conduct risk assessment & plan risk treatment.
- Risk treatment action plan
Use risk treatment action plan to implement security controls.
Compliance to IT Standards
List the national or international standard this tool is compliant with
ISO/IEC 27001:2005 - TRICK light is compliant with the ISO/IEC 27001 requirements on risk assessment and treatment.
ISO/IEC 27002:2005 - TRICK light measures the compliance level towards ISO/IEC 27002 security controls and integrates ISO/IEC 27002 security controls as a risk mitigation instrument.
ISO/IEC 27005:2011 - TRICK light follows its guidelines for information security risk management.
Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard
- ISO/IEC 27001
TRICK light provides:
- An indication of the current implementation rate of ISO/IEC 27001 security controls.
- The set-up of an implementation plan (based on implementation phases) to achieve compliance with ISO/IEC 27001 & 27002 security controls.
Information about possible training courses for this tool
- Course: Risk Manager
- Duration: 3 days
- Skills: General Risk Manager training with illustrations based on TRICK light.
- Expenses: On request
Specify the skills needed to use and maintain the solution
To install : Basic level (common sense and experience) - User guide available
To use : Standard level (some days or weeks of training are sufficient); ISMS 27001 implementer - User guide available
To maintain : Standard level (some days or weeks of training are sufficient); ISMS 27001 implementer - User guide available
Specify the kind of support the company provides for this product
Usage Support : Usage support in the context of the Risk assessment mission together with itrust consulting.
Technical Support: Technical support according to the product license agreement.
Organization processes integration
Describe user roles this tool supports
Information Security Management System:
- Risk assessment & treatment
- Management key indicators
- Security controls implementation plan establishment & follow up
Integration in Organization activities
Interoperability with other tools
Specify available interfaces or other ways of integration with other tools
Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides
- ISO/IEC 27002 - Security controls of ISO/IEC 27002
- ISO/IEC 27001 Annex A - Security controls of ISO/IEC 27001 Annex A
- PSDC - Specific security controls for Digitization or Archiving Service Providers (PSDC)
Flexibility of tool's database
Can the database be customized and adapted to client requirements?
Security Controls: Easy integration of all kinds of knowledge databases is possible; a dedicated functionality allows integration of custom security controls.