DORA, ISO, NIST, Etc

In this quick guide, we will review each ISO 27001:2022 requirement and describe in which ways eramba can help you. We will skip items that are in nature technical, for example, backups or encryption.

4.1 Understanding the organization and its context

• Under Program / Program Issues you can describe the "External" and "Internal" challenges your organisation faces.

4.2 Understanding the needs and expectations of interested parties

• This is typically written as part of the Security Policies or a ad-hoc document describing the organisation.
• Look for our free GRC templates, you might find a good template policy for this requirement.

4.3 Determining the scope of the information security management system

• Under Program / Scope you can define the scope of your ISO program.
• This is very important as it defines how "wide" your program will be and will later play a role when you define your Risk program and the Organisation / Business Units in Eramba.

5.1 Leadership and commitment

5.2 Policy

• Look for our free GRC templates, you might find a good template policy for this requirement.
• You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

5.3 Organizational roles, responsibilities and authorities

• Under Program / Team Roles you can describe the roles and the responsibilities they have on your ISMS. Alternatively, you can write a document and upload it on the Policy module.

6.1 Actions to address risks and opportunities

6.1.2 Information security risk assessment

• You will be using the Risk module to document and keep reviewed with the use of notifications your Risks. These Risks will be based on Assets, Third Parties and Business Units.
• If you are unsure how to classify Risks, use our basic classification and matrix settings, they will keep things simple and fully compatible with ISO.
• You can create questionnaires (or use our templates) and using our Online Assessment module, you can send them to the different departments in your organisation to collect the information you need to identify Risks.

6.1.3 Information security risk treatment

• You will use our Internal Control and Policies module when you are mitigating Risks, and our Exception and Project module for all other treatment options.
• Your statement of applicability will be produced in the Compliance Analysis module
• If you need to exclude requirements you might want to use Compliance Exceptions

6.2 Information security objectives and planning to achieve them

• Under Program / Goals you can describe your objectives and link them to Policies, Internal Controls, Risks, Etc.
• Your Goals can be regularly reviewed (monitored) using the built-in audit function.

7.2 Competence

• We typically recommend using a Skill Matrix or a document template where we document what people work and what training they have and will receive.
• Look for our free GRC templates, you might find a good template policy for this requirement.
• You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

7.3 Awareness

• You will be using our Awareness Program to distribute your policies in the form of videos or text.

7.4 Communication

• Look for our free GRC templates, you might find a good template policy for this requirement.
• You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

7.5.2 Creating and updating and 7.5.3 Control of documented information

• You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

8.1 Operational planning and control

• The Internal Control module is the place where all your controls (activities) will be documented and regularly audited by the use of notifications.

8.2 Information security risk assessment and 8.3 Information security risk treatment

• Same as 6.1.2-3

9.1 Monitoring, measurement, analysis and evaluation

• The Internal Control module will help you define for each Internal Control the testing methodology, frequency, evidence collection, accountability, etc.

9.2 Internal audit

• The audit policy will most likely be a document, look at our free GRC templates, you might find a good template policy for this requirement.
• The outcomes of your internal audit will be documented at eramba's Compliance Analysis Findings module.

9.3 Management review, 9.3.2 Management review inputs and 9.3.3 Management review results

• The "committe" agenda will most likely be a document, look at our free GRC templates, you might find a good template policy for this requirement.

10.2 Nonconformity and corrective action

• The Project module is used in eramba to track down things that do not work well or things that do not exist and should exist.