DORA, ISO, NIST, Etc

Guides related to Compliance

  • Episodes: 3
  • Duration: 18m 2s
  • Languages: EN
Episode 3

ISO 27002 Compliance

How eramba can help you with ISO 27002 requirements

In this quick guide, we will review each ISO 27002:2022 requirement and describe in which ways eramba can help you.

NOTE: mitigating some requirements calls for a "technical" implementation that is outside the scope of eramba. For those, you can use our GRC Template database, which is packed with Internal Control and Policy templates you can draw on for inspiration.

5.1 Policies for information security

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

5.2 Information security roles and responsibilities

  • When using eramba every item created on the system (Policies, Internal Controls, Risks, etc) must be assigned to people and departments. In this way, we define and enforce accountability.
  • You can also use the Awareness module to publish and distribute awareness material to every department and the people who work there.
  • Those involved in managing security can be documented under Program / Team Roles.

5.3 Segregation of duties

  • Technical Control/Policy - see note at the top.

5.4 Management responsibilities

  • Assuming management is capable of sponsoring the security program, the Awareness module can again be used to publish and distribute awareness material to every department and the people who work there.

5.5 Contact with authorities, 5.6 Contact with special interest groups

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

5.7 Threat intelligence

  • Technical Control/Policy - see note at the top.

5.8 Information security in project management

  • Risks identified on new projects can be documented using the Risk module.
  • You can also document organisational projects in eramba's built-in Project Module.

5.10 Acceptable use of information and other associated assets

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • You can use the Awareness module to publish and distribute awareness material to every department and the people who work there.

5.11 Return of assets

  • Technical Control/Policy - see note at the top.
  • You can use the Awareness module to publish and distribute awareness material to every department and the people who work there.

5.12 Classification of information

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • You can use the Awareness module to publish and distribute awareness material to every department and the people who work there.
  • While creating assets in eramba's Asset module, you can classify them according to your preferred classification criteria.

5.13 Labelling of information, 5.14 Information transfer

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • You can use the Awareness module to publish and distribute awareness material to every department and the people who work there.

5.15 Access control, 5.16 Identity management, 5.17 Authentication information, 5.18 Access rights

  • Technical Control/Policy - see note at the top.
  • You can use the Automated Account Review module in eramba that helps you automatically review access permissions on systems.
  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

5.19 Information security in supplier relationships, 5.20 Addressing information security within supplier agreements, 5.21 Managing information security in the ICT supply chain

5.23 Information security for use of cloud services

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • You can use the Risk module to document risks associated with the use of cloud services.
  • Technical Control/Policy - see note at the top.

5.24 Information security incident management planning and preparation, 5.25 Assessment and decision on information security events, 5.26 Response to information security incidents, 5.27 Learning from information security incidents, 5.28 Collection of evidence

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • You will most likely end up using the Incident module to record and manage your incidents. As part of the policy for incident management, you will need to define "stages" which all your incidents must go through.
  • Technical Control/Policy - see note at the top.

5.29 Information security during disruption, 5.30 ICT readiness for business continuity

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • You can use the Business Continuity module to develop and test continuity plans.
  • You can use the Risk module to document the outcome of your BIA.

5.31 Legal, statutory, regulatory and contractual requirements

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Once you identify a legal, regulatory or contractual framework you wish to keep tight compliance with, you can use the Compliance module to track it.

5.32 Intellectual property rights

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

5.33 Protection of records, 5.34 Privacy and protection of PII

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Technical Control/Policy - see note at the top.

5.35 Independent review of information security

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • This requires an audit team which is independent from the team that manages security in the company.

5.36 Compliance with policies, rules and standards for information security

5.37 Documented operating procedures

  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • You can use the built-in Policy Portal to make those documents available to everyone.

6.1 Screening, 6.2 Terms and conditions of employment

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Technical Control/Policy - see note at the top.

6.3 Information security awareness, education and training

  • You can use the Awareness module to publish and distribute awareness material to every department and the people who work there.

6.4 Disciplinary process

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • You might want to use Policy Exceptions to document policy violations.

6.5 Responsibilities after termination or change of employment

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Technical Control/Policy - see note at the top.
  • You may also want to look at the Account Review module, which helps you review accounts on systems by comparing them to the organisation roster.

6.6 Confidentiality or non-disclosure agreements

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.

6.7 Remote working

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Technical Control/Policy - see note at the top.

6.8 Information security event reporting

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Technical Control/Policy - see note at the top.

7.x Physical controls

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Technical Control/Policy - see note at the top.

8.x Technological controls

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Technical Control/Policy - see note at the top.

8.2 Privileged access rights, 8.3 Information access restriction, 8.4 Access to source code

  • Look for our free GRC templates, you might find a good template policy for this requirement.
  • You will use the Policy module to store all your policies in eramba and with the use of notifications you will keep them regularly reviewed.
  • Technical Control/Policy - see note at the top.
  • You may also want to look at the Account Review module, which helps you review accounts on systems by comparing them to the organisation roster.
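The comparison described for 6.5 and 8.2 above, an account export reconciled against the HR roster, is easy to prototype before (or alongside) configuring the Account Review module. The following is an added example written for this guide; it is not eramba's code and does not reflect how the Account Review module is implemented. The people, systems, e-mail addresses, dates and the 90-day dormancy threshold are all constructed for the example.

```python
# Added example (not eramba's code): reconcile system account exports against
# the HR roster, the check 6.5 and 8.2 above describe. All names, systems and
# dates below are constructed for the example.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RosterEntry:
    person_id: str
    email: str
    department: str
    terminated_on: Optional[date]  # None while the person is still employed


@dataclass(frozen=True)
class SystemAccount:
    system: str
    username: str
    owner_email: str            # how the account export links back to a person
    privileged: bool
    last_login: Optional[date]  # None if the account has never logged in


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    reason: str  # "orphaned", "leaver" or "dormant-privileged"


# Constructed HR roster (hypothetical people)
ROSTER: List[RosterEntry] = [
    RosterEntry("P001", "alice@example.com", "IT", None),
    RosterEntry("P002", "bob@example.com", "Finance", date(2024, 5, 31)),
    RosterEntry("P003", "carol@example.com", "HR", None),
]

# Constructed account exports from three hypothetical systems
ACCOUNTS: List[SystemAccount] = [
    SystemAccount("erp", "alice", "alice@example.com", True, date(2024, 6, 20)),
    SystemAccount("erp", "bob", "bob@example.com", False, date(2024, 5, 20)),
    SystemAccount("git", "svc-backup", "ops-bot@example.com", True, None),
    SystemAccount("git", "carol", "Carol@Example.com", False, date(2024, 6, 25)),
    SystemAccount("vpn", "alice-admin", "alice@example.com", True, date(2024, 1, 10)),
]

AS_OF = date(2024, 7, 1)  # review date for the constructed data


def review_accounts(roster, accounts, as_of, dormant_days=90):
    """Compare every system account against the roster and return the exceptions.

    - orphaned: the account's owner does not appear on the roster at all
    - leaver: the owner is on the roster but was terminated on or before as_of
    - dormant-privileged: a privileged account with no login within dormant_days
    """
    by_email: Dict[str, RosterEntry] = {r.email.lower(): r for r in roster}
    findings: List[Finding] = []
    for acct in accounts:
        owner = by_email.get(acct.owner_email.lower())  # match case-insensitively
        if owner is None:
            findings.append(Finding(acct.system, acct.username, "orphaned"))
        elif owner.terminated_on is not None and owner.terminated_on <= as_of:
            findings.append(Finding(acct.system, acct.username, "leaver"))
        # Privileged accounts (8.2) get a dormancy check regardless of owner status
        if acct.privileged and (
            acct.last_login is None or (as_of - acct.last_login).days > dormant_days
        ):
            findings.append(Finding(acct.system, acct.username, "dormant-privileged"))
    return findings


def summarize(findings):
    """Count findings per reason, the figure a reviewer signs off on."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed roster and account exports."""
    return review_accounts(ROSTER, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.system:4} {f.username:12} {f.reason}")
    print(summarize(run_review()))
```

On the constructed data the review flags bob's ERP account (terminated 2024-05-31 but still present), the svc-backup account on git (no roster owner, never logged in, privileged) and alice's VPN admin account (privileged, last login 173 days before the review date). Matching on e-mail is only as good as the export: accounts that carry no owner attribute at all show up as orphaned and still need a human to decide whether they are service accounts or leftovers.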