In cybersecurity, information security / IT security, or basic IT protection, Excel is often the tool of choice – generally usable, and guidelines such as ISO 27001 Appendix A can be displayed quickly. But in times of complex and rapidly changing relationships, new global risks and dynamic corporate processes, is Excel still the right control instrument in information security?
Many companies currently use self-developed information security solutions based on Excel or other table management tools. We see ISMS as a central task within GRC systems and rely on highly automated solutions on the TopEase® platform. We are firmly convinced that integrated solutions should not only be used in large corporations but must be introduced in every company that deals with cyber risks, cyber-attacks, digital threat scenarios or generally with the implementation of IT basic protection or ISO 27000. This requires solutions that can be implemented regardless of the company’s size and that scale with the company and its requirements – from startups to large corporations.
We benchmark a generic Excel solution for the implementation of ISO 27001 against our information security management solution in TopEase® based on the following 5 categories:
The information security requirement should be applied to all core processes and their supporting assets. This often creates an m:n relationship between processes and their assets. In addition, the process models are changing ever faster, especially concerning the dynamics in the product landscape, which can significantly impact the protection goals of the individual processes and their assets.
After the initial introduction, the digitization of ISO 27001 and Appendix A, or other industry-specific standards and specifications, the information security system should continue to be used. The Chief Information Security Officer (CISO) creates and analyzes threat scenarios, carries out risk assessments, defines measures and protection concepts, applies for budgets for implementing cybersecurity on a cost/benefit basis, and reports regularly to the management.
The criterion of regulatory compliance in information security describes how simple or complex it is to establish compliance with the respective solution for the CISO and the associated risks that can arise.
The implementation effort is assessed as the initial effort for setting up the information security system for the first time. The expenditure is recorded in technical, financial and personnel expenditure.
In the future, information security will have a stronger role and a higher degree of networking in networked governance, risk and compliance (GRC) systems. Information security risks must be listed in the overall risk report for the company; close networking with process management systems, internal control systems (ICS) and audit solutions simplifies governance and audits.
Individual spreadsheets are often created for each consideration in Excel-based solutions, e.g., examining an individual process and the underlying protection requirements and assets. Individual measures are defined in each worksheet, or the measures are listed in total in a comprehensive worksheet and, for example, branched to the individual sub-worksheets via individual manual assignments.
The complexity of which A) processes have which B) assets with which C) measures cannot be represented and maintained without redundancy.
The linking of risks or the representation of the ISMS risks in graphic form (e.g., a standardized risk matrix) can only be implemented with considerable effort.
The evaluation of the protection goals (confidentiality, integrity, availability) occurs directly in the process. By linking (mapping) the process with the relevant assets, the connection is established at the database level – this means that all connections with processes can also be viewed at the asset level. In addition to the pure ISMS, the link between processes and assets also brings significant advantages concerning business continuity management.
Measures are only recorded once; a measure can be assigned to several assets or risks – there is no need to manually maintain the same measure on various assets as in Excel. The complexity of implementing and tracking measures is also significantly minimized by workflow support.
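The link model described above (processes mapped to assets, each measure stored once and assigned to several assets), sketched as an added example with SQLite junction tables. It is not TopEase® code or its schema; all table names, function names and sample rows are constructed for illustration.

```python
import sqlite3
# Hypothetical schema: junction tables hold the m:n links, so every
# process, asset and measure is stored exactly once.
SCHEMA = """
CREATE TABLE process (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE asset   (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE measure (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                      status TEXT NOT NULL DEFAULT 'open');
CREATE TABLE process_asset (process_id INTEGER REFERENCES process(id),
    asset_id INTEGER REFERENCES asset(id), PRIMARY KEY (process_id, asset_id));
CREATE TABLE asset_measure (asset_id INTEGER REFERENCES asset(id),
    measure_id INTEGER REFERENCES measure(id), PRIMARY KEY (asset_id, measure_id));
"""
# Constructed sample data: (process, asset) and (asset, measure) links.
PROCESS_ASSET = [("Order handling", "ERP server"), ("Order handling", "Customer DB"),
                 ("Invoicing", "ERP server")]
ASSET_MEASURE = [("ERP server", "Encrypted backups"), ("Customer DB", "Encrypted backups"),
                 ("Customer DB", "Access review")]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, names in (("process", {p for p, _ in PROCESS_ASSET}),
                         ("asset", {a for _, a in PROCESS_ASSET}),
                         ("measure", {m for _, m in ASSET_MEASURE})):
        db.executemany(f"INSERT INTO {table}(name) VALUES (?)", [(n,) for n in sorted(names)])
    db.executemany("INSERT INTO process_asset SELECT p.id, a.id FROM process p, asset a "
                   "WHERE p.name = ? AND a.name = ?", PROCESS_ASSET)
    db.executemany("INSERT INTO asset_measure SELECT a.id, m.id FROM asset a, measure m "
                   "WHERE a.name = ? AND m.name = ?", ASSET_MEASURE)
    return db

def processes_for_asset(db, asset):
    # Asset-level view: every process that depends on this asset.
    rows = db.execute("SELECT p.name FROM process p "
                      "JOIN process_asset pa ON pa.process_id = p.id "
                      "JOIN asset a ON a.id = pa.asset_id WHERE a.name = ? ORDER BY p.name",
                      (asset,))
    return [r[0] for r in rows]

def measures_for_process(db, process):
    # Process-level view: measures reached through the process's assets.
    rows = db.execute("SELECT DISTINCT m.name, m.status FROM measure m "
                      "JOIN asset_measure am ON am.measure_id = m.id "
                      "JOIN process_asset pa ON pa.asset_id = am.asset_id "
                      "JOIN process p ON p.id = pa.process_id "
                      "WHERE p.name = ? ORDER BY m.name", (process,))
    return rows.fetchall()

def set_measure_status(db, measure, status):
    # One UPDATE on the single measure row; every linked view reflects it.
    db.execute("UPDATE measure SET status = ? WHERE name = ?", (status, measure))
```

Updating "Encrypted backups" once changes what both processes report, which is the redundancy a per-process worksheet cannot avoid.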
All entries are made manually. Reports can be created using formulas or the macro functionality, with increased initial effort; if the content changes, further adaptation is often possible only with further effort.
TopEase® offers a wide range of automation functionalities to significantly reduce the workload of the CISO and their employees: For example, all necessary controls of ISO 27001 Appendix A can be assigned to the asset based on the asset properties. Questionnaires on regulatory compliance with the requirements can be automatically created and passed on to the respective person responsible via a workflow. In addition, a real-time dashboard offers automated reports. Risk management supports the CISO by recognizing trends so that only the relevant risks are in focus.
In addition to the actual ISMS solution in Excel, other tools are often necessary to establish the necessary compliance: Document management solutions are often used for versioning and maintaining document control. Change histories at field level per user are often impossible; additional software solutions must ensure workflows and approval processes.
TopEase® offers automated information control: All information, such as control assessments or risks, is controlled via four-eyes workflows. The users and user roles are controlled centrally to implement the specifications of the ICS effectively. Automated version comparisons between, e.g., two risk assessments simplify the traceability of changes.
Excel-based solutions often have to be laboriously adapted to the requirements of the company. Since not all the relevant pitfalls are always known during the introduction, the supposedly “simple” project becomes a long-term project with high external costs that exceed the initial budget. The implementation complexity has increased exponentially over the past few years due to the number of cyber risks and new threat scenarios such as the nationwide home office regulation.
TopEase® is delivered as an executable environment – cloud-based or on-premise. Together with the manufacturer, ThiemeBieg & Associates support Business-DNA in the company-specific configuration and recommendations for measures and the development of extensive ISO27001 documentation.
If you wish, you will receive digitized laws and regulations and thus reduce your own effort.
Through our experience in the introduction and management of information security systems, especially in the critical infrastructure sector, you benefit from our best practice approaches in ISMS and thus avoid expensive pitfalls.
Due to the lack of interfaces, spreadsheet-based solutions only have limited interoperability with other systems.
As an integrated GRC (Governance, Risk, Compliance) platform, TopEase® offers complete networking with other TopEase® solutions such as risk management, process management or ICS. In addition, other systems can be connected via state-of-the-art interfaces such as REST, or data from third-party systems (e.g. external process management solutions) can be integrated to use them in the context of information security management. Data export is also available, which is often used to feed financial risk positions into ERP systems such as Microsoft Dynamics or SAP.
Recognizing risks in information security and mitigating them through measures – this supposedly simple task demands integrated systems due to the increasingly complex threats. Cybersecurity and information security must be operated at least on the same technological level as cybercrime.
Due to the increased requirements in the area of ISMS, and thus the time demands on the CISO and their employees, ISMS solutions must contain as much automation as possible: From repetitive activities such as creating reports to complex tasks such as calculating trends in risks, systems like TopEase® can significantly reduce the workload in information security. Thanks to automation and years of use in the critical infrastructure area, standard systems such as TopEase® avoid simple pitfalls when introducing the ISMS solution, reduce the technical and financial implementation effort, and ensure regulatory compliance.
The use of interfaces and cloud integration enables the rapid exchange of information within the company and with software solutions in the interface area of the ISMS, such as business continuity management and business impact analysis.
The networking between processes, risks and assets therefore represents a significant control advantage for companies.