‘opus i ISO 27001’ supports you in creating and maintaining an Information Security Management System based on the ISO 27001:2013  /  27002:2013  and  27005.

Optimize your IT Security Management activities

The ISO 27001 provides you with a lot of liberties in creating an ISMS.
If you use opus i to manage the requirements of the ISO 27001, opus i AUTOMATICALLY provides all necessary controls (plus the safeguards for the controls), all threats and vulnerabilities, the Statement of Applicability and the risk treatment plan.

opus i fully covers the demands of the ISO 27001. Certification according to the ISO 27001 is possible with opus i. With opus i the risk analysis according to the ISO 27005, the risk treatment and the creation of the "Statement of Applicability" (SOA) are also fully supported. If you want to work according to the ISO 27001 and the ISO 27005 natively deep special-knowledge in Information Security (IT security) is needed - especially in the risk analysis according to the ISO 27005. We provide a different approach in opus i. This alternative needs only little specialized knowledge, is significantly faster, more detailed and legal. You can achieve the ISO 27001 certificate as well. The alternative is to implement the risk analysis, the risk treatment and the Statement of Applicability using the IT-Grundschutz (by the “Bundesamt für Sicherheit in der Informationstechnik, BSI”, “the German Federal Office for Information Security Technology”). Here are more details:

ISO/IEC 27001: In 6 steps to the ISMS and the certification

Our aim: to create an ISMS and enable certification without deep specialized knowledge

Step 1: generate the ISO controls
Step 2: include assets
Step 3: generate recommended safeguards
Step 4: risk treatment
Step 5: Statement of Applicability (SOA)
Step 6: policies

Step 1: generate the ISO controls

We generate the ISO controls via a popup menu of the right mouse button. The ISO 27001 controls are generated automatically. The generated "ISO tree" depicts the index of the ISO 27001 and consists of folders as shown in this image. The folders 04 to 10 represent the ISO 27001, the folder "Annex A" contains the ISO 27002.
If we need to view several processes / scopes we create additional "ISO trees".
The controls are within the ISO chapters. By double-clicking the desired control the editing dialog is opened. In it we document how far the demands of this control are implemented by us. If we need to proceed according to the “VDA Information Security Assessment” (VDA-ISA) the questions of the VDA-ISA are answered and saved in the same window.

Step 2: include assets

For opus i to automatically detect the acting threats we enter our assets as an asset domain (image). Our assets are data! Customer data, sales data, personnel data, development data, source codes etc. So that the data can be edited the exemplary shown objects need to be entered: buildings, firewall, network, rooms, computers, servers etc. These objects are also considered as assets. By double-click the editing dialog for every object is opened and the recommended safeguards generated.

Step 3: generate recommended safeguards

opus i generates the recommended IT security safeguards if you tell opus i the properties of the opened object. You only need to select the properties of the object in an object list. opus i now automatically detects the acting risks and shows the recommended safeguards for reducing the probabilities of occurence and the severity of impact.
The risks acting in our asset domain (about 600 risks) (see "image" above) were determined by the German Federal Office for Information Security Technology (BSI) and are deposited in opus i.

Step 4: Risk treatment

For opus i to automaticall generate the risk treatment for the ISO tree we create a risk analysis based primarily on this risk matrix. We "paint it with the mouse" and the respective colors: red, yellow and green.
We classify areas where we do not accept the risks as red, less dramatic areas as yellow and risk areas where we accept the risk as green. We can put this color classification on the "recommended safeguards" and show which safeguards belong to the red not accepted risks. We use the risk matrix for evaluating the risks. This proceeding corresponds to the demands of the ISO 27005! opus i shows all existing risks that may act against our assets (our asset domain) in a table in the editing dialog window. Now we need to consider every risk and classify it for probability of occurence and severity of impact. We recommend to make this classification with the owner of the data (usually that is the head of department or the management), because these persons are responsible and should decide which risks may be accepted or not because depending on the determined risk level the number of safeguards to be implemented is either increased or reduced. As soon as this classification is done opus i can automatically create the risk treatment plan...
opus i automatically creates the risk treatment plan. It is available for further editing in the dialog window - every needed and helpful information is contained. All known risks are considered that may occur in the asset domain. The properties of the assets are used. For every risk the safeguards are shown that fullfil the demands of the single ISO controls. Whenever we implement demanded safeguards or transfer or separate or circumvent the risk we may re-evaluate the probabilities of occurence and/or severities of impact. We edit this plan for every new editing and thus get versioning. We can also view older risk treatments.

Step 5: Statement of Applicability

The "Statement of Applicability" is one of the essential and central demands of the ISO 27001. Thus we need to check every control for applicability. opus i does this task for us and automatically creates the Statement of Applicability via mouse-click. opus i knows the properties of the domain objects and all risks that may arise! If opus i finds existing risks for a control the control is applicable. If opus i does not find existing risks the control is not applicable!

Step 6: Policies

When implementing the demands of the ISO 27001 several policies have to be created.
More than 30 documents - the so-called policies.
The central question is: Which policies are needed and what content is expected?
opus i can help in this topic as well.
opus i creates the necessary policies and fills them with "basic texts" that contain the fundamental demands of the respective topic. These texts are generated dynamically from the properties of the domain objects, so they are not static but based on the properties of our assets (asset domain)!
We need to manually check these texts and remove unnecessary text lines, re-phrase, format as desired - but the important questions: Which documents do we need and what should they contain, is basically answered!


We can create an ISMS without deep specialized knowledge and achieve certification.
We have shown how opus i can help in that.
Thanks for your interest.
opus i by kronsoft.

ISO 27019 ?

We are often asked if opus i supports the ISO 27019. As the existing 27019 references the ISO 27002:2005 and is aged we will wait for the release of the new 27019 to implement it so that you do not have double work. You will be certified according to the 27001. So our clear recommendation is: take care of the requirements of the 27001 and 27002 now. If you edited these well the expected additional work needed for the 27019 is kept at a minimum

Study of CSC: GSTool Alternatives

You can reach us
via email

Software for IT Security Management (Click > Home)

Software for Data Protection, IT Security and Quality Management

Home        Contact     Imprint     German     Russian     中文(简体)    عربي

kronsoft                                                                                       | ReferencesPressAwardsSitemapDownloads  |       Version 20170629

kronsoft - like us on Facebook
kronsoft - follow us onTwitter