eleventh alliance

Software supported ISO27001:2005 certification process

Once in a while I get to sit down and talk to software vendors and distributors about their software offerings. Recently I got the chance to spend some time with Eric Lachapelle, CEO of Veridion, to look through the Proteus™ software application that helps you with your ISO27001:2005 certification. The software comes in 4 sizes: Solo, Professional, SME and Enterprise. The Solo version is used for self-assessment gap analysis, the Professional version is aimed at either an external or an internal consultant, and the SME version is aimed at ASPs (Application Service Providers), which can rent out the application as a hosted subscription service for self-assessments. Finally, the full-blown Enterprise version is targeted at large corporations. I was shown the Enterprise version, which has the following elements: Gap Analysis, Asset Risk Assessment, Centralised Policies and Procedure Management, Incident Management and Protection, Business Impact and Critical Infrastructure Identification, Reporting and Workflow Management, Ownership and Accountability. Proteus is made up of 2 key modules: Compliance (Gap Analysis) and Manager (ISMS). The 3 entry-level licences include both modules, whereas the Enterprise version allows each module to be licensed separately. I will concentrate on the Gap Analysis module.

The origins of the Compliance module date back to February 1995, when it was first demonstrated to the British Standards Institution (BSI) as a new automation tool to support the very first release of BS 7799:1995. The BSI immediately signed up as a distributor and added the BSI company logo to the product – a relationship that remains unique to this day, more than 11 years later. The latest version of Proteus has been completely redeveloped by Information Governance Limited and enhanced over the past 2 years, and is now accessed through a web browser interface. I was concerned that an application holding confidential information was web enabled. Don’t get me wrong here: I can clearly see the benefits of a web-enabled application, but think about it for a minute. It will clearly point out your critical infrastructure, where it is located and how it is protected. If my goal were to bring your corporation to its knees, the data stored in the system would be worth its weight in gold. With that in mind I asked whether there had been any independent third-party security review of the software; according to the vendor, Proteus has been audited by both Vodafone UK and Novartis AG, and both purchased it afterwards.

All versions of Proteus come with the self-assessment questionnaire that helps you understand where your organisation lacks the processes and/or policies needed to be ISO27001 compliant. This can save you a lot of money compared with what a consultant would charge just to ask you the questions. Now you can sit and fill in your current security stance in the comfort of your own office, and once done you can review the report and see where you are not in compliance with the ISO27001 standard. Of course, if you use the Enterprise (Server) licence, the system fully supports assignment and delegation of the questionnaire to the relevant subject matter experts across your organisation. The system incorporates automated workflow management and a ‘dashboard’ graphical display of current status, in addition to a comprehensive set of pre-defined audit reports.

Furthermore, the integrated nature of Proteus enables all the Compliance Controls and associated documentation to be fully integrated with Asset Management, Incident Management, Risk Assessment and Business Impact Analysis as you move forward to the construction of a live Information Security Management System (ISMS).

Even if you don’t plan to get your organisation certified right now, it is good to know where it stands so you know which areas need to be improved upon. The process itself can be very enlightening as well, as you will be required to find out and document which systems are required for business continuity and their respective dependencies on both infrastructure and staff.

I don’t consider the software to be that expensive compared to what it provides you with. The Solo version costs around USD$1100 at the time of writing, and for that you get a day or two (or perhaps even three, if you are really lucky, but that would be stretching it) with a consultant. Don’t get me wrong here: if you are going for ISO27001 certification you will definitely need to hire an auditor to certify your business, but shouldn’t you do what you can first to get your organisation up to speed with the requirements before calling in the auditors or external consultants?

I have not seen any other offerings of similar software, so I cannot comment on whether this particular offering is the best one on the market, but one thing is for sure: this kind of software will really simplify the certification process, and is in my opinion well worth the investment. The software is currently in English, but the Japanese, French and Spanish versions of Proteus should be available by mid-September, followed by the Simplified Chinese, Traditional Chinese and Portuguese versions by mid-October. Finally, the German, Italian and Korean versions of Proteus should be available by mid-January 2007. Apart from that, it runs on the most commonly available systems out there, Microsoft Windows 2000 and Linux, and has very moderate system requirements: the minimum is a Pentium III with 512 MB of RAM, but of course the software will perform better with more resources available to it.

I thank Eric for taking the time to show me the functionality of the Proteus software. If you are a vendor or a reseller of similar software, or any other security-related software for that matter, do feel free to contact me so I can take a look at your offerings as well.
