Unabhängige Kompetenz-Plattform
für Integrierte Sicherheit in der Schweiz.

15.03.2019
von: Fritz von Allmen - UNIC

Using 360inControl

In my role as CISO, Quality Manager and Process Owner it is my job to ensure that our management system is up to date and compliant. Sometimes you get bogged down in details and lose sight of the big picture. That's why it is important to know what needs to be checked without losing the overview.

In general, an internal audit serves as a health check for the company. Are the required business and IT processes implemented and managed? Does it still meet the requirements of the standards and regulations demanded by management? These are questions that need to be clarified. And once gaps or optimization potential is identified, corrective and preventive actions should be initiated and managed.

We have been using 360inControl in our company for several months to improve our management system and maintain certification status. Recently, I used 360inControl to carry out the annual internal audit for the upcoming recertification according to ISO 9001:2015 (Certified Quality Management System). We checked all the requirements of this international standard before the external audit took place in order to ensure that the audit result does not reveal any unpleasant deviation (this would lead to the loss of our certificate).

By reviewing the 60 controls in scope, the tool provided clear guidance and forced me to clearly document findings and evidence. I got a clear picture of where we were fully compliant and where weaknesses were identified.

With little effort, I was able to provide the executive management with a report on the current situation and a clear statement on the conformity of the management system and the necessary work (e.g. improvements) to be done.

In the past, creating reports had taken me hours or even days to collect information from handwritten notes and paste it into a Word document (plus time spent formatting the thing). Now I got a formatted report at the push of a button. This was time-saving and efficient!

After that I was confident that the internal audit for the surveillance audit according to ISO 27001:2013 (Information Security Management System) could be carried out successfully with a minimum of preparation time. The selection of the controls of the planned domains from the Controls Library of 360inControl quickly generated my "Question Catalog". ISO 27001 requires much more detailed audits, scoping takes more time (the appendix alone contains about 115 controls...), selecting from a database was much faster than copying and pasting into a Word document.

I completed the internal audit of our management system checking for compliance with ISO 9001 and 27001 much quicker and with a "quantum-leap" in quality.

During the audit, action items could be recorded directly in the tool and assigned to the responsible persons with the link to the initial audit and control. Hence, by centralizing of the action items, progress can be easily monitored, transparency included.

We passed the external audits for both standards. For me it was a great experience to use 360inControl straight from beginning and to have the assurance and confidence that for the next audit I do not need to start from scratch. All information is stored in 360inControl and can be used for preparation.

To summarize:
"360inControl simply guided me through the process, based on the control library I was able to create an audit, define action items during execution and create the audit report at the push of a button. - It's a tool for practitioners."

UNIC is a proud partner of CISS and distributes 360inControl. Have you become curious? Contact us: info(at)360incontrol.ch


Security-Finder Schweiz: Newsletter