Master students at the FHNW, the University of Applied Sciences and Arts Northwestern Switzerland, have performed a structured end-to-end review of 360inControl®, focusing on the processes of the IT governance framework COBIT.
The student groups were given an exercise to assess COBIT processes in their companies (public limited company, banking, non-profit organization and start-up company).
The following COBIT processes and related sub-processes have been assessed:
- DSS04 Business Continuity
- DSS02 Manage Service Requests and Incidents
- BAI05 Manage Organizational Change Enablement
- APO02 Manage Strategy
The master students worked with relevant roles (CISO, PQM etc.) in the scoped companies and collected their own and the subject matter experts’ feedback.
“The report could be created with all relevant information at the push of a button.”
The students especially liked the extensive control library, which offers a very good starting aid, including the selection of metadata. The control library helped the assessors select the right controls when preparing the assessment. Based on the control content, the assessors had a good foundation for asking the right questions during the interview.
During execution, the team worked simultaneously on the assessment, collecting the responses during the interview. In particular, the preparation of reports was very well received by the student groups. The results were available at the push of a button and specific adjustments could still be made to the report.
The gathered feedback as well as the proposed improvements encourage us to go on with the strategy to provide a lean, easily digitized Governance, Risk and Compliance tool for practitioners. We would like to thank all students and Prof. Dr. Petra Asprion for the fruitful collaboration.
Did you know?
CISS supports universities, NPOs and NGOs with special 360inControl® license agreements.
Have you become curious? Contact us
Fritz von Allmen
CISO, Data Protection Officer, Quality Management and Process Innovation @ UNIC
In my role as CISO, Data Protection Officer, Quality Manager and Process Owner it is my job to ensure that our management system is up to date and compliant. Sometimes you get bogged down in details and lose sight of the big picture. That’s why it is important to know what needs to be checked without losing the overview.
In general, an internal audit serves as a health check for the company. Are the required business and IT processes implemented and managed? Does it still meet the requirements of the standards and regulations demanded by management? These are questions that need to be clarified. And once gaps or optimisation potential is identified, corrective and preventive actions should be initiated and managed.
We have been using 360inControl in our company for several months to improve our management system and maintain certification status. Recently, I used 360inControl to carry out the annual internal audit for the upcoming recertification according to ISO 9001:2015 (Certified Quality Management System). We checked all the requirements of this international standard before the external audit took place in order to ensure that the audit result does not reveal any unpleasant deviation (this would lead to the loss of our certificate).
By reviewing the 60 controls in scope, the tool provided clear guidance and forced me to clearly document findings and evidence. I got a clear picture of where we were fully compliant and where weaknesses were identified.
With little effort, I was able to provide the executive management with a report on the current situation and a clear statement on the conformity of the management system and the necessary work (e.g. improvements) to be done.
In the past, creating reports had taken me hours or even days to collect information from handwritten notes and paste it into a Word document (plus time spent formatting the thing). Now I got a formatted report at the push of a button. This was time-saving and efficient!
After that I was confident that the internal audit for the surveillance audit according to ISO 27001:2013 (Information Security Management System) could be carried out successfully with a minimum of preparation time. The selection of the controls of the planned domains from the Controls Library of 360inControl quickly generated my “Question Catalog”. ISO 27001 requires much more detailed audits and scoping takes more time (the appendix alone contains about 115 controls…); selecting from a database was much faster than copying and pasting into a Word document.
I completed the internal audit of our management system checking for compliance with ISO 9001 and 27001 much quicker and with a “quantum-leap” in quality.
During the audit, action items could be recorded directly in the tool and assigned to the responsible persons with the link to the initial audit and control. Hence, by centralizing the action items, progress can be easily monitored, transparency included.
We passed the external audits for both standards. For me it was a great experience to use 360inControl straight from the beginning and to have the assurance and confidence that for the next audit I do not need to start from scratch. All information is stored in 360inControl and can be used for preparation.
“360inControl simply guided me through the process, based on the control library I was able to create an audit, define action items during execution and create the audit report at the push of a button. – It’s a tool for practitioners.”
UNIC is a proud partner of CISS and distributes 360inControl. Have you become curious? Contact us
Fritz von Allmen