360inControl® – A CISO Experience

Fritz von Allmen
CISO, Data Protection Officer, Quality Management and Process Innovation @ UNIC

In my role as CISO, Data Protection Officer, Quality Manager and Process Owner it is my job to ensure that our management system is up to date and compliant. Sometimes you get bogged down in details and lose sight of the big picture. That’s why it is important to know what needs to be checked without losing the overview.

In general, an internal audit serves as a health check for the company. Are the required business and IT processes implemented and managed? Does it still meet the requirements of the standards and regulations demanded by management? These are questions that need to be clarified. And once gaps or optimisation potential are identified, corrective and preventive actions should be initiated and managed.

We have been using 360inControl in our company for several months to improve our management system and maintain certification status. Recently, I used 360inControl to carry out the annual internal audit for the upcoming recertification according to ISO 9001:2015 (Certified Quality Management System). We checked all the requirements of this international standard before the external audit took place in order to ensure that the audit result does not reveal any unpleasant deviation (this would lead to the loss of our certificate).

By reviewing the 60 controls in scope, the tool provided clear guidance and forced me to clearly document findings and evidence. I got a clear picture of where we were fully compliant and where weaknesses were identified.

With little effort, I was able to provide the executive management with a report on the current situation and a clear statement on the conformity of the management system and the necessary work (e.g. improvements) to be done.

In the past, creating reports had taken me hours or even days to collect information from handwritten notes and paste it into a Word document (plus time spent formatting the thing). Now I got a formatted report at the push of a button. This was time-saving and efficient!

After that I was confident that the internal audit for the surveillance audit according to ISO 27001:2013 (Information Security Management System) could be carried out successfully with a minimum of preparation time. The selection of the controls of the planned domains from the Controls Library of 360inControl quickly generated my “Question Catalog”. ISO 27001 requires much more detailed audits, and scoping takes more time (the appendix alone contains about 115 controls…). Selecting from a database was much faster than copying and pasting into a Word document.

I completed the internal audit of our management system checking for compliance with ISO 9001 and 27001 much quicker and with a “quantum-leap” in quality. 

During the audit, action items could be recorded directly in the tool and assigned to the responsible persons with the link to the initial audit and control. Hence, by centralizing the action items, progress can be easily monitored, transparency included.

We passed the external audits for both standards. For me it was a great experience to use 360inControl straight from the beginning and to have the assurance and confidence that for the next audit I do not need to start from scratch. All information is stored in 360inControl and can be used for preparation.

To summarize

“360inControl simply guided me through the process, based on the control library I was able to create an audit, define action items during execution and create the audit report at the push of a button. – It’s a tool for practitioners.”

UNIC is a proud partner of CISS and distributes 360inControl. Have you become curious? Contact us

Yours sincerely

Fritz von Allmen

360inControl® – A Cyber Security Assessor Experience

We are a Cyber Security Service Partner worldwide and provide services and competencies covering the whole Security Management Lifecycle. Amongst other cyber security key areas, our portfolio includes assessments of our customers’ cyber and information security. My team and I perform assessments of all types, including the comparison of the maturity of an organization versus governance frameworks.

The outcome of such an assessment is a detailed report providing all information related to the assessment and showing the areas of risk.

In the past, we used spreadsheets to prepare and conduct the assessment. The preparation and execution were very time-consuming. In addition, it was also cumbersome to work with several people on spreadsheets, collecting the information for the results and report at the end. The manual work was very extensive.

Today I would like to share our experience using 360inControl for a recently performed customer assessment.

Preparation phase

  • Based on the existing control library of 360inControl we easily put together all the necessary controls for an assessment (ISO 27001 and Security Initial Check). We could easily adjust or add controls wherever needed.
  • It was very easy to assign team members to specific controls and areas.
  • With low effort, I was able to adjust the report template with our company’s Corporate Identity. 

On-site Assessment

  • My team could start immediately with the assessment. The control descriptions (control library) were very helpful, providing examples for test evidence and justification.
  • We could enter all findings and evidence including attachments directly into the tool.
  • We needed to create an interim status report and this was available within seconds.
  • Assessor and reviewer comments were entered directly in the assessment and at the end of the assessment the management response was included.
  • A very intuitive navigation through the controls supports the interactive part of the on-site assessment at the customer’s premises. 


With one click, the report was created. I only had to make some changes, adding methodology description etc. As the report is available as a Microsoft Word™ file all adaptations could be done easily.

My conclusion is

360inControl offers us an enormous increase in efficiency. We can carry out assessments with much less effort and consistent and increased quality. It can be used in a variety of ways, such as what governance processes should be in place, what is relevant for a vendor assessment, what is required in the area of data privacy and much more. We will definitely proceed with using 360inControl for future assessments. The time and resources I am saving compared to the manual work in the past are tremendous. It makes our life much easier.

Andreas Crisante – Senior Cyber Threat Intelligence Advisor

wizlynx group – wizlynxgroup.com