Solution Areas
ISMS and GRC Management

Overview

The solutions from ibi systems GmbH are based on the services and products around the “ibi systems iris Diamond”. The four sides stand for specific solution areas with regard to “Security-Management”, “Governance-Management”, “Risk-Management” and “Compliance-Management”. The solution area “Sustainability-Management” can be seen as comprehensive.

This includes both individual aspects such as audits of outsourced units or information security risk management according to ISO 27001 or ISO 27005, as well as overarching topics such as the integration of IT risks in central corporate risk management.

The activities required from various requirements (BaFin audit, Kritis audit, data protection review, provider and customer audits etc.) can optionally be standardized and summarized. This not only enables significant labor savings, but also results in a significant improvement in follow-up activities (findings, risk assessments and measures, etc.) and in comprehensive reporting.

“The added value of the ibi systems’ solutions, services and products is based on interdisciplinary professional and technical know-how in the areas of ISMS and GRC.”

Dr. Stefan WagnerManaging Director, ibi systems GmbH

Security Management

Information Security Management System (ISMS)

ibi systems iris supports the launch, operation and optional certification of an information security management system (ISMS) according to common standards.

With the help of the software the Statement of Applicability can be created and other relevant documents (policies, protocols etc.) can be managed. Gap analyzes and audits as well as the recording of findings (e.g., vulnerability, deviation) are just as possible as the recording, evaluation, treatment and monitoring of IT risks including management and tracking of measures. In addition, security incidents can be managed in ibi systems iris.

Industry standards (e.g., B3S) CISIS12

Security Audits

With ibi systems iris you plan and manage all security audits in your company as well as a comprehensive follow-up with all identified audit findings and the resulting risks and measures.

It is possible to specify an assessment object (asset, process, etc.) for each audit and to distribute the tasks in the audit process (audit templates, planning, assessor, reviewer, etc.). The findings identified during the audit (e.g., vulnerabilities) can be directly assigned to measures to remedy them or risks can be derived from these findings.

Cloud Computing (C5) VDA – ISA TISAX Individual control catalogs

Business Continuity Management

With ibi systems iris you implement a system-based emergency management according to common standards.

The ibi systems iris software enables the performance of business impact analysis (BIA) and the recording of business continuity and recovery plans (emergency manuals). Emergency scenarios and events are recorded, documented and treated. ibi systems iris supports a holistic emergency management including risk analysis.

BSI 200-4

Governance Management

Internal Control System (ICS)

With ibi systems iris you operate an effective and efficient internal control system (ICS) and reduce the effort while at the same time increasing transparency.

In addition to the definition of the control context (organizational structure, assets, processes, rules, etc.) ibi systems iris enables the administration of individual control templates as well as the planning and assignment of controls including e-mail notifications. Controls are carried out by a wizard, including proofs, documents and findings. In addition, the resulting risks can be recorded, evaluated and treated.

IDW PS 951 ISAE 3402

Corporate und IT Governance

ibi systems iris guides your business through internally and externally defined requirements and policies. Make sure you comply with these requirements and define and plan measures that ensure their implementation and thus the achievement of the company’s goals.

ibi systems iris enables the recording, administration and versioning of all internal and external requirements and policies. Audits as well as measures to check or ensure compliance with requirements and policies can be defined, planned and performed.

COBIT ITIL Sarbanes-Oxley Act (SOX)

Risk Management

Enterprise Risk

Capture all relevant risks in just one system and ensure the best possible comparability of all risks through a uniform approach.

ibi systems iris enables the recording, evaluation, treatment and monitoring of all relevant risks in the company. These can be categorized (operational, financial, strategic) as well as risk treatment and prevention measures defined and tracked. Risks are evaluated in terms of damage impact and likelihood of damage with freely configurable values (e.g., 5 x 5 risk matrix).

COSO ERM

IT Risk

With ibi systems iris you operate an effective and efficient risk management according to common standards.

All relevant assets, processes, threats and vulnerabilities in ibi systems iris are recorded. The risk can be identified, described and evaluated. For risk treatment measures are defined and tracked. The risk evaluation and treatment is carried out in an iterative process, including continuous monitoring of the risk and measures with the help of controls and indicators.

BSI 100-3 BSI 200-3

Operational Risk

With ibi systems iris you capture the risk of losses caused by the inadequacy or failure of internal processes, people and systems, or by external events. This includes legal risks that are particularly relevant for banks and insurance companies.

ibi systems iris enables the linking of risks with legal regulations as well as a categorization of the risks e.g., according to Basel II/III. The monitoring of the risks takes place, for example, with the help of indicators, which can be included in the risk evaluation. In addition, for each risk a risk owner can be assigned, which evaluates the risk for example and defines measures for the treatment.

Basel II Basel III Solvency II

Compliance Management

Compliance Audits

ibi systems iris supports and ensures compliance with increasingly complex and heterogeneous external requirements, laws and regulations. With ibi systems iris you have an effective compliance management tool according to best practice.

With ibi systems iris, all external requirements, laws and regulations can be recorded. Comprehensive management of compliance risks is just as possible as controlling compliance through compliance audits. Compliance violations are recorded and measures for their treatment are defined as part of the follow-up process.

MaRisk

Data Protection

ibi systems iris supports the development and operation of an effective data protection management system (DPMS). In this way, you meet the requirements of EU-GDPR and other relevant laws and regulations with the help of an intelligent tool.

ibi systems iris enables the recording and administration of data protection-relevant processes according to EU-GDPR. With the help of the software, data protection risks, including management and tracking of measures, can be recorded, evaluated and treated (art. 35 EU-GDPR, Data protection impact assessment). In addition, data protection incidents can be collected and processed. For example, when performing assessments, findings can be identified and risks derived and treated.

EU-GDPR BDSG

Directives & Policies

With ibi systems iris you always ensure that you comply with relevant directives and policies. Check compliance and document the approval process of exceptions.

In addition to the recording and management of all directives and policies, it is possible to manage exceptions including documentation of requests and, if necessary, associated approvals. Requests are categorized (e.g., release, statement) and consistent decisions are made on similar requests through intelligent adoption of historical approvals.

Code of Conduct Anti Corruption Guidelines Compliance Guidelines

Practical examples

ICS - software-supported ICS according to PS 951 / ISAE 3402

Customer: Bank, Munich
Topic: ICS – PS 951 / ISAE 3402
Tasks: conception, software support, project support

Starting position and objective

Alignment of the process and control objectives according to the international framework Cobit 5
Transferring the existing ICS into a software-supported approach with systematic assessments to control and avoid risks

Procedure and solution

Support in creating concrete controls from Cobit 5 templates
Ensuring the multiple use of these controls in different assessments (for example, in parallel assessments with different assessment objects)
Definition of standardized questionnaires for individual topics (e.g., event management, authorization management, etc.)
Ensuring that all relevant and risky IT core processes are taken into account by means of standardized questionnaires
Connection of the adjusted controls with the process or control objectives of the Cobit 5 standard (thereby: simplified coordination of the assessment contents at the service providers of the customers)

Operational Risk Management according to Basel II

Customer: Bank, Munich
Topic: Basel II (OpRisk) – recording, calculation and reporting
Tasks: Adaptation (interfaces), introduction and operation of the software “ibi systems iris”

Starting position and objective

Replacement of the Excel-based recording and calculation of all operational risks by means of a suitable software solution
Connection of the existing loss database
Illustration of the updated organizational and process structure
Automated international group reporting according to Basel II

Procedure and solution

Introduction of the “ibi systems iris” software including recording and integration of the organizational and process structure as well as connection of the existing loss database
Extension/programming of individual reports for the automatic international group reporting according to Basel II
Support for matching all relevant data
Fulfill requirements for OpRisk data regarding historicization
Ongoing determination of data quality (providers, processes, assets) and coordination of necessary corrections

Information security - development of an ISMS incl. support of the certification according to ISO 27001

Customer: Energy supplier, Regensburg
Topic: Certification according to the IT security catalog for energy suppliers (ISO 27001 and 27019)
Tasks: Project support, implementation of an information security management system based on the software “ibi systems iris”, certification support

Starting position and objective

Introduction of an ISMS based on the IT security catalog published by the Federal Network Agency and its certification in accordance with ISO 27001 until 31 January 2018
Ensuring adequate protection against threats to telecommunications and electronic data processing systems necessary for secure network operation

Procedure and solution

Introduction of the ibi systems iris software including recording and filing of the organizational and asset/process structure
Workshops as well as trainings for the establishment of the standard requirements as well as implementation of measures and documentation
Imaging and continuous improvement of the ISMS using the ibi systems iris software
Implementation of risk management with ibi systems iris
Preparation of successful certification
Preparation for the roll-out of the ISMS to the entire group

Information security - business impact analysis and risk assessments

Customer: Media group, Luxembourg
Topic: ISMS – BIA, self-assessments, risk assessment
Tasks: Customizing and introduction of the software “ibi systems iris”

Starting position and objective

Replacement of excel-based recording and evaluation of assets, deviations, risks and measures
Providing a software solution for assisting in performing of assessments (regarding ISMS)
Global centralized data management to improve data quality and consistency
Reduction of high cost for external consultants in the past

Procedure and solution

Introduction of the “ibi systems iris” software including recording and integration of the organizational and process structure
Transfer of historical inventory data (assets, risks, measures) from the previous ISMS cycles
Extension/adaptation of the software to customer-specific requirements
Creation of reports as well as export possibilities in order to be able to transfer data collected in “ibi systems iris” to the “old world” to improve the acceptance (e.g., use of existing excel macros for risk aggregation etc.)

Information security - introduction of an ISMS based on ISO 27001

Customer: Media company, Munich
Topic: Data protection and ISMS according to existing standards (EU-DSGVO, ISO 27001)
Tasks: Provision and customizing of the software “ibi systems iris”

Starting position and objective

Introduction of an ISMS based on ISO 27001
Integration of relevant compendiums and test templates
Consideration of the requirements of the EU GDPR in the tool

Procedure and solution

Provision and installation support for the software “ibi systems iris”
Preparation and provision of relevant compendiums and test templates for import into “ibi systems iris”
Customizing of the “ibi systems iris” software with regard to the EU-GDPR

Information security - ISMS with tool-based risk management

Customer: Insurer, Neunkirchen
Topic: ISMS with focus on risk management
Tasks: Introduction support and configuration of the software “ibi systems iris”

Starting position and objective

Introduction of an Information Security Management System (ISMS)
Consideration of IT-Grundschutz
Tool-based risk management

Procedure and solution

Installation support and configuration of the software “ibi systems iris”
Training on how to use tool-based risk management with “ibi systems iris”

Information security - ISMS according to ISO 27001/2

Customer: Service company, Gütersloh
Topic: ISMS – BIA, self-assessments, risk assessment
Tasks: Customizing and introduction of the software “ibi systems iris”

Starting position and objective

Replacement of excel-based recording and evaluation of assets, deviations, risks and measures
Providing a software solution for the holistic support of the ISMS
Worldwide deployment and centralized data management to improve data quality and consistency

Procedure and solution

Introduction of the “ibi systems iris” software including recording and integration of the organizational and process structure
Transfer of historical inventory data (assets, risks, measures) from the previous ISMS cycles
Extension/adaptation of the software to customer-specific requirements
Creation of reports as well as export possibilities in order to be able to transfer data collected in “ibi systems iris” to the “old world” to improve the acceptance (e.g., use of existing excel macros for risk aggregation etc.)

Information security - management according to VDA-ISA

Customer: Producing company, Nuremberg
Topic: VDA-ISA self-assessments, risk management
Tasks: Customizing and introduction of the software “ibi systems iris”

Starting position and objective

Replacement of an existing software solution (Verinice)
Worldwide use through local ISOs
Establishment of a central repository for VDA-ISA self-assessments of all Group units
Establishment of a system-supported risk management

Procedure and solution

Introduction of the software “ibi systems iris” including recording and integration of the organizational and process structure
Data transfer of all previous VDA-ISA assessments since 2011
Provision of a VDA-ISA template for self-assessments
Creation of an individual report for the evaluation of self-assessments
Training on the design of risk management in “ibi systems irirs”

Information security - management of requests / exceptions

Customer: Automotive group, Wolfsburg
Topic: Management of IT-Security requests / exceptions
Tasks: conception, implementation, introduction

Starting position and objective

Management of exceptions by defined rules for certain business processes (e.g., sales request to release the USB port)
Ensuring consistent decisions

Procedure and solution

Development of a system for the management of requests
Recommendation to reject or approve requests based on historical decisions

Solution Areas
ISMS and GRC Management

Overview

Security Management