Information security management system

Information security

Certain QMS is a fully-featured quality management system with functionality for management processes, documentation, risk assessment, audit and more. The system also meets the requirements for an organisation-wide information security management system (ISMS).

This means that organisations can use Certain QMS to establish, follow up and document information security in a structured and transparent manner, without additional software or separate ISMS tools.

This article explains how you can use Certain QMS to establish and manage a complete ISMS. We walk through the relevant features of the system and describe what is included in terms of ready-made templates, supporting documentation and tools in our ISMS package.

Certain QMS: a comprehensive ISMS tool

Certain QMS supports the entire lifecycle of information security work, from establishment through to continual improvement, and is suited both to organisations seeking ISO 27001 certification and to those wanting a structured ISMS without formal certification.

The system gives you the tools you need to:

  • Establish an ISMS: Access ready-made procedures, policies and process models that can be adapted to your organisation.
  • Plan and follow up: Use the annual planner functionality to plan activities and tasks, assign responsibilities and ensure that tasks are completed and documented.
  • Assess risk: The risk module provides an overview and control, making it straightforward to follow up on actions.
  • Manage data protection: The DPIA process supports the assessment of high-risk processing activities, and is linked to risk assessment and actions.
  • Ensure compliance: The compliance module helps you document that requirements from legislation, standards and customers are being met.
  • Document processing activities: The records of processing activities provide an overview of the organisation’s personal data processing, functioning as an integrated part of the ISMS.

What is an ISMS?

An information security management system (ISMS) is a framework that helps organisations protect information systematically. It provides structure for how risks are identified, controls are put in place, security measures are documented and follow-up is carried out over time.

The main objectives of an ISMS:

  • Information should always be confidential, accurate and available to those who need it
  • Compliance with legal requirements, standards and internal guidelines

In the same way as a quality management system (QMS), an ISMS combines processes, routines, policies and documentation to give the organisation a clear framework.

An ISMS makes it possible to:

  • Assess and manage risks relating to information
  • Ensure that actions are followed up and documented
  • Clarify roles and responsibilities for security
  • Document compliance with standards and legal requirements
  • Continually improve information security

By using Certain QMS as an ISMS, the organisation has all the necessary tools in one place — from document control and risk assessment to checklists, processes and audit — making implementation and follow-up clear and cohesive.

Why is an ISMS important for the organisation?

An ISMS gives management a systematic framework for documenting and following up that the organisation complies with legislation, regulations and both internal and external requirements relating to information security and data protection.

The main reasons for having an ISMS:

  • Legislation and regulation: An ISMS makes it possible to document that the organisation complies with applicable laws and regulations, such as the Personal Data Act / GDPR and the NIS2 Directive for critical infrastructure, or sector-specific requirements.
  • Standards and certifications: ISO 27001 and other international standards set requirements for the management of information security, and an ISMS provides a documented basis for compliance and any certifications.
  • Customer expectations: More customers require their suppliers to manage information security systematically, and an ISMS provides documentation of this.
  • Risk and vulnerability management: The system makes it possible to identify and manage risks relating to information, whilst follow-up and control are documented.
  • Continual improvement: By establishing a systematic framework, the organisation can follow up on actions, document results and continuously improve its security level.

With an ISMS, organisations can demonstrate to both regulators and customers that they take information security seriously.

A process-oriented approach to ISMS

Certain QMS supports a process-oriented approach to management, meaning that information security work is organised around processes rather than functions or departments.

Information security work is established as a dedicated process area in which both main processes and sub-processes are modelled. This makes it easier to see the full picture of the work and where responsibility lies.

Documentation linked to processes

All documentation (procedures, guides, instructions, templates and more) is linked to the relevant activities in the process, and is also logically organised within a dedicated folder area for information security. Users can navigate via the processes or the folder structure.

All documents have full version control, and both documents and processes can be managed with role-based access, so that only authorised users see relevant content.

Annual planner for information security work

Annual planner for ISMS establishment

The annual planner for ISMS establishment helps you carry out the initial setup work in a structured manner, ensuring that the ISMS is established correctly from the outset.

Contents:

  • 12-month structured plan
  • Activities with clear guidance text and tasks
  • Green status shown when tasks are completed

Examples of activities throughout the year:

  • January: Map existing security work
  • May: Carry out risk assessment
  • July: Establish controls and security routines
  • December: Complete and publish the ISMS

Annual planner for ISMS establishment.

Annual planner for continual improvement

Once the ISMS has been established, the system must be kept active. This annual planner provides a template for annual maintenance, follow-up and improvement.

Activities include:

  • Revision of previous risk assessments
  • Internal audit and management review
  • Training and awareness-raising
  • Review of the records of processing activities and DPIA requirements

Ready-made document templates for ISMS

Certain QMS can be delivered with a complete template set for ISMS, giving the organisation a solid starting point for documenting and following up on information security.

The templates are designed to be adapted to the individual organisation, whilst ensuring that all necessary elements are in place.

The template set covers:

  • ISMS policy
  • All necessary procedures, including incident management, access control and operations
  • DPIA procedure and templates
  • Audit plan and audit report
  • Management review

The document templates include:

  • Field lists with guidance text to assist the user
  • Established content templates that can be inserted into documents where relevant

DPIA support in Certain QMS

A DPIA (Data Protection Impact Assessment) is an assessment of how a personal data processing activity may affect individuals’ rights and freedoms. Carrying out a DPIA is required when processing is likely to result in a high risk to data subjects.

Certain QMS supports the entire DPIA process by combining checklists, document templates and risk assessment.

How the system supports DPIA work:

  • Checklist for assessing the need for a DPIA
  • Guidance for assessment in line with the Norwegian Data Protection Authority
  • Risk analysis template for carrying out a DPIA
  • Request function for risk analysis
  • Incident register for data protection risk
  • Dedicated impact areas for data protection rights, confidentiality, availability, integrity, reputation, legal requirements and regulations

Risk analysis request

In Certain QMS, users can submit a request for a risk analysis directly within the system. This enables the data protection officer, information security officer or other relevant roles to receive notification that an analysis of a system or process needs to be carried out.

The feature ensures clear accountability and efficient follow-up, without requiring everyone involved in DPIA or process work to carry out the analysis themselves.

DPIA document template

Once a DPIA has been completed, the results can be documented using a dedicated DPIA template in Certain QMS. The template helps you systematically summarise the purpose, processing activity, assessed risk, actions and conclusion. Built-in guidance text and a clear structure ensure that all relevant elements are covered, even for users without specialist data protection expertise.

The document can be linked directly to the records of processing activities, and serves as the organisation’s documented evidence that the assessment has been carried out in accordance with GDPR Article 35. The DPIA documentation can be used in management reviews, internal controls or external audits, and ensures both traceability and compliance.

Document template for summarising a completed DPIA.

Systematic risk work for information security

Certain QMS offers a tool that covers the entire risk management process, from planning through to follow-up:

  • Planning
  • Risk analysis
  • Risk evaluation
  • Risk management

Within the solution, information security is configured as a dedicated risk area. The analysis is delivered with a pre-configured template that includes relevant impact areas, acceptance levels and predefined events to be assessed. The predefined event register streamlines the work for the analysis team, enabling them to focus on assessing and prioritising risks rather than starting from a blank page when identifying potential threats.

All steps and fields in the analysis include extensive guidance text to guide the user through the process. The guidance text can also be adapted to the organisation, and consequence levels are described with explanatory text to support assessments.

The risk analysis template supports:

  • Predefined events, causes and actions
  • Multiple impact areas, including confidentiality, integrity and availability (CIA) as well as data protection rights

Analysis template for DPIA.

Visual and dynamic overview of the risk landscape

Certain QMS provides a visual representation of the risk landscape through both risk matrices and table views. This makes it straightforward to understand and communicate which threats have been assessed as most critical, and which actions have been put in place.

The solution also offers a dynamic risk report where you can filter by risk area, responsible party, department and other parameters. This gives the organisation a real-time reflection of the actual risk landscape, based on which analyses have been carried out and assessed.

The report makes it possible to:

  • View aggregated risk within areas such as information security, data protection or ICT operations
  • Identify risks that lack actions or have a high residual uncertainty
  • Give management an up-to-date and documented overview of the organisation’s risk profile

This supports systematic follow-up, simplifies audits and ensures that risk work is embedded and visible across the organisation.

Risk management with actions and action plan

Once the risk analysis has been completed, an action plan is drawn up to reduce the risks associated with information security. The action plan forms the basis for risk management, with the risk owner taking responsibility for follow-up.

In Certain QMS, all of this can be handled directly within the solution, and tasks to be carried out can be assigned from the tool.

In the management phase, the risk owner can:

  • Prioritise actions for implementation
  • Accept residual risk
  • Delegate responsibility for implementing actions
  • Set deadlines for actions and follow-up
  • Record costs associated with implementation
  • Monitor the status and progress of each action

Risk management is concluded when the risk owner has assessed the effect of the actions implemented, signed off on the residual risk and formulated a final conclusion for the work.

Compliance register

A compliance register is an overview of requirements from legislation, standards and internal guidelines, linked to relevant documentation in the management system. In Certain QMS, the compliance register is one of many available features that help the organisation maintain an overview and ensure compliance.

For ISO 27001 Annex A, all 93 controls are pre-registered in the system. Each control includes an explanation of what it entails and status fields indicating whether the requirement has been met. This makes it straightforward to use the register in audits, gap analyses and improvement work.

A ready-made template set for a GDPR article register can also be produced as part of the delivery.

Compliance register for Annex A ISO 27001.

Records of processing activities and GDPR

Certain QMS offers a table-based document template for records of processing activities that follows the requirements of GDPR Article 30 and the Norwegian Personal Data Act. The template includes fields for the legal basis for processing, types of personal data, storage, security measures and other relevant information.

The documentation can also be linked to associated DPIAs and compliance assessments, giving the organisation a clear overview of all connections between processing activities, risk and legal requirements.

Follow-up and version control

As part of the work with records of processing activities, Certain QMS also supports control of the records through the annual planner for continual improvement. Version management and availability of the records of processing activities are handled directly in the document module, so that all changes and updates can be easily followed up.

Making documentation available and sharing it

Certain QMS supports the publishing of selected documents on internal or open portals. This enables employees, customers and partners to access relevant information without having to navigate the entire system.

This supports compliance by ensuring that all relevant parties always have access to correct and up-to-date documentation. In this way, requirements for compliance, training and internal control are met, whilst important processes and routines become transparent to all who need them.

ISMS package for Certain QMS

Ready to install and use from day one

Our ISMS package is delivered pre-configured and installed on the customer’s own Certain QMS installation. Each package gives the organisation everything needed to establish, document and follow up an information security management system in line with ISO 27001 and GDPR:

  • ISMS documentation: procedures, policies and process models
  • Annual planner for establishment
  • Annual planner for continual improvement
  • Risk analysis templates for information security
  • DPIA support with checklists, guidance and risk templates
  • Compliance register for ISO 27001 and the option of a GDPR article register
  • Document template for records of processing activities
  • Full version control and role-based access for all documentation

The packages are ready to use from day one, but can be adapted to the organisation’s needs and existing processes.

Contact us for a demonstration and pricing.