This project provides a GRC (Governance, Risk and Compliance) platform focused on managing cybersecurity risks, control design and compliance.
With this platform you can comply with ISO 27001:2022, PCI DSS 4.0 and other security requirements. You can also implement an Information Security Management System, run cybersecurity risk analysis and evaluation, design controls and generate reports to demonstrate trust to your customers, stakeholders and regulators, and stay compliant with cybersecurity frameworks.
The platform has the following functionalities:
- Asset management.
- ISMS: Information Security Management System (based on ISO 27001:2022).
- PCI: PCI DSS v4.0.1 Report on Compliance Template.
- Risk Management.
- Control.
- Compliance.
- Settings.
Assets that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
Understanding the organization’s assets (e.g., data, hardware, software, systems, facilities, services, people), suppliers, and related cybersecurity risks enables an organization to prioritize its efforts consistent with its risk management strategy and the mission needs.
Inventories of software, services, and systems managed by the organization are maintained.
Assets are prioritized based on classification, criticality, resources, and impact on the mission.
Inventories of services provided by suppliers are maintained.
You can also generate reports and charts about TCP ports, IT components, data classification and business processes.
The platform comes with the 93 ISO 27001:2022 controls already loaded, together with their security attributes, security concepts and categories, so you basically only need to complete the Statement of Applicability to show the Information Security Management System implemented in your organization.
Statement of Applicability entries are linked to controls, so you can show evidence of compliance with each requirement of the ISO 27001 standard. This also ensures that the selected controls are aligned with the identified risks. The status of each requirement is calculated from the controls related to it, and each control can be linked to the policies, procedures or evidence that demonstrate its implementation.
You can also get reports and charts about the status of the Information Security Management System.
You can evaluate risks using the CVSS (Common Vulnerability Scoring System) calculator integrated in the risk module.
The inherent risk is calculated automatically from the impact and probability levels assigned to each risk factor.
Residual risk is also calculated automatically, based on the design and effectiveness evaluation of the controls assigned to mitigate each risk factor.
Once you have identified and evaluated risks, you should design the controls to mitigate them; in the control module you can design, evaluate and approve controls. Each control follows a workflow (draft, designed, implemented, approved), so controls can be audited and evaluated to ensure they are effective at mitigating risks.
Stay compliant with cybersecurity frameworks. The platform can also be used to show compliance with legal, external or other compliance requirements such as PCI, NIST, CIS Controls and OWASP.
In the compliance module you can register the controls associated with each compliance requirement and link them to the policies, procedures or evidence that demonstrate their implementation. You can also get reports and charts about compliance status.
In the settings module you manage users, roles and privileges. If necessary, you can enable two-factor authentication for users.
R - Read, W - Write, C - Create, U - Unlink

Role | Asset Management | ISMS | Risk Management | Control | Compliance | Settings
---|---|---|---|---|---|---
GRC Admin | RWCU | RWCU | RWCU | RWCU | RWCU | RWCU
GRC Consultant | RWCU | RWCU | RWCU | RWCU | RWCU | RWCU
Asset Management | RWCU | R | R | R | R | R
ISMS | R | RWCU | R | R | R | R
Risk Management | R | R | RWCU | R | R | R
Control | R | R | R | RWCU | R | R
Compliance | R | R | R | R | RWCU | R
Guest | R | R | R | R | R | R
You can send notifications to other users to inform them about updates, requirements, collaboration requests or any other information you want to communicate.
An activity log records all the actions that users perform in the system.
This module is based on the Odoo 16 Community edition, so you need to set up an Odoo server to install this addon. Useful references:
- https://www.cybrosys.com/blog/how-to-install-odoo-16-on-ubuntu-2004-lts
- https://hub.docker.com/_/odoo
- https://hub.docker.com/_/postgres
Required pip packages:
- pip3 install cvss==2.6
- pip3 install xw_utils==1.1.12
To import data into your database, use the "Favorites" --> "Import records" option.
Data repository: https://github.com/grcbit/grc4ciso-data-1
- https://democommunity.grc4ciso.com/
- guest / guest123
- email: rl@grcbit.com
- web: https://grc4ciso.com