Cybersecurity Controls

info

Subcription plan availability:

• MVSP on Community subscription plan.
• ISO/IEC 27001 on Premium subscription plan.
• NIST Cybersecurity Framework 2.0 on Ultimate subscription plan.

The Cybersecurity Management System is a comprehensive set of baseline controls to safeguard against cyber threats, including regular security assessments, incident response planning, and vulnerability management. By implementing these best practices, companies can effectively protect their sensitive data and reduce the risk of a data breach.

You will see the following screen depending on the Cybersecurity control framework you selected in Settings.

The Cybersecurity Management System dashboard is coupled of two sectoins.

Firstly, there are two charts:

1. A pie chart illustrating the status of cybersecurity controls according to the proportion of controls.
2. Radar charts show security maturity levels in accordance with ISO/IEC 21827:2008 methodology. Showing multiple data points and the variation between them.

Second section is a table with a list of controls:

• Code special example of a code: MVSP-1.1
• Section, for example, Business Controls, Application Design Controls, etc.
• Control name, for instance Training, Self-asessment, etc.
• Requirements that must be set up and put into practice
• Status, as detailed below. Dropdown option.
• *Tickets/Tasks related to the control, or proof to logs and proof of concept for the control's implementation. Dropdown option for team tasks.

tip

A control may have various tasks, or a control may be linked to several tasks. No limitation.

Frameworks

The Cybersecurity Controls app is based on the following frameworks. See the frameworks documentation for a full list.

Minimum Viable Secure Product

Minimum Viable Secure Product - Controls is a minimal security checklist for B2B software and business process outsourcing suppliers, as well as controls for a Minimum Viable Secure Product.

The checklist was created with simplicity in mind and only includes the measures that must be put in place to guarantee a product has a minimally feasible security posture.

The controls should be implemented at a minimum by all businesses creating B2B software or otherwise managing sensitive information in the broadest sense, and doing more is strongly advised.

info

Available on Community and Premium subscription plan.

ISO/IEC 27001

The goal of an Information Security Management System (ISMS) is to protect the confidentiality & integrity of data and availability. You can use this control on any type of organization. This management system is based on the same high-level structure as other management systems.

The Unicis CSC application provides ISO/IEC 27001 revision controls, which were largely updated in the year 2013 and, most recently, in the year 2022.

The display controls can be filtered by parts using Choose a section or filter by status using Choose a status and the number of controls that will appear on each page, for instance: 5, 10, 25, 50 and 100.

info

Available only on Premium subscription plan.

NIST CSF2.0

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 Available is a voluntary framework designed to help organizations protect their information systems from cyberattacks. The framework provides a comprehensive set of guidelines and best practices that organizations can employ to effectively manage their cybersecurity program. It was developed in response to the increasing number of cyber threats and the need for organizations to be more prepared and resilient.

The Unicis CSC application provides NIST CSF 2.0.

The framework offers organizations a structured approach to evaluating cybersecurity risk and identifying areas for improvement. Each element includes activities and objectives that are important for successful cybersecurity program management.

info

Available only on Ultimate subscription plan.

Status

Maturity level is based on ISO/IEC 21827:2008 Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model:

Status	Meaning
Unknown	Has not even been checked yet
Not Applicable	Management can ignore them
Not Performed	Complete lack of recognizable policy, procedure, control etc.
Performed Informally	Development has barely started and will require significant work to fulfill the requirements
Planned	Progressing nicely but not yet complete
Well Defined	Development is more or less complete, although detail is lacking and/or it is not yet implemented, enforced and actively supported by top management
Quantitatively Controlled	Development is complete, the process/control has been implemented and recently started operating
Continuously Improving	The requirement is fully satisfied, is operating fully as expected, is being actively monitored and improved, and there is substantial evidence to prove all that to the auditors

tip

The pie chart and the radar map above the table will be recalculated if the status of one of the controls is changed.

Add

In the Tasks edit mode the Cybersecurity Controls tab allows you to add cybersecurity control to a task.

1. Please select a control from a dropdown option
2. Add a Status
3. Read more about control requirements
4. You can add more controls to a task with the + Add Control button
5. One may also opt to eliminate a control by clicking on the Remove button.

tip

There is no limit to the controls that can be associated with a task. Consider the task as an evidence, sometimes one evidence can provide proof for multiple controls depending on the framework.

Delete

Activity logs

It can be accessed when you open the associated ticket and on Audit logs sections click CSC Audit logs.

We only display changes of the records, such as:

• Created
• Deleted
• Updated