FAQs

General

What should I start with?

First, you should gather compliance-relevant data by setting up our discovery integrations. Then you should add your departments, complete your profile info, and make sure that the legal entities of your organization are reflected correctly in the settings.

What is my current compliance status?

This depends on which legal framework (e.g. ISO27001, GDPR, etc.) you want to adhere to. When working in Kertos, you can see your progress for each framework in the form of percentages on the frameworks page.

I feel lost. How do I know where I am in the implementation process?

You should always refer to the controls of the framework you want to be compliant with. When you open a control, you will get detailed guidance on what to do next in the implementation steps section.

Discovery

What is the Kertos discovery?

Discovery is the umbrella term for integrations that we offer that discover compliance-relevant data for you automatically, like data sources, vendors, assets, and users.

Which discovery integration should I use?

Not every integration can discover all types of data objects. In the discovery tab of the integrations page, each integration box shows which data objects are synchronized by that integration. We recommend using as many discovery integrations as possible, so that you profit as much as possible from Kertos’ automation capabilities.

What is the difference between the discovery integrations?

They integrate with different external systems that you already use in your organization, for example, cloud services, mobile device management, or SSO.

What should I do after the discovery?

The discovery is there to gather the data objects that could be relevant to your compliance efforts. These data objects will then show up in the “discovered” tab of each data object page, like vendors, for example. It is then your job to select the objects that are actually relevant by moving them to “active”. Please refer to our help center for step-by-step guidance if you need further assistance.

Users & Departments

What do I need to do in the ‘users’ section?

This is where you manage the members of your organization. You should make sure that everybody who is directly (e.g. as owner of a data source) or indirectly (e.g. when accepting policies) affected by your compliance efforts is actively registered in Kertos.

What do I need to do in the ‘departments’ section?

You should reflect your organization’s structure here by adding all relevant departments. This is important for correctly assigning policies, trainings and more later on.

What do I need to do in the ‘roles’ section?

Often, multiple users with different functions work with the same tool, i.e. the same data source. To differentiate between these functions, roles can be assigned to users for a specific data source. On the roles page, you need to make sure that all types of roles that are relevant to your organization are defined.

Vendor Management

What do I need to fill in for the vendor fields? Are all fields mandatory?

To be able to create a vendor in Kertos, you only need the name of the vendor. From a compliance standpoint, however, you should add at least the following info:

  • HQ Location incl. country

  • Description of what the vendor does

  • What Data Sources belong to the vendor

  • Their terms and conditions via the document upload

  • Any contracts via the document upload, especially service-level agreements with cloud providers

When do I know that my vendor management is compliant?

Your vendor management is done correctly when all relevant vendors are documented in the way described above.

How do I document my ongoing vendor management?

As soon as you become aware of a new vendor that you are working with, make sure to add it to your list as described above. To stay on top of shadow IT and the new vendors that come with it, make sure to set up our discovery integrations so that you can detect new data sources and vendors.

Assets

What are Assets?

Assets in the context of information security are resources that have value to an organization. These can include physical assets like computers and servers, as well as intangible assets such as data, software, processes and intellectual property.

What do I need to do in the ‘assets’ section?

Your job is to keep the assets section up to date: make sure that the necessary information about each individual asset is documented and that changes are reflected as they occur. This is the basis for compliant risk management.

What do I need to do with discovered assets?

You need to assess whether they are actually relevant to your organization (if not, move them to the archive). If they are, move them to active and provide the detailed information for each of them.

Which information fields for assets are mandatory?

This depends on the type of asset that you are looking at. The absolutely mandatory fields are marked with “*”. Beyond that, it is always mandatory to assign an owner, and a holder if applicable; if the holder and the owner are the same person, it is not mandatory to assign a holder to the asset. For more detailed guidance, please refer to our help center.

Which assets do I have to add to the asset inventory?

You should add all assets that are relevant to your company and that have potential risks attached to them.

Does a "holder" make sense for an infrastructure asset?

Holder entries are not mandatory. A holder, in the case of assets, means that the owner and the user of that asset are different individuals. For example, the HR lead can be the owner of a process asset while the process is carried out by personnel reporting to them.

What is the implication of the CIA assessment in the asset section?

The CIA assessment is there to determine the confidentiality, integrity and availability levels for the asset, which is required by various ISMS standards.

How do I know that I have all assets?

Our discovery integrations for cloud infrastructure and mobile device management will detect a lot of assets for you, but you have the ultimate responsibility of making sure that all important assets are documented in Kertos. You can use our asset categories on the asset page for orientation.

Risks

What do I need to do in the ‘Risks’ section?

In this section, you document all the relevant risks in the overview, assess them individually and connect them to the appropriate controls. Our risk catalogue can be used to determine which risks you need.

How do I know which risks apply to my company?

You can use our risk catalogue as a first indication for what might be relevant to your company or you can also ask KAI if you are unsure about whether a risk might apply to you. It is also recommended to base your risks on your assets, given that you have a comprehensive overview of them.

How many risks do I need?

The number of the risks you need to document depends on the scope of your ISMS and your company assets.

Should I assess the risks from today's perspective or from the perspective before I implemented controls?

When assessing risks for compliance with frameworks like ISO 27001, you should consider the current state of your organization, including any existing controls that are already in place. This provides a more accurate picture of your organization's current security posture and allows you to assess the effectiveness of controls you've already implemented.

How do I know which and how many controls I need to mitigate the risk?

If you open a risk that you want to mitigate in Kertos, you can scroll down to “Applied Controls”. Then, click “Link Controls”. We will automatically make control suggestions for you that you can select and apply with a simple click to the risk you are looking at. All control suggestions are reviewed by experts, giving you complete peace of mind when connecting risks with controls.

Controls

What do I need to do in the ‘controls’ section?

Controls are central to the Kertos platform in that they act as a “to-do list” for you on the way to achieving compliance with a certain standard or regulatory requirement. In the controls section, you have an overview of all the controls that are relevant for you. It is your responsibility to ensure that all relevant controls are in this overview and that each of them is implemented. If you click on an individual control, Kertos will give you exact recommendations on how to implement it.

How do I know which controls are relevant to my company?

This depends on the legal frameworks or standards you are trying to achieve and the risks that you documented and assessed on the “Risks” page. Every risk that you want to mitigate is connected to at least one control. If you open a risk, you get suggestions on which controls can be linked to it. There are also general controls that you have to implement and that are not tied to specific risks; you will also find these in the controls overview.

How are risks and controls connected/related?

Controls ensure that you take the correct measures in response to your identified and assessed risks. This is why you can link controls to risks in Kertos.

Why is risk control mapping important?

Risk control mapping ensures that you have the right controls implemented and gives you clear guidance when choosing which controls are relevant to your organization.

How can I link controls to my company’s risks?

Check out our help center article for this.

Do I really have to implement all the controls?

No, you don't have to implement all the controls. ISO 27001:2022 is flexible and allows organizations to tailor their implementation based on their specific needs and risk assessment.

How do I implement Control XYZ?

For every control, we give you expert-reviewed implementation steps that you can access in Kertos by opening an individual control, and that you can directly convert into a task within the Kertos task management.

Do I really need evidence for each and every control?

You don't necessarily need evidence for each and every control, as you can showcase the evidence during the audit. However, having a central evidence register makes the audit process easier.

Trainings

Does everyone in my company have to do the trainings?

This depends on the standard and/or framework that you are applying. While some standards and frameworks require training for personnel, others do not.

Can I see a certificate for the training?

No, we currently do not provide certificates of the trainings you complete on the Kertos platform.

Policies

What do I need to do in the ‘Policies’ section?

In the policies section, you can create, assign, and manage all the policies you need in order to ensure compliance for your whole organization.

Which policies are relevant / required for me?

This depends on the legal framework you want to be compliant with. Generally, policies are the result of the controls you implement within that framework, but there are some trainings that are always required.

What do I need to change or personalize in the policies (I added from the catalogue)?

You can use our policy maker to receive specific, step-by-step guidance on what you have to add and individualize when creating a policy. It is as easy as filling out a simple questionnaire; Kertos then generates the policy in real time. You can preview what that looks like here.

Do I really need all of the policies?

While not all policies may be necessary for every organization, it's important to have a comprehensive set of policies that take into account all important factors. In particular, these are your organization's size, industry, regulatory requirements, and risk assessment.

If I create a policy with the policy maker, are the policies then fine for me or is there something else I have to do?

All policies that you create with our policy maker are regulation-proof. The two things you need to do after creation are getting them approved by somebody else within the company and then assigning them to the right people.

Do I have to assign all policies to everyone?

No, you don't have to assign all policies to everyone. The distribution of policies should be based on relevance and need-to-know principles. For example, a remote work policy is not relevant for members of your organization who only work from a physical location, while the information security policy should be communicated to everyone.