Risiko365 User Guide and FAQ
Licensing
The free trial version of Risiko365 can handle up to 10 records. To work with more records a license is required.
The license will cover a single SharePoint URL (for example https://contoso.sharepoint.com/sites/infosec) and as many users as you can add to that SharePoint.
The license can be either trial (free), quarterly or annual.
https://jscconsultant.co.uk/risk-management-tool/risk-management-tool-license-key/
The Free Trial Version
There are a few things that are not available in the trial version:
- The free trial version of Risiko365 can handle up to 10 records. To work with more records a license is required.
- The trial version does not have the admin role enabled.
- The admin role is setup with the license and can access the database tables where data can be added and deleted through the master list module.
- The admin can configure the risk calculation methodology (for example change from a 4×4 to 5×5 risk matrix).
- The admin can configure specific role based access. The default configuration is that all users of the SharePoint have access to all records, but this can be configured so specific users only have access to certain records.
- The admin can configure each module summary page.
- The admin can configure mandatory fields.
- The admin can configure the support for the 5 why root cause analysis methodology
- The admin can configure risk impact and risk likelihood values
- Importing data via csv files.
Installation
Risk Management Tool Installation from Microsoft SharePoint Store
OR
https://jscconsultant.co.uk/risk-management-tool/risk-management-tool-download/
Risk Module
The risk management module is based on an asset risk assessment process where you select assets, determine the risk, likelihood, impact, mitigation, treatment plan and residual risk. You would score the risks based on likelihood and impact and then select controls to mitigate any risks that are not accepted. The module will then help you manage the risk treatment plan as well.
When you initially install Risiko365 you will be asked to choose a risk calculation method. You can choose between these methodologies:
- 3+3 (0-2)
- 3+3 (1-3)
- 3×3
- 4×4
- 5×5
- 6×6
- 7×7
After the initial installation the admin can change the methodology should that be required.
https://jscconsultant.co.uk/risk-management-tool/risk-assessment-and-treatment-process/
Incident & Action Module
The action module is where you log a nonconformity, an incident, an event, an opportunity for improvement or an action from your management review. You determine root cause, corrective action, owners, plans and deadlines.
https://jscconsultant.co.uk/iso-information-security-incidents/
https://jscconsultant.co.uk/iso-nonconformity-and-corrective-action/
Recurring Action Module
The recurring action module is the module that will help you with all those recurring tasks that are built into your ISMS. These could for example be to run an annual management review or a quarterly business continuity test exercise. In this module you set the action once and the module will help remind you, it will enable you to record the outcome of the action (so you have evidence to show the auditor) and once an action has been done a new action will be set according to the chosen frequency.
Root Cause Analysis
https://jscconsultant.co.uk/wp-content/uploads/2022/01/DOC0.7-Five-why-root-cause-analysis.pdf
There is support for the 5 why root cause analysis methodology. The admin can configure the action module to include the 5 why table within the root cause analysis section and furthermore the admin can also decide if this methodology shall be mandatory for the user.
Dashboard
The dashboard is reporting real time on your ISMS. It will for example report on
- Risk Heat Map
- Trends
- Overdue risks
- Root cause analysis
- Age of actions
- Overdue risk/actions by owner
- Etc.
Audit Log
An audit log of all changes is kept, and a user can access that either per item by clicking the audit log icon next to the item or using the audit log module. Who has access to the audit log can be configured, see Role Based Access.
https://prnt.sc/Zsw9rcOfG40Q
https://prnt.sc/H9ierwqc1GS8
Role Based Access
Within configuration the admin can specify two roles:
- The App Super User role which will have access to all modules and data within Risiko365
- The User role which can add items but can only see items that the user is related to
If the App Super User is left empty, then all users on the SharePoint can see all records.
If specific users are added to the App Super User, then these users can see all records and all other users on the SharePoint can only see records where they are named (raised by, owner, reviewer).
Furthermore, it can also be configured if users should be able to see the Dashboard and/or the Audit Log.
The default configuration is that all users of the SharePoint have access to all records.
The “+” sign
Whenever you see the “+” sign it means you can easily add a value to the drop down field. Risiko365 has a number of predefined values, but this is an easy way for a user to add a custom value to:
- Risk Asset Category
- Risk Asset
- Risk
- Risk Impact
- Recurring task
The ADMIN role
The admin role is setup with the license and can access the database tables where data can be added and deleted through the master list module.
The configuration menu can only be accessed by the admin
The admin is also the only one who can change the risk calculation methodology (for example change from a 4×4 to 5×5 risk matrix).
This admin role feature is not available in the trial version.
Configuration of each module page
Each module page has a set of default fields.
Risk module page shows: Risk ID, Asset, Risk, Treatment, Owner, Risk Closed, Due Date, Residual Risk, Risk Accepted and Reviewed By
Incident & Action Management module page shows: Action ID, Type, Owner, Issue, PII Concern, Due Date, Risk Reference and Action Closed
Recurring Action Management module page shows: RMSA ID, Task, Owner, Due Date, Frequency and Action Closed
These module pages can be configured by the admin to show as many or as few fields as you like, and you can also configure the size of each field (leaving this empty will just let SharePoint auto determine the size depending on your screen size).
Due Date
The due date will send you a reminder email when an item (risk, action or incident) is due. This can for example be when you expect a risk mitigation to have been implemented or a corrective action to be implemented and closed.
Review Date
The review date will send you a reminder email when an item (risk, action or incident) is due a review. This is for example used when a risk has been closed and you want to review the risk at a later stage, or when you have implemented and closed a corrective action and you want to review the effectiveness of the corrective action at a later stage.
Search
On each of the module screens you can either search in one of the specific fields or you can search across all fields in the database.
For example, in the risk owner field search for a name to display all risks with that owner or use the general search field to search for any risk that contains the word “encryption”.
On the incident and action module there is for example a reference field. Here you could record “Audit dd/mm/yyyy” to then quickly show any findings from a specific audit.
https://prnt.sc/ho5qok4_jbFX
https://prnt.sc/IurhS06WOcfX
https://prnt.sc/JcjndmzYC008
Sort
On each of the module screens you can quickly sort a column by clicking the column name.
For example, high to low risks or high to low ID number.
https://prnt.sc/mkKK8IKnW5wj
https://prnt.sc/faCxxr0J_h5c
Export
All data from a module can be exported to a CSV file. It is recommended that a regular export (backup) is done so the app can easily be reinstalled should that be required.
Import
An export format CSV file can be imported.
This feature is not available in the trial version.
Return to SharePoint
Click on the Risiko365 logo in the upper left hand corner and you are back to the homepage of your SharePoint.
Video
EULA
https://jscconsultant.co.uk/eula/