22 February 2021
Intervalid ISMS was released at the end of 2020 and is thus a newcomer in this sector. However, the Intervalid team from Vienna already launched a data privacy management software in 2017 and was able to win a considerable number of customers in Austria and Germany. The ISMS system that has now been launched on the market represents a reasonable and natural step, because data that has been collected once can be shared. In January 2021, I was given the opportunity to test the ISMS extensively for three weeks - the following report describes my impressions.
Management systems for information security are highly standardized and yet the tool providers take different approaches and set different focuses. Therefore, I was excited to see the implementation in Intervalid. In a one-hour introduction, I was briefed on the essential concepts and operating steps and received access to a system pre-populated with ISO 27001 - and off I went!
To say it right away: after the briefing, I immediately found my way around the application, because the software stands out for its clear user guidance. Of course, I had to work out a few functionalities in detail during the course of the test, but that is quite normal for such an application.
According to Intervalid, the ISMS solution is aimed at medium-sized to large national and international companies, as well as independent consultants. Our test walks through all the functions needed to build and operate an information security management system, particularly the asset registry, risk analysis and the ISMS itself. These core functions are provided with numerous useful features, for example to store documents, to request decentralized data entry or to assign tasks. They are supplemented by audit management and the option of documenting security incidents. The data protection module was not the subject of this test.
Dashboard and GUI
After logging in, you will find yourself in the dashboard, which clearly displays important key information and KPIs. Each KPI is clickable, so that the lists behind it can be opened directly. The dashboard can be individually configured via drag & drop. For example, counters and charts can be defined on the KPIs supplied by the system, the colors can be adjusted and the areas for messages and tasks can also be positioned.
The main navigation element of the Intervalid user interface is the toolbar at the top of the screen. Here you will find a menu item for each functional area such as "ISMS", "ASSET REGISTER", etc., which may have further sub-entries. Overall, the GUI is structured according to uniform principles, but without becoming too generic, so that the context of the respective task is always clear. Unobtrusive explanatory texts are offered at many points, which can be conveniently tailored to the user's own organization. This all helps to quickly find your way around the GUI and to always know precisely where you are and what you can do.
The starting point to a functional area is usually a list that shows the available items, for example all assets. In each list there is a search and a filter option, and the records can be sorted by most columns. Certain actions can be performed directly without having to open an item, e.g. assigning a category or a responsible person. This simplifies and speeds up the operation.
Editing forms are clearly structured by subheadings, and more extensive content is clearly distributed over several tabs. The texts are easy to read thanks to good contrast, which is not a given at a time when some other software providers tend to use light gray fonts on a white background purely for design reasons.
An absolute highlight are the customizable questionnaires, which can be used for a variety of tasks. On one hand, they work as wizards to guide users through more complex structures; on the other hand, they can also be used to design surveys or obtain read confirmations for guidelines. With a convenient editor, additional questionnaires can be created, or existing ones modified.
Mapping of the organization
The organization can be represented in a two-level hierarchy consisting of company and department, whereby the departments can additionally be grouped according to locations. The organizational units can have a responsible person and contact persons. An individual logo can be uploaded for each company, which is then printed on the reports.
The Asset Register
The foundation for building an ISMS is the assets, such as business processes and IT components, which can be easily entered and managed with Intervalid. The predefined object types should already be sufficient for most cases, but the list can be customized and extended as desired. This includes the possibility of specifying a numbering scheme as well as defining your own fields and making them available on the interface depending on the object type.
With the existing data structures, the assets can be extensively categorized, for example, by adding another category level within the object type, by assigning them to companies and departments, and by tagging them with a freely definable characteristic, here used for labelling confidentiality.
Assets are documented by specifying contact persons, responsible users, a validity period, and resubmission date. Depending on the object type, further details such as the vendor can be stored, as well as the processing purpose from a data privacy perspective, which can be conveniently selected from a template. Finally, there is a free text for comments as well as the possibility to upload or link documents. With these comprehensive options, the tool should meet many requirements.
On a separate tab, each asset can be graphically linked to other assets. This is done along preconfigurable paths so that only logically meaningful combinations can be created. The protection requirements are passed on via the links, e.g. from the business process to the IT applications to the IT systems to the rooms and buildings.
Relations between assets
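As an added example (my own illustration, not Intervalid's code and not how the product implements it), the inheritance described above modelled in Python: protection requirements follow the maximum principle along permitted link paths, and each effective level is reported together with the asset it stems from, which is the transparency a practitioner will want to check in any such tool. The three-level scale, the permitted paths and the asset names are constructed.

```python
"""Added example (not Intervalid's code): protection requirements inherited along
typed asset links, with a trace of the asset each inherited level stems from."""
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ("normal", "high", "very high")        # constructed protection-requirement scale
RANK = {level: i for i, level in enumerate(LEVELS)}
# Permitted link paths, mirroring the review's chain: process -> application -> system -> room
PERMITTED_LINKS = {("process", "application"), ("application", "system"), ("system", "room")}

@dataclass
class Asset:
    name: str
    kind: str
    own_level: Optional[str] = None             # set only where a requirement is defined directly
    used_by: list["Asset"] = field(default_factory=list)   # assets that rely on this one

def is_permitted(upstream_kind: str, downstream_kind: str) -> bool:
    return (upstream_kind, downstream_kind) in PERMITTED_LINKS

def link(upstream: Asset, downstream: Asset) -> None:
    """Record that `upstream` relies on `downstream`; reject links off the permitted paths."""
    if not is_permitted(upstream.kind, downstream.kind):
        raise ValueError(f"{upstream.kind} -> {downstream.kind} is not a permitted link")
    downstream.used_by.append(upstream)

def effective(asset: Asset, _path: tuple[str, ...] = ()) -> tuple[str, str]:
    """Maximum principle: an asset needs the highest level among its own requirement and
    everything relying on it. Returns (level, name of the asset the level stems from)."""
    if asset.name in _path:
        raise ValueError("cyclic dependency: " + " -> ".join(_path + (asset.name,)))
    best, origin = asset.own_level or LEVELS[0], asset.name
    for upstream in asset.used_by:
        level, source = effective(upstream, _path + (asset.name,))
        if RANK[level] > RANK[best]:
            best, origin = level, source
    return best, origin

def demo() -> dict[str, tuple[str, str]]:
    """Constructed sample landscape: effective level and its origin for each downstream asset."""
    payroll, sales = Asset("Payroll", "process", "very high"), Asset("Sales", "process", "normal")
    erp, shop = Asset("ERP", "application"), Asset("Webshop", "application", "high")
    db, web = Asset("DB cluster", "system"), Asset("Web server", "system")
    room = Asset("Server room 1", "room")
    for up, down in [(payroll, erp), (sales, shop), (erp, db), (shop, db), (shop, web), (db, room), (web, room)]:
        link(up, down)
    return {a.name: effective(a) for a in (erp, shop, db, web, room)}

if __name__ == "__main__":
    for name, (level, origin) in demo().items():
        print(f"{name:14} {level:10} inherited from {origin}")
```

The server room ends up at "very high" solely because of the payroll process two hops upstream; showing that origin next to the level is what makes the inherited value auditable.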
On a third tab, the technical and organizational measures (TOM) are described - here the user benefits by using the extensive templates that are already included in the Intervalid system.
The risk analyses can be started for all assets or only for sub-areas selected, for example, by department affiliation. For each asset, risks are captured by combining relevant threats and vulnerabilities that can be selected from provided catalogs. For each risk, damage class and probability of occurrence are entered; their levels and criteria (e.g. financial damage) can be freely configured for each company. The risk treatment with the residual risk is recorded, and finally the implementation of the risk treatment is defined, for which costs can be stored in addition to target date and responsibility.
To simplify work with many similar assets, threats can also be applied for an entire asset type or for a category of assets. The central GUI element of the risk analysis is a hierarchically structured list in which the data of all risks for each asset is displayed clearly and differentiated by color.
Threats and vulnerabilities
All the information collected this way goes into the "Risk Analysis" report, which summarizes the current situation in a risk matrix and lists all details, including the measures taken to address the risks.
Intervalid supports multiple standards; ISO 27001, VDA TISAX (automotive) and VdS 10000 (small and medium enterprises, similar to CFPA Guideline No 11:2018) come prepared. For each standard, one ISMS per company can be active at the same time. However, an existing ISMS can be closed to start a new one for the same standard, for example if there have been fundamental changes. After initialization of a new ISMS instance, the corresponding requirements of the standard are available in a clearly grouped form, and a comprehensive explanatory text can be displayed for each requirement.
Starting with the ISMS
First, it is recorded whether a requirement is applicable or why it is not applicable - and the level of achievement can be assessed using sliders. The measures used to fulfill the requirement are also described here, and documents such as guidelines can be added or linked. In addition, new tasks can also be defined in this context.
All information flows into the Statement of Applicability (SoA), which can be opened in the report area and printed as PDF.
Statement of Applicability (SoA)
With the Intervalid ISMS, internal audits can be carried out in a structured manner. Freely customizable checklists are used for this purpose, which can also be forwarded to other employees. A dashboard clearly displays the current status of the results.
Log security incidents
As a perfect supplement to the ISMS, the system offers the possibility to record security incidents and data privacy violations. In addition to entering the basic data, the facts can be systematically documented, again using questionnaires that can be flexibly adapted to your own needs.
Documenting a security incident
Surveys can also be designed on the basis of the questionnaires, e.g. to obtain confirmation that a certain policy has been taken note of. The participants do not have to be created as users in Intervalid but can participate via a personalized link even without login.
There are 10 predefined reports that can be parameterized via selection lists, including the Statement of Applicability (SoA) according to ISO 27001. The reports are output either as PDF or as CSV, so that the data can be further processed in a spreadsheet such as Excel. Also noteworthy is the presence of a batch function, which is used for processing that may take longer, to avoid blocking the interactive work. The finished report is then delivered by mail.
According to Intervalid, the system has an API that can be used by other applications. This is particularly helpful in large IT landscapes when information on the compliance status can be automatically imported from other systems.
I used the test environment alone and had only a moderate amount of data in the system. Therefore, my performance measurements are not necessarily representative, but should give a first impression. And this impression was very good: most screens opened within 1.5 seconds, and only some somewhat more complex masks took longer. This makes for pleasant work throughout.
The test was a lot of fun, getting started with the application was quick, and the highlights caused lasting excitement for me. There would be a lot more to tell, but what particularly convinces is the wealth of preconfigured texts and contents, which allow a quick setup of the ISMS documentation. The well-designed GUI always shows a clear path through the sometimes complex structures of the standards. The Information Security Officer is supported by the flexible questionnaire system with its possibilities for decentralized data gathering. Very practical is the option, offered in many places, to create new tasks immediately.
No tool is perfect, so I also have two items on my wish list: The inheritance of protection requirements of linked assets could be presented more transparently. It would also be useful if documents uploaded to the system could be linked centrally from multiple standards, but Intervalid says this is in the planning stages.
From me, a clear recommendation to put Intervalid ISMS on the longlist, especially if you want to start well guided and with clear structures, and to quickly gain momentum in building your ISMS with lots of preconfigured contents.
You can find more information about the product on the website of Intervalid GmbH (in German): intervalid.com
The report represents the opinion of the author. You should not use it as the sole basis for your procurement decision. Instead, we recommend that you systematically compare the tools from several vendors and determine which of the offerings best fits the specific conditions and requirements in your organization. You will find further support for this at KonBriefing.com: ISMS tools, Software requirements for an ISMS according to ISO 27001
Transparency note: Intervalid GmbH provided the test account free of charge. There were neither specifications nor restrictions with regard to the contents of the test and the text. Prior to publication, the text was made available to Intervalid for review to eliminate possible gross misunderstandings - which, however, was not the case. Intervalid did not pay any compensation for the test or the text.
In addition to the test results, the report also contains statements that are based only on information provided by the vendor; these are marked accordingly (e.g., "according to information provided by ...").
Author: Bert Kondruss