
Get started with your ISMS

Intro to ISMS operations

ComplyCloud supports your efforts in building and maintaining an effective and structured Information Security Management System (ISMS). Get started by following these four steps:

  • Mapping: Register your suppliers, IT systems, and other assets

  • Risk Management: Perform risk assessments and prioritise your efforts

  • Controls: Select relevant frameworks and implement controls

  • Documentation: Generate ISMS documents via interactive questionnaires

Each step is described in more detail below:

1. Mapping

The first step in working with your ISMS is to gain an overview of your organisation’s assets. This is done in the “Mapping” tab.

How to do it:

  • Go to IT Systems > Actions > Add IT System
  • Search ComplyCloud’s system database or add custom systems manually
  • When you add a system, the supplier is automatically registered (e.g. if you add Dinero under IT systems, Visma Dinero ApS is added under your supplier list)
  • Add other assets like databases, employee devices, and physical equipment under other assets

We recommend registering as many systems and assets as possible from the beginning – but you can always return and expand your mapping later.

Tip: Ask the different departments which systems they use. Add these to the platform and assign a responsible person to each IT system – this gives you a clear, consolidated view of your IT landscape.

2. Risk Management

Once your systems and assets are mapped, you can begin your risk assessments. This is done under Asset Risk Assessment.

How to do it:

  1. Go to Asset Risk Assessment > Actions > Add assets

  2. Select the assets you want to assess. You can choose any or all assets added during the mapping step.

Tip: It’s often helpful to add all assets first, and then prioritise based on the initial risk score you set by adding consequence and likelihood to each asset.

In-depth risk assessments:

Once you have a full overview of your assets:

  1. Click an asset

  2. Add relevant threats

  3. Click “Assess” and complete the three assessment steps for each threat

When all threats for an asset are assessed, the asset’s overall risk score will automatically reflect the highest remaining risk – also known as the residual risk.
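The two rules above (prioritise assets by the initial consequence/likelihood score, and let an asset's overall risk equal the highest residual threat risk once every threat is assessed) can be expressed as a small risk register. The following Python is an added example for this guide, not ComplyCloud code; the 1–5 scales and the "score = likelihood × consequence" formula are assumptions, since the page does not describe the platform's own scoring, and the register contents are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed scoring convention (not taken from the page): each factor is 1..5
# and the risk score is their product.
SCALE_MIN, SCALE_MAX = 1, 5


def score(likelihood: int, consequence: int) -> int:
    """Risk score from a likelihood and a consequence rating."""
    for value in (likelihood, consequence):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"rating {value} outside {SCALE_MIN}..{SCALE_MAX}")
    return likelihood * consequence


@dataclass
class Threat:
    name: str
    likelihood: int                              # inherent, before controls
    consequence: int
    residual_likelihood: Optional[int] = None    # filled in by the assessment
    residual_consequence: Optional[int] = None

    def assessed(self) -> bool:
        return self.residual_likelihood is not None and self.residual_consequence is not None

    def residual_score(self) -> int:
        if not self.assessed():
            raise ValueError(f"threat {self.name!r} has not been assessed")
        return score(self.residual_likelihood, self.residual_consequence)


@dataclass
class Asset:
    name: str
    likelihood: int          # initial asset-level rating, used for prioritisation
    consequence: int
    threats: List[Threat] = field(default_factory=list)

    def initial_score(self) -> int:
        return score(self.likelihood, self.consequence)


def prioritise(assets: List[Asset]) -> List[Asset]:
    """Order assets for in-depth assessment, highest initial score first."""
    return sorted(assets, key=lambda a: a.initial_score(), reverse=True)


def unassessed_threats(asset: Asset) -> List[str]:
    """Names of threats still waiting for their assessment steps."""
    return [t.name for t in asset.threats if not t.assessed()]


def residual_risk(asset: Asset) -> int:
    """Overall asset risk: the highest remaining (residual) threat score once
    every threat is assessed. Until then the initial score stands."""
    if not asset.threats or unassessed_threats(asset):
        return asset.initial_score()
    return max(t.residual_score() for t in asset.threats)


# Constructed sample register (hypothetical ratings).
REGISTER = [
    Asset("Dinero (accounting)", likelihood=3, consequence=4, threats=[
        Threat("Credential phishing against finance staff", 4, 4,
               residual_likelihood=2, residual_consequence=4),
        Threat("Supplier outage", 3, 3,
               residual_likelihood=3, residual_consequence=2),
    ]),
    Asset("Employee laptops", likelihood=4, consequence=3, threats=[
        Threat("Lost or stolen device", 4, 3,
               residual_likelihood=4, residual_consequence=1),
    ]),
    Asset("Office printer", likelihood=2, consequence=1),
]

if __name__ == "__main__":
    for asset in prioritise(REGISTER):
        pending = unassessed_threats(asset)
        status = f"pending: {pending}" if pending else "assessed"
        print(f"{asset.name:24} initial={asset.initial_score():2} "
              f"residual={residual_risk(asset):2}  {status}")
```

Running the block prints the register in prioritisation order; assets whose threats are still unassessed keep their initial score, which is the behaviour the guide describes for the asset overview before the in-depth step is complete.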

Tip: You can read more about risk assessments here

3. Controls

To operationalise your ISMS, you can activate one or more control frameworks under Maintain & Control > Controls.

How to activate a framework:

Go to Controls > Open framework > Activate

When a framework is active, tasks are automatically created. You can see and filter tasks by framework by going to:

Maintain & Control > Tasks > Filter > Framework

You can also get an overview of your overall progress by clicking directly on the framework itself.

Guide: Which framework should I choose?

If you’re unsure which framework best fits your organization’s needs, below is a short guide to help you choose the right one.

Note: Several frameworks include overlapping controls and tasks. When you activate a framework, any tasks that are also relevant in other frameworks will automatically be marked as completed there — helping you avoid duplicate work.

Tip: Not all controls are relevant for every organisation. Controls you exclude are automatically documented in your Statement of Applicability (SoA).

Read how to create your SoA here

Read more about controls and frameworks here

4. Documentation

In the Document Generator, you can easily create your ISMS documentation through interactive questionnaires.

How to do it:

  1. Go to Document > Document Generator

  2. Search for or select the desired document

  3. Click Next > Fill out the questionnaire

You can choose from 18 different security documents, but you don’t necessarily need to implement all of them.

Recommended documents to start with

Information Security Policy
Your overarching policy – communicates the organization’s principles and standards for information security to employees, partners, and external parties.

Risk Management Policy and Procedure
The heart of every ISMS – this document serves as a guideline to ensure a structured and consistent approach to risk management.

Incident Management Procedure
Essential for responding quickly and appropriately to security incidents – such as data breaches.

Here you have an overview of all available ISMS policies and procedures with direct links.