
In Cyberday, you can see a compliance report for every framework you want to comply with. A compliance report serves as a comprehensive overview of your organization's answers to each requirement / control in the related framework.

In ISO 27001, the compliance report is called the 'Statement of Applicability' (SoA).

Compliance report overview

Where to find this view: Dashboard -> Compliance report (box in the upper right corner)

Compliance reports can be accessed either directly from the Dashboard's Requirement frameworks section or through the Reporting page.

The overall compliance score measures your progress towards compliance; it combines the figures in the compliance report into one number. Below the overall score, you'll see the framework's readiness by requirements: each requirement is first categorised by colour according to its readiness, and the categories are then weighted into the score as follows.

Compliance score (max value 100) = (Dark green sections + 0.8 × Green sections + 0.5 × Light green sections + 0.2 × Yellow sections) / Number of requirements in the framework × 100. Grey and dark grey sections contribute nothing to the sum.

Compliance reports are designed to offer a clear and concise snapshot of an organization's compliance with the specified framework. Within the report, each requirement of the framework is presented as a colour-coded cell reflecting its current compliance status. The following colours are shown:

  • Dark green: All recommended tasks are set to status 'Fully done'
  • Green: When 'Low priority' tasks are not considered, all recommended tasks are set done
  • Light green: At least one task set done
  • Yellow: No tasks done, but at least one task set to active status
  • Grey: No tasks active (= nothing done)
  • Dark grey: Requirement set as 'not applicable' (directly from the report)
N.b.! A task set to 'Not relevant' is not considered in the colour categorisation above.
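As an added example (not Cyberday's own code, and not a description of how Cyberday implements it), the following Python reproduces the colour rules and the score formula above on constructed sample data, so you can check how a given mix of task statuses would be categorised and scored. Where the help text is silent it assumes that 'done' and 'Fully done' are the same terminal status, that 'partly done' counts as active but not as done, and that a 'not applicable' requirement stays in the denominator because the formula divides by the requirement count; the requirement numbers and task names are made up.

```python
# Added example (not Cyberday's own code): reproduces the colour categorisation
# and compliance-score arithmetic described above, on constructed sample data.
#
# Assumptions, because the help text does not spell them out:
#   - 'done' and 'Fully done' are the same terminal status;
#   - 'partly done' counts as active but not as done;
#   - a requirement marked 'not applicable' (dark grey) stays in the
#     denominator, since the formula divides by the requirement count.
from dataclasses import dataclass, field

NOT_ACTIVE, ACTIVE, PARTLY_DONE, DONE = "not active", "active", "partly done", "done"

# Weight of each colour in the compliance score (grey and dark grey add nothing).
WEIGHTS = {
    "dark green": 1.0,
    "green": 0.8,
    "light green": 0.5,
    "yellow": 0.2,
    "grey": 0.0,
    "dark grey": 0.0,
}


@dataclass
class Task:
    name: str
    status: str
    priority: str = "Normal"   # Critical / High / Normal / Low
    relevant: bool = True      # False == task set to 'Not relevant'


@dataclass
class Requirement:
    ident: str
    tasks: list = field(default_factory=list)
    applicable: bool = True    # False == 'not applicable' chosen in the report


def colour(req: Requirement) -> str:
    """Return the cell colour for one requirement, applying the rules in order."""
    if not req.applicable:
        return "dark grey"
    # 'Not relevant' tasks are left out of the categorisation entirely.
    tasks = [t for t in req.tasks if t.relevant]
    done = [t for t in tasks if t.status == DONE]
    if tasks and len(done) == len(tasks):
        return "dark green"                         # every recommended task done
    non_low = [t for t in tasks if t.priority != "Low"]
    if non_low and all(t.status == DONE for t in non_low):
        return "green"                              # only Low-priority tasks remain
    if done:
        return "light green"                        # at least one task done
    if any(t.status in (ACTIVE, PARTLY_DONE) for t in tasks):
        return "yellow"                             # nothing done, something active
    return "grey"                                   # nothing active at all


def readiness(reqs: list) -> dict:
    """Count requirements per colour (the 'readiness by requirements' breakdown)."""
    counts = {c: 0 for c in WEIGHTS}
    for r in reqs:
        counts[colour(r)] += 1
    return counts


def compliance_score(reqs: list) -> float:
    """Weighted colour sum divided by requirement count, scaled to 0..100."""
    if not reqs:
        return 0.0
    weighted = sum(WEIGHTS[colour(r)] for r in reqs)
    return round(weighted / len(reqs) * 100, 1)


# Constructed sample: six ISO 27001-style requirement numbers with made-up tasks.
SAMPLE = [
    Requirement("5.15", [Task("Access control policy", DONE, "High"),
                         Task("Review access rights", DONE),
                         Task("Legacy system inventory", NOT_ACTIVE, relevant=False)]),
    Requirement("5.16", [Task("Identity lifecycle process", DONE, "Critical"),
                         Task("Joiner/leaver checklist", DONE),
                         Task("Identity naming convention", ACTIVE, "Low")]),
    Requirement("5.17", [Task("Password policy", DONE),
                         Task("MFA rollout", PARTLY_DONE, "High")]),
    Requirement("5.18", [Task("Privileged access review", ACTIVE, "High"),
                         Task("Access request form", NOT_ACTIVE)]),
    Requirement("5.19", [Task("Supplier security policy", NOT_ACTIVE)]),
    Requirement("5.20", [Task("Supplier contract clauses", NOT_ACTIVE)], applicable=False),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.ident}: {colour(r)}")
    print(readiness(SAMPLE))
    print("Compliance score:", compliance_score(SAMPLE))
```

Running the script prints one colour per requirement (dark green, green, light green, yellow, grey, dark grey) and a score of 41.7, which you can recompute by hand as (1 + 0.8 + 0.5 + 0.2) / 6 × 100. Note that the 'Not relevant' task under 5.15 does not stop it from being dark green, and that the single open Low-priority task under 5.16 is what separates green from dark green; changing any one task's status shows how much that task alone moves the overall score.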

A separate compliance report is automatically available for every framework supported in Cyberday.

The visual presentation gives you the overview; by clicking a cell you can then dive into the details.

Compliance report details for a requirement

The compliance report details for each requirement refer to the task table shown under a requirement in the report's main section. You get there by clicking any requirement number in the overview, e.g. "5.15" in the ISO 27001 compliance report. You will jump directly to the following kind of view (red numbers explained below):

  1. The section you clicked on may contain additional smaller sub-sections. You can switch between them by clicking one under the main section's headline.
  2. Find a summary of the section's treatment status and edit the requirement. The values for the requirement are filled automatically by default, but you can change the applicability and execution status manually here, e.g. to state that this specific requirement is not applicable to your organization and why: choose "not applicable" from the drop-down next to "Applicability" and write a free-text justification. The section is then greyed out in the overview table at the start of the compliance report.
  3. Here you find a table of the tasks suggested for the requirement in order to reach the compliance level. The table shows the task name, the task type (an indicator of the kind of actions required to fulfil the task), the assurance information, the priority level (preset, unless changed manually) and the status, i.e. whether the task is active, partly done, done and so on. Clicking the "+" on the left of a task shows more information about it, if any is available; this requires the task to already have some input. Clicking the "->" on the right of a task takes you straight to the task card, so you can start treating the task.
  4. If you wish, you can add a free-text description to the (main) section of this part of the compliance report.

Key benefits of compliance reports

A compliance report serves several purposes. The following list covers the most important ones.

Understand your current compliance

Using the compliance reports, you get a common language for where your information security currently stands. Are we 25%, 50% or 75% compliant, and is that enough, or should we be doing better?

Evaluate your implementation of different requirements / controls

Compliance reports list our suggested tasks, which you can use to implement the selected requirements or controls. These are suggestions with priorities Critical / High / Normal / Low, so start from the top and apply your own risk-driven judgement on how far you need to go on each topic.

You can also supplement the suggested tasks with your own manually added tasks. To summarise, use the compliance report to get ideas for hardening your implementation of certain requirements / controls even further, e.g. if your analysis reveals significant risks or near-miss incidents related to them.

Have compliance evidence

The compliance report follows the framework's structure, so that e.g. an auditor or anyone familiar with a certain framework can look inside your ISMS. In a certification audit, for example, the auditor will need evidence from you of implementing each requirement in the framework. The compliance report helps you have those answers at hand.

What to use compliance reports for?

  • Internal evaluation: Organizations use these reports internally to assess their cyber security posture, identify the parts that have not yet been handled and prioritize actions for improvement.
  • Internal and external auditing: Auditors, compliance assessors or regulatory bodies may review these reports to ensure an organization complies with industry standards, legal requirements or contractual obligations. You can also use our auditing feature to do your audits directly in Cyberday.
  • Risk management: The report helps in understanding and managing cyber security risks by aligning controls with identified threats and vulnerabilities, in addition to documenting and treating your risks directly in your ISMS. You can even activate e.g. incident reporting for your employees, so that incidents are reported and documented in your ISMS in real time and you can start the incident and risk management processes directly in Cyberday.
  • Security communication: The report helps to communicate an organization's commitment to cyber security to stakeholders, clients and partners, thereby creating trust and transparency.
  • Continuous improvement: The report serves as a roadmap for ongoing cyber security improvement efforts, guiding the organization in maintaining or enhancing its security posture. Cyberday will suggest additional tasks to further strengthen your assurance.

In essence, a cyber security compliance report, such as the ISO 27001 Statement of Applicability, is a crucial tool for organizations to demonstrate their dedication to protecting sensitive information, ensure compliance with regulations and continuously improve their cyber security measures.

Questions and feedback

Do you have any further questions, need another help article or would like to give some feedback? Please contact our team via team@cyberday.ai or the chat box in the lower right corner.
