At the Taipuva Polarion Days 2024, our team discussed our experience using Polarion for risk analysis and requirement traceability. We shared insights from our journey over the past year, discussing why we chose to pursue this approach, the methods we used, and the outcomes we achieved.
– We aimed to implement ISO 27001 and recognized Polarion’s potential to aid in risk analysis and establish a traceable management system. Over the past year, we’ve focused on this goal.
Pasi Ahola, CEO
Cybersecurity integrated into work processes
During the event, Ola Larses, Lead ALM Consultant at Taipuva, underscored the crucial role of cybersecurity requirements across both processes and products, especially with the recent enactment of the Cyber Resilience Act (CRA). Despite the legislation being vague, he pointed to its significance in legally binding companies to take action. The team also discussed the impact of the NIS2 legislation, underlining the importance of adhering to ISO 27001 standards to meet its requirements.
– At Taipuva, we take a unique approach to cybersecurity. While others focus on assessing current cybersecurity status and vulnerabilities, we prioritize the creation of cybersecurity through our work processes, Pasi explained.
This guiding principle has steered Taipuva’s strategy for ISO 27001 compliance, focusing on seamlessly integrating cybersecurity into the workflows and ensuring compliance with regulations. By identifying external threats and understanding legislation and customer needs, Taipuva has established requirements, focusing on traceability throughout the verification, implementation and improvement stages.
RISKSHEET and fault-tree analysis
Expanding the focus in the certification process, Taipuva’s also incorporated governance and process activities, utilizing advanced risk analysis tools like risk artifacts and Nextedy’s RISKSHEET. This strategic shift has enabled the team to manage requirements, verification, validation and risks more effectively within the platform.
Carl-Philip Forss, ALM Consultant at Taipuva Sweden, showcased a fault-tree analysis as a vital tool for risk assessment, integrated into our work item management in Polarion. In this segment, attendees learned how this method breaks down events into manageable factors, offering a clear understanding of potential outcomes.
– With this simple tool, we can enhance Polarion’s functionality and utilize built-in features like change control and impact analysis, Pasi added.
Managing product and process requirements
Ola Larses then discussed the intricacies of managing product and process requirements separately. He outlined methods for collecting and linking hazards, pointing out that risks and opportunities can be addressed in both product and process requirements. Process requirements, he explained, could entail one-off mitigating activities or recurring process activities documented in the management system.
Ola also underscored the importance of organizing a digital management system, particularly focusing on ISO 27001 implementation using Polarion. Here, he detailed the components of a management system and how to translate these concepts into Polarion, focusing on the integration of process work items and operational roles as the core architecture of Taipuva’s management system.
A successful certification
Lastly, Ola outlined the establishment of rules aligned with regulations and objectives within Polarion, along with the utilization of user objects and work items to track training and compliance measures. He concluded by underscoring the importance of maintaining a complete integrated management system that meets regulatory requirements and ensures coverage of all necessary controls.
– The certification audit proceeded quickly. We provided the auditor with linked evidence for all controls, leading to a successful certification. Now, with our management system up and running, complete with change control, training follow-ups and comprehensive reporting we have all we need to continue working in a good way.
Ola Larses
During the subsequent Q&A session, an attendee inquired about the business benefits of implementing the standard. In response, Ola said:
– It’s definitely worth pushing through the initial hurdles because afterward, everything becomes much easier. Now, we’ve established a uniform workflow across the company, leading to better asset management. Also, having a structured approach like this has brought us a sense of relief.
Revolutionizing Cybersecurity – our approach to systematic digital information security
In a rapidly evolving digital landscape, cybersecurity has never been more critical. With new regulations impacting every industry and a growing demand for ISO 27001 certification from larger clients – organizations are seeking innovative solutions. This article explores key insights from our recent webinar, introducing our groundbreaking management system tailored for NIS2 security requirements.