CRISAM® provides content libraries containing topic-specific objects, each with a set of checking questions, for the identification and assessment of risks. Each set of questions aims at evaluating and quantifying the associated object according to the CRISAM® scoring model. The objects are related to each other through cause-and-effect relationships. In CRISAM® Explorer, multiple content libraries can also be used simultaneously in order to operate risk management for different business areas.
Content libraries are closely related to the compliance references: for evaluating compliance, CRISAM® provides a mapping that lists the compliance references (relevant norms, standards and best practices) for each content library. Because of constant changes in technology on the one hand, and new norms and regulations or new versions of publications on the other, content libraries are subject to periodic updating. For this purpose, CRISAM® offers its content libraries on a subscription basis.
The available CRISAM® content libraries are described as follows.
- Information security management system (ISMS) – All objects, together with their checking questions, that are required for information risk management are provided in the CRISAM® ISMS content library. Normative foundations of this content library include ISO 2700x, ISO 20000, ITIL, BSI-GSHB, etc.
- Legal compliance (LEGAL) – All objects, together with their checking questions, that are required for legal compliance management with a special focus on Austrian law are provided in the CRISAM® LEGAL content library.
- Data privacy (PRIVACY) – All objects, together with their checking questions, that are required for data privacy management with a special focus on Austrian law are provided in the CRISAM® PRIVACY content library. The legal basis of this content library includes, among others, DSG 2000 and the EU Data Protection Directive in its current version.
- Health care (MEDICAL) – The content library HEALTH CARE addresses all specific IT requirements for information systems in the field of health care and medical technology. Normative foundations of this content library include the European Directive 2007/47/EG, ISO 27002, ISO 27799 and ISO 80001-1.
- Medical QM (MED_QM) – The content library MED-QM addresses all specific IT requirements related to quality management in the medical and health care industry. ISO 15224 is the normative foundation of this content library.
- Digital payment (PCI) – The content library DIGITAL PAYMENT addresses all specific requirements related to IT systems in the payment card industry (PCI). Normative foundations of this content library include, among others, ISO 27002 and PCI-DSS.
- Supervisory control and data acquisition (SCADA) – The content library SCADA addresses all specific requirements for IT systems in the field of SCADA and distributed control systems (DCS). Normative foundations of this content library include, among others, ISO 27019 and BDEW.
- Quality Management (QM) – The content library QM addresses all specific requirements related to quality management. The normative basis of this content library is ISO 9001.
- Customer specific content (CUSTOM) – Various industries and corporate groups have specific regulatory systems that need to be considered when conducting a risk analysis. For instance, when dealing with IT operations in nuclear power plants or in the field of electronic toll collection systems, specific rules and regulations need to be taken into account. In addition, specific systems and facilities need to be considered for these industries. This customer specific content is combined with existing CRISAM® content libraries and developed with the CRISAM® catalog designer.