ESIS is an opensource software that brings a global framework to manage IT Security & Risks processes. It delivers pragmatical and simple answers to key questions that have plagued the organization of Risk management. Even though ESIS first target is IT Security, the fact that it relies on standard processes enable to use it to manage any kind of risks.
ESIS is built upon a vision that risks related processes needs to interact such as to form an end-to-end process from threats management to crisis management. The establishment of true processes is essential to allow all the stakeholders (ie. CSO, CIO, Outsourcer, Compliance & Risk Officers, Auditors, etc.) to work together. The management of risks and of IT security is hampered by the lack of processes and clear interaction in between all the stakeholders. In deed, IT may manage Threats on one end with its set of tools. Auditors & Internal control manage their audits with their Excel or whatever works. Compliance and global risk use their own toolbox and so on. By the end the biggest risk is that risk management isn't coordinated and thus cannot lead to crisis prevention and management which is the goal.
By design ESIS can handle simultaneously the processes of multiple "companies" or subsidiaries, each having its own separate dataspace. Thus ESIS can provide global answers to questions related to either a "group" posture (vertical consolidation), "customers" for an outsourcers (horizontal consolidation) down to the specific people of department of a precise site. See ESIS-Wiki:Companies.
The next version, which has turns to be a major overhaul, is in progress, see ESIS-Wiki:ESIS-1.1 for details and news. See also the new SourceForge projet : ESIS FRAMEWORK which will be soon used to build ESIS.
Just like a business ERP ESIS is composed of different modules that can be used independently but also linked to provide an integrated management of risks. At this time 5 modules are available :
ESIS use probes to consolidate data into the processes and compute Key Performance Indicators (KPI) and Key Risk Indicators (KRI).
ESIS can generate incidents when anomalies are detected.
ESIS embeds business referential which enable to define standards & norms, locations, groups and departments, business zones, etc. Basically defining the thee main axes : Organizations, Geographies, Standards used in GRC reporting.
ESIS brings all the core processes to support an ISO 27001 ISMS and furthermore complies with ISO 27004, 27005, 19011, 31000, 38500.