Registering issues
What are issues?
Issues are internal and external factors that can impact an organization's Information Security Management System (ISMS). These need to be identified, monitored, and addressed to maintain compliance and security.
Internal issues can be, for instance:
- Lack of security awareness – Employees may not be trained on security policies
- Resource constraints – Limited time, budget, or expertise
- Inconsistent security policies – Lack of alignment between teams or outdated controls
External issues can be, for instance:
- Evolving cyber threats – Attackers continuously find new vulnerabilities
- Customer and stakeholder expectations – Larger clients often require more compliance
- Third party risks – Vendors or partners who do not meet security standards
Why do we create issues?
We create issues to capture and record any compliance deviations, vulnerabilities, or incidents that may arise during operations. It is important to evaluate the severity and impact of each issue so that countermeasures can be prioritized immediately. In Tidal Control you can do this by assigning a priority to the issue and assigning someone to solve it. Add a deadline so the person in charge knows when the issue needs to be solved.
There are 7 issue types you can use to categorize issues so that you and your team understand them more clearly:
- Generic issue type: This type of issue can be assigned to general issues that you come across, such as administrative issues. An example could be: "Employee background screening procedure needs to be implemented".
- Audit finding issue type: This type of issue is assigned to issues that are found during internal and external audits. An example could be: "An external auditor identifies a missing document for a required policy X".
- Control gap issue type: This type of issue is assigned to issues where a required control is missing or is insufficient to meet compliance needs. These are identified during the gap analysis. An example could be: "You discover that your access control system doesn't fully restrict unnecessary admin privileges."
- Incident issue type: This type of issue is assigned to issues that arise when a specific event or breach occurs that affects security or compliance. An example could be: "A phishing attack compromises an employee account, requiring action".
- Action plan issue type: This type of issue is assigned to issues where you need to document and track a structured approach to resolve a compliance problem or other improvements. An example could be: "We need to roll out the training program for employees in Q2 to raise security awareness".
- Control deficiency issue type: This type of issue is assigned to issues when a control is implemented but not functioning correctly or is not effective. This one arises after an audit when a deficiency has been confirmed by an auditor. An example could be: "Your encryption process for sensitive files has errors that leave some data unencrypted."
- Opportunity for improvement issue type: A process or control is functional but can be enhanced to align better with compliance standards or improve efficiency. An example could be: "We need to improve our onboarding documentation process so the new employees can receive security awareness training sooner".
When do we create issues?
Issues are created when internal or external audits uncover non-conformities or areas that require improvement. During risk assessments and operations you may also find issues that need attention. In Tidal Control you can easily create and log an issue so that it will not be forgotten.
How to create issues?
- Go to the issues tab on the left-hand side of the Tidal Control portal.
- Click on add an issue in the top right and fill in the required information. In Tidal you can assign what type of issue it is, what the priority of the issue is, you can assign people to solve the issue, and provide a description of it with options to upload documents or images.
- When the issue is created, click on the newly created issue and edit it to add the due date.
- When the issue has been solved, you can close the issue with comments and attach evidence that it has been solved.
- The owner of the issue can review it, and approve it with a click when it is completely resolved.