Any affordable online solution to keep tracking for audits purpose?

Christian de Bellefeuille
We would like to keep track of many things, to produce reports based on date intervals, etc.  The kinds of things we would like to track are not necessarily "computer/network related":

  • Grant/Revoke access rights (computer, building access, etc)
  • Keep a list of downtime
  • Keep a tracking of non-conformity
etc...

Does anyone have a suggestion?  Preferably an online solution.  We have seen many ISO27001 solutions, but they are all expensive.

(PS: We are actually using JIRA for task-related actions, but it's not really good for reporting and it's more a solution to keep track of progress on project-related tasks)

Thank you
Commented:
Not sure about the cost but you could try simpletrak from ion quality systems.
Hi,

You can use Mantis, which is a bug tracking system (PHP/MySQL), and it can be easily modified to fit your needs.
You can host it https://www.mantisbt.org/download.php
or
use the hosted version https://www.mantisbt.org/hosting.php

Or you can hire a PHP developer that can create a custom application that will fit all your needs.
Commented:
I'd strongly suggest against creating a custom application or using a basic ticketing system. There is an enormous amount of little details that have to be captured and tracked to pass ISO audits. I know because I was the lead developer for one of them over the course of about a decade. The amount of coding required would be prohibitively expensive compared to buying ANY of the off-the-shelf products.

Not only is it a matter of capturing data and having a UI that all employees can use easily (you often want something with a mobile-first design so you can have floor employees recording information on low-cost mobile devices instead of walking back to a desk multiple times a day), but you also have to consider the reporting. If the data is captured but doesn't come out in a simple, easy-to-consume way, then you'll likely fail your audit or have it take a much-extended length of time.

There's a good reason that pretty much all of the products are somewhat expensive.

Hi,

I used to work in a pharmaceutical environment; of course there are a lot of regulations, validation and ISO standards to follow.
Most of the applications did not fit our needs, even the expensive ones.

So creating our own application allowed us to have all the details we need, the way we need them.
Of course you will need to evaluate how much it will cost to do it, but in my experience it costs less to develop it
if you already have a dev team in place.

It all depends on needs, budget, time, resources and security level.

You can also use an existing application that has an API, so that you can expand the actual application.

You may want to check this
https://advisera.com/27001academy/blog/2018/04/24/how-to-use-open-web-application-security-project-owasp-for-iso-27001/

Here are a few  ISO27001 solutions
https://advisera.com/conformio/
https://www.commandhound.com/
https://www.onspring.com/

Author

Commented:
Thanks for all your comments and sorry for the late reply.

I know Mantis.   I've tried Mantis, Redmine, JIRA.  We are actually using JIRA for ticketing purposes.  But I would definitely not go for this kind of solution to keep track of everything.

I've contacted ION Quality Systems, and I'll do the same for the others that lenamtl suggested, but like all the other products, we end up with a "request quote", and most of the time my reaction is "seriously??".  I know that ISO27001 involves a lot of cost, especially for audits, but I still think there must be a viable solution for small companies like us with fewer than 10 employees.  An open source project is utopia... I don't think I'll ever find this kind of solution, but I still have hope of finding something affordable.
Commented:
The lowest-cost solution for a small company is just something like an Access database that you build for yourself. The main catch there is that it's a lot more manual work. You have to build the tables, build the forms, and keep track of all the changes you make (e.g. you forget a field and add it later on, so previously-entered records have a blank value for that field - the auditor will need to know why). So you're basically paying in terms of employee time / hours vs. a straight dollar amount.
Hi,

You should make a list of what is required by the regulation/ISO standard, and a list of what you will need in case of an audit of the company.

You will need an application that can encrypt the data, as this is often required by the regulation, and that records timestamps.
Using PHP & MySQL is perfect for that, plus it can talk to other web applications you may already be using.

Using an existing open source application can save you some work if you fork it; Mantis can be a good start for that.
That depends on your knowledge.

Hiring a dev to develop your application is probably the best and lowest-cost solution, especially if you already have some dev employees...
The good thing about this is that it will be custom-built for your needs.
You can also check Fiverr to hire a freelancer.

From experience, even buying a complete application will require some custom work, and this can be very expensive in the end.

You can hire a specialist who can help you set everything up to be compliant if you start from scratch; this is useful if you need to be at level 1 of any ISO standard. Most ISO standards and regulations have levels...

So in any case, meeting regulations and being ISO compliant costs money to implement and time to use the application correctly.

Unfortunately there is no cheap way to do it.

Author

Commented:
I am a developer myself, and we also have a team of 6 developers.  Of course it wouldn't be a big issue to develop our own solution, but I think an auditor wouldn't be happy because information should not be tampered with.  By developing our own solution, I'm sure the auditor would question whether our solution could be tampered with.

We are already hiring a company to become compliant quickly, but their suggestion is to use a ticket system, and we all know it doesn't do the best job.   For example, when we change a policy, it needs to be approved by management.   So a member of management has to log in to JIRA, then leave a comment "Approved".   If we only added a checkbox, it wouldn't be enough because we need to know when it was approved.   But searching for comments is also not really a solution.

After a few exchanges with ION, it would cost between 3500-5000 USD for setup & training, and the monthly fee isn't really cheap either.   And I haven't even got a glimpse of what it really does...

I'll see what can be done with JIRA.  Maybe there's a reporting module that does the job properly.  I've no doubt that your customer is able to do their ISO conformity with JIRA, but there are 2 versions:  cloud based (our option) and self-hosted.  The self-hosted version gives way more control than the cloud based version.
Hi,
When data and apps are in the cloud or on an external server it can be harder to get them validated because you don't have control over the installation, physical access and so on.

What you can use is a document manager:
https://www.alfresco.com
https://www.alfresco.com/information-governance/regulatory-compliance

Alfresco is very complete and it has a way to approve documents.

Author

Commented:
Just to keep you posted, we have decided to keep using JIRA, but we have made some adaptations to make it more suitable for this kind of task.   Plus, with Python for example, we can easily script retrieving data from JIRA because their reports don't do the job.  Not sure what the auditor will say about this, but if others are using a similar method, I don't see why they should reject it.

Thanks for the thoughts that you have shared.
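Scripting the approval report out of JIRA, as the author describes doing with Python, can look roughly like the following. This is an added example, not code from the thread, from the author's team or from Atlassian. It runs on a constructed sample shaped like the JIRA REST API's issue JSON with the changelog expanded, and it assumes that an approval is recorded as a status transition to a status named "Approved" (the field layout, the status name and the issue keys are assumptions). It answers the "when was it approved, and by whom" question from the earlier post by reading the changelog rather than comments, filters to a date interval, and chains the exported records with SHA-256 so that an auditor can verify the report was not edited after it was produced.

```python
"""Approval report from JIRA-style changelog JSON for a date interval,
with a SHA-256 hash chain over the exported records (added example;
constructed sample data, assumed field names)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample mimicking GET /rest/api/2/issue/<key>?expand=changelog.
# POL-7 was approved before the interval, POL-12 inside it, POL-15 never.
SAMPLE_ISSUES = [
    {"key": "POL-12",
     "fields": {"summary": "Update password policy"},
     "changelog": {"histories": [
         {"created": "2018-04-30T15:00:00.000+0000",
          "author": {"displayName": "C. Author"},
          "items": [{"field": "status", "fromString": "Draft",
                     "toString": "In Review"}]},
         {"created": "2018-05-03T09:12:00.000+0000",
          "author": {"displayName": "J. Director"},
          "items": [{"field": "status", "fromString": "In Review",
                     "toString": "Approved"}]}]}},
    {"key": "POL-7",
     "fields": {"summary": "Visitor badge procedure"},
     "changelog": {"histories": [
         {"created": "2018-02-14T11:30:00.000+0000",
          "author": {"displayName": "J. Director"},
          "items": [{"field": "status", "fromString": "In Review",
                     "toString": "Approved"}]}]}},
    {"key": "POL-15",
     "fields": {"summary": "Backup retention policy"},
     "changelog": {"histories": [
         {"created": "2018-05-10T08:00:00.000+0000",
          "author": {"displayName": "C. Author"},
          "items": [{"field": "description", "fromString": "",
                     "toString": "draft text"}]}]}},
]

# Reporting interval used by the stand-alone run and the checks (constructed).
REPORT_START = datetime(2018, 5, 1, tzinfo=timezone.utc)
REPORT_END = datetime(2018, 6, 1, tzinfo=timezone.utc)
GENESIS = "0" * 64  # previous-hash value for the first record in a chain


def parse_jira_ts(value):
    """Parse JIRA's timestamp format, e.g. 2018-05-03T09:12:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def approval_events(issues, approved_status="Approved"):
    """Every status transition into `approved_status`: who did it and when."""
    events = []
    for issue in issues:
        for history in issue.get("changelog", {}).get("histories", []):
            for item in history.get("items", []):
                if item.get("field") == "status" and item.get("toString") == approved_status:
                    events.append({
                        "key": issue["key"],
                        "summary": issue["fields"]["summary"],
                        "approved_at": parse_jira_ts(history["created"]).isoformat(),
                        "approved_by": history["author"]["displayName"],
                    })
    events.sort(key=lambda e: e["approved_at"])
    return events


def events_in_interval(events, start, end):
    """Keep events with start <= approved_at < end (aware datetimes)."""
    return [e for e in events
            if start <= datetime.fromisoformat(e["approved_at"]) < end]


def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def chain_report(events):
    """Wrap each record with its predecessor's hash and its own SHA-256."""
    records, prev = [], GENESIS
    for event in events:
        digest = _digest(prev, event)
        records.append({"record": event, "prev_hash": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records):
    """True only if no record was altered, removed or reordered after export."""
    prev = GENESIS
    for entry in records:
        if entry["prev_hash"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def approval_report(issues, start, end):
    return chain_report(events_in_interval(approval_events(issues), start, end))


if __name__ == "__main__":
    for entry in approval_report(SAMPLE_ISSUES, REPORT_START, REPORT_END):
        r = entry["record"]
        print(r["key"], r["approved_at"], r["approved_by"], entry["hash"][:12])
```

Against a live instance the `SAMPLE_ISSUES` list would be replaced by the JSON returned from a JIRA search with the changelog expanded; the rest is unchanged. Keeping the exported hash of the last record alongside the report gives the auditor a single value to compare against a later re-export.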
