TreeMap and ISO 27001 (Treemap Software)

While reading the book ‘Security Metrics’ and looking at a sample ISO 17799 treemap generated with JTreeMap, I decided to explore the power of TreeMap and build a sample ISO 27001 map with some (random) risks and priorities.

1. Principles

Here I played with Risk and Priority (random values), but you can choose whatever metrics you want.

Metrics I like to play with:

  • Risk: the degree of risk attached to a control area
  • Priority: which areas are the top priorities
  • Compliance: alignment with policies or with the regulation
  • Cost to comply
  • Maturity of the organization

What to do with all of that?

  1. The categories and sub-categories are the names (labels) of the boxes.
  2. Metrics drive the size and the color of the boxes; you have to select which metric maps to size and which one maps to color.

“Choosing the right display settings will improve your communication; the wrong ones can confuse the audience.”

2. Treemap Software

I used the Treemap 4.1 software from

3. Examples

1) Empty map

Only the text (section names) and their areas, with no metric applied yet.

2) Just size

The higher the Priority, the bigger the area.

3) Just color

Low risk is green, high risk is red.

4) Detail level

You can display the general layout and choose the depth of detail (major sections, sub-sections).

Either all the details (sections and sub-sections), as in the previous screen, or only the sections.

5) Zoom

You can zoom in on a single section, such as “Communications and Operations Management”, which contains many topics.

6) Filters

Display only the controls where risk is high (4–5) and priority is low (1–3): these are the areas that are rated dangerous but are not getting attention, which is exactly what a filter should surface.

7) Colors are not always green and red

Areas of compliance: here blue marks the better (more compliant) areas.

4. More …

Source file used to generate the output:

Note: This example is only for information. You are not limited to ISO. I personally use this technique to show management how our security policy is under control and which domains are at risk.

