ISMS support tools (episode 1 of 4)
From time to time, members of the ISO27k Forum seek opinions about systems on which to run their ISO/IEC 27001 Information Security Management Systems, anticipating feedback or recommendations for certain products.

Unfortunately, it's not quite that simple!

For starters, the ISMS support systems come in several flavours. Our toolboxes are bulging ...

Supposedly comprehensive ISMS systems

These claim to support every conceivable aspect of information risk and security management, incident management, business continuity, compliance, governance, assurance and more. Whether that reflects a comprehensive architecture and design from the ground up, or a more limited core system onto which various adornments have been tacked over the years (sometimes including functional units from totally different systems and suppliers), is not necessarily obvious until users explore the limits of the system and perhaps fall between the cracks.

More focused ISMS systems

These support some of the above areas with various coverage gaps (e.g. nothing for incident management or business continuity).

Toolkits

At the most basic level of functionality, toolkits are sets of templates - fill-in-the-blanks forms and customisable content for information security policies, security awareness materials etc. These are not IT systems but support ISMSs with guidance on the mandatory and discretionary aspects for the management system. Soundly designed and well-written toolkits can usefully supplement the weak, inept or misleading content often provided with other ISMS support systems, plugging various gaps and bringing ISMSs up to date (e.g. security policy templates for BYOD, IoT and AI/ML).

Expandable ISMS systems

A limited core product/service can be supplemented by various add-on options, depending on what is available plus what customers need and can afford ...

Customisable ISMS systems

To some extent, all ISMS systems need to be customised to suit each user organisation's particular ISMS. The big question is whether that can be done quite easily by the organisation itself as part of the implementation and use of a flexible, extensible system, or whether changes need to be made under the covers (at some expense) by the supplier.

Governance-Risk-Compliance systems a.k.a. Compliance Automation Tools

In my experience so far, GRC systems are primarily Compliance management systems: the R relates to risks arising from non-Compliance, while G concerns the governance arrangements needed to achieve and demonstrate Compliance. Compliance may be solely concerned with certain legal or regulatory obligations (such as privacy laws, or the ISO/IEC 27001 Annex A controls [which are not obligatory!]), while disregarding various others (such as intellectual property, trade secrets, HR and national security laws and regs, plus assorted obligations accepted in contracts and agreements such as PCI-DSS and non-disclosure, and myriad other controls). If your corporate strategy is essentially to have barely sufficient information security to satisfy your compliance obligations, then GRC systems may help. Good luck with that.

Risk management systems

In the sense that information risks are a subset of all risks, managing them is in theory much the same as for others: essentially it comes down to managing the combination of uncertain situations and their outcomes. In practice, specific terms and concepts apply in different fields (e.g. hazards in health and safety, exchange rates and derivatives in finance, systemic risk in insurance ...). Risk management systems supporting markedly different risks in the same way face some "challenges".

Document Management Systems

DMSs essentially provide administrative support for the ISMS team, keeping various ISMS-related documents and records in good order. They typically offer structure, naming conventions, version and release control, review cycles, indexing and so forth, with limited support for the particular documents and records generated by an ISMS ... but some have been adapted for that purpose.

Management Systems Standards standard systems (!)

Some ISMS systems are simply variants of the same suppliers' systems supporting other ISO-style management systems standards (e.g. for quality or environmental protection). Since, by design, most ISO MSSs follow a fundamentally similar approach, these systems typically share a similar core architecture with modules/functions addressing (to some extent) the specifics of each standard. Such an approach may be valuable for organisations adopting multiple MSSs in a consistent or integrated manner: competent tool users in any one area should be able to assist colleagues in other areas.

SaaS systems

Some ISMS-support systems are cloud-based, either commercial SaaS services hosted and supplied to various customers through the Internet, or private cloud systems hosted by individual customers on-premise or elsewhere. Given the sensitivity of information being managed through a typical ISMS, confidentiality of customer information is of course an important security requirement, given the risk of information access by the tool supplier(s) plus their other customers, the authorities and hackers. If that risk is unacceptable, it is not appropriate to cede control of the software and data to a cloud tool supplier.

Consultancy support tools

ISMS consultants (like us!) develop, use and refine the tools of our trade much as a master joiner or cabinet maker does. The tools that make our work a little easier and more consistent are sometimes sold as separate products. They were originally intended for use by competent, experienced professionals, and may be simplified and generalised when released separately; plus there is always the option to beg or buy some consultancy time for training and support, or indeed to recommend tools that are appropriate to your particular organisation, your situation and your business needs. More on that score to follow in a later episode.

-----------------

The sheer variety of systems, tools and services on the market can be bewildering, especially for organisations that are new to the game and don't exactly know what they want or need - cue episode 2 ...