Thursday 16 March 2023

ISMS support tools (episode 2 of 4)

Previously I blogged about the bewildering variety of tools, systems and services supporting ISO/IEC 27001 Information Security Management Systems. The tools, in turn, are being used in various ways for various purposes by a bewildering range of organisations.

The ISMS specified by ISO/IEC 27001 is "intended to be applicable to all organizations, regardless of type, size or nature", a deliberately broad scope that takes in:

  • Conventional commercial companies, government agencies and departments, charities and not-for-profits, conglomerates, keiretsu and groups, schools, colleges and universities ...;
  • Organisations of all sizes, micro-to-macro;
  • Local, regional, national and multinational organisations; 
  • All 'industries' or 'sectors' or whatever term you prefer, from primary to tertiary, including diverse businesses serving numerous markets as well as deep-dive myopic specialists like us;
  • Organisations at all stages of development and maturity, from cradle to grave (well, OK, perhaps not the entire range!);
  • Organisations owned by shareholders, banks, investors, taxpayers, individuals or other organisations;
  • Organisations serving consumers, other businesses, society or other customers/clients; 
  • Organisations that are stable, consistent, rigid, even staid, through the majority to those that are constantly changing, innovating and morphing like an amoeba, flitting from focal point to focal point quicker than bees in a flower bed. 

Given such variation, it is no surprise to discover that organisations using '27001 differ markedly in their business situations, needs/objectives and resources. They use and depend upon information to differing extents, facing both commonplace and unique information risks, using a wide variety of information security controls.

Taking all that into account, the ISO 'management system' approach is remarkable for its applicability. ISO/IEC 27001 boils down the management of information [risk and] security to its essentials for any organisation.

The problem is that ISMS support tools that are valuable for any one may be useless, even detrimental for others. Nimble small businesses, for instance, are unlikely to appreciate the big highly-structured heavy-duty costly systems that suit (some) big highly-structured heavy-duty rich organisations, whereas the relatively small, lightweight, flexible systems that work best for them may be inappropriate or worthless for others.

-----------------

The variety of information security controls to be managed, and more broadly the information risks to be managed, implies some creativity in the support tools: cue episode 3 ...
