ISMS support tools (episode 3 of 4)

So far, I've waffled on about the variety of ISMS support tool types on the market, and about gross differences between ISMS user organisations in terms of industry, size etc.

Next, think about the kinds of things they might expect their ISMS support tools to do. Digging beneath the superficial "support our ISO/IEC 27001 ISMS", organizations may well expect/require the tools to help them with security controls such as:

• Access rights and permissions;
• Alerts or alarms;
• Anti-spam;
• Antivirus;
• Assorted security processes;
• Backups;
• Business continuity;
• .... and so on.

The 'help' they need to manage any of those controls may involve assistance with:

• Selecting and designing them;
• Defining the control objectives and rules;
• Documenting them;
• Installing and configuring them consistently;
• Monitoring and measuring them;
• Reviewing/testing them for assurance reasons;
• Integrating them or making them work in conjunction with other controls and systems;
• ... and so on.

It should be obvious by now that I'm talking about a multitude of organisations using many tools to manage a multiplicity of controls in myriad ways, all within the context of an ISMS adapted from a generic standard. No wonder this is so bewildering!

I'm not quite finished yet though. 'Organisations' don't use ISMS support tools: people do, so most organisations would value configurable ‘views’ e.g. a senior management dashboard showing key metrics, with drill-down to additional information for middle/junior managers; administrative functions and detailed reports for specialists.

That's just one of several possible operational requirements for the ISMS support tools. More of those to come in the final episode ...