This final episode in the series about specifying and selecting ISMS support tools/systems concerns the general usability requirements typical of almost any computer system, such as:
- Intuitive, easy to use;
- Interoperable;
- Facilitates customisation where appropriate;
- Readily maintained;
- Well supported, documented etc.;
- And, of course, good value i.e. cost-effective - we mustn't forget that!
There may be specific technical requirements as well, concerning the operating platform/architecture for instance. Is a cloud system appropriate? Public or private cloud? Based on AWS, Azure or something else? Hosted SaaS? ...
Last, and definitely not least, there are bound to be information security requirements, given the importance of managing information about the information risks and security controls. I'm not going to spell those out here on the basis that you presumably have a pretty good idea already.
Bearing all that in mind, the request to the ISO27k Forum that originally sparked these bloggings was naively based on the presumption that someone might simply recommend an ISMS tool that would suit the requester's organisation without further details or elaboration. Like I said, it's not that easy.
The preferred way to tackle this is through a conventional, systematic product selection process along these lines:
- Clarify the organisation's business objectives: what problems will the ISMS tool solve? How will it enable the achievement of strategic business objectives and hence add value? How will the ISMS relate to and support other management systems, approaches etc.?
- Determine and define the functional, technical and other requirements or criteria for the ISMS;
- Rank/prioritise and weight the requirements/criteria (important!);
- Research the market to identify a long-list of products (hint: there are at least two dozen candidates, many of which have options);
- Apply the most important criteria to refine the list to a more manageable short-list (just a handful);
- Evaluate, compare and then score each of the shortlisted products against the requirements/criteria;
- Apply the weightings to generate the product scores;
- Obtain/negotiate/procure the selected solution/s (this step may involve re-visiting the requirements/criteria, digging deeper into the products, and squeezing the suppliers for more information or changes - a chance to evaluate the suppliers' responsiveness and capabilities);
- Implement, confugure, use, manage ... and benefit from the chosen product/s.
- Measure, learn, mature, improve.
Although the evaluation process is laborious and takes time, there are worthwhile benefits to being reasonably thorough and diligent about it - for instance, it is much easier to build a convincing business case to invest in something if you know what you need and can demonstrate that the selected solution meets the needs. More importantly still, the selected solution is more likely to satisfy those needs. Furthermore, the requirements and selection criteria naturally suggest metrics to monitor and ultimately achieve the expected value in practice.
OK, that concludes the blog series. Given all that I've said, I hope you appreciate why I have not identified or commented on any specific ISMS tools. Aside from anything else, the market is changing and innovation is happening even as I write this. Hmmm, I wonder how AI/ML technologies can be applied in this area, both as part of cutting-edge ISMS tools and supporting the product selection process. Am I redundant? Hopefully not yet!
PS If you find yourself lumbered with an ISMS toolset that simply isn't working out as well as you'd like, I can help you there too, drawing out the lessons from your current situation (good and bad!) to specify and propose replacement or supplemental tool/s if appropriate. Maybe changing the way the existing toolset is being used would suffice, for now at least. Drop me an email to start the ball rolling.
No comments:
Post a Comment
The floor is yours ...