Specifying and selecting an ISO 27001 ISMS support tool

Implementing and using an ISO/IEC 27001 Information Security Management System can be tricky, especially given limited resources or in complex or dynamic business and technology environments. While largely-manual approaches may suffice for small, simple, stable organisations, dedicated ISMS support tools (computer applications and cloud services) are well worth considering. 

With dozens of ISMS tools on the market, the obvious question is which to choose. Here are some commonplace requirements or factors to consider:

  • Support information risk identification, evaluation, treatment and monitoring, of course.

  • Support compliance/conformity with applicable standards, regulations, laws and contractual obligations.

  • Interoperable with existing systems/processes for asset management, risk management, business continuity management, incident management, vulnerability scanning, anti-malware etc.

  • Support the identification, investigation and resolution of security incidents.

  • Support ISMS monitoring, reporting and assurance activities.

  • User-friendly – intuitive, with little training and familiarisation required.

  • System architecture reflects an expert understanding of ISO27k, ISMS frameworks etc.

  • Customisable and flexible enough to adapt to the organisation's specific needs and workflows.

  • Scalable – able to grow with the ISMS, handling increasing workloads and data volumes.

  • Competent, valuable, effective supplier support for implementation, maintenance, training etc. with a proven track record and strong customer feedback.

  • Secure – protecting the ISMS and the valuable information within it against various information risks.

  • Net Present Value, i.e. the financial benefits achieved by the business less total costs across the projected tool lifecycle, adjusted for inflation.

This is just a short generic summary to set you thinking. By carefully considering your organisation’s particular requirements and following a structured evaluation process, you can select the most appropriate ISMS tool to achieve your organisation’s information risk/security management and business objectives.



For more on this, contact me for our expanded (8-page) "ISMS support tool specification", just one of a stack of top-quality materials in the SecAware "ISMS Orbit" toolkit for information risk, security and related specialists.