Bert Kondruss, KonBriefing Research, Germany
The range of ISMS tools on the market initially seems confusing.
  • There are overlapping subject areas (e.g. information security vs. IT risk, cyber risk).
  • Numerous standards, some of which overlap (e.g. ISO 27001, SOC 2).
  • The disciplines are implemented differently from tool to tool.
  • The breadth and depth of functionality varies between tools.
To help you sort this out, ISMS applications will be placed in the overall context of GRC software.

ISMS software in the GRC context

KonBriefing Research structures business software into three levels:
  • Domains: Management approaches that are generally supported by software.
  • Disciplines: The management systems for implementing the domains, with the corresponding use cases.
  • Functions & content: The features used to implement the disciplines; also content such as standards.
For GRC software (Governance, Risk Management & Compliance), this is shown in the following image. Information security and ISMS are highlighted in particular. The diagram is not exhaustive because there is no clear definition. Depending on the chosen definition, more or fewer domains and disciplines could be included.
The ISMS products offered on the market differ, among other things, in how they are tailored in this respect: What other disciplines are supported in addition to ISMS? And which domains are also addressed as a result?

ISMS tools vs. large GRC platforms

Against this background, two main groups of ISMS software can be distinguished.
Specialized ISMS tools
These products are specifically designed to map an information security management system in accordance with ISO 27001 or other standards. Some of them grew out of consulting work, once it became clear that mapping the ISMS in Excel spreadsheets was not getting the job done and that dedicated software was needed. Because they focus on precisely this process, the products are often particularly user-friendly and functionally very mature. Related disciplines are frequently added later, such as data protection management and business continuity management, which can reuse the data already stored, such as business processes.
GRC platforms
At the other end are platforms that cover a broad GRC spectrum (Governance, Risk Management & Compliance) and, among other things, also allow an ISMS to be mapped. Because an ISMS is only one discipline of many here, its implementation in the software may be more generic, with features that also serve the other disciplines and that guide the user less. These platforms are usually provided by global vendors, so local requirements may receive less attention. In addition to functional breadth, another strength is often their integration capability and quasi-real-time testing of controls, e.g. the continuous verification of secure configuration at cloud providers.
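The continuous control testing mentioned above can be illustrated with a small worked example. The following Python block is an added example for this article, not code from KonBriefing Research or from any GRC product. It assumes a constructed cloud resource inventory (the kind of data a platform would pull from a provider's configuration API on each run), a few illustrative control tests, and an illustrative mapping of those tests to ISO/IEC 27001:2022 Annex A control numbers; the resource field names and the two snapshots are constructed sample data. It goes slightly beyond the sentence in the text by also comparing two runs, which is what makes the verification "quasi-real-time" rather than a one-off audit.

```python
"""Continuous control verification over a constructed cloud inventory.

Added example for this article; not code from KonBriefing Research or from
any GRC product. Resource fields, control tests and the mapping to
ISO/IEC 27001:2022 Annex A control numbers are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

# Constructed snapshot T0: what a GRC platform might pull from a cloud
# provider's configuration API on one run.
INVENTORY_T0 = [
    {"id": "bucket-finance", "type": "storage", "public": False, "encrypted": True},
    {"id": "bucket-marketing", "type": "storage", "public": True, "encrypted": True},
    {"id": "db-crm", "type": "database", "public_endpoint": False, "encrypted": True},
    {"id": "vm-jump", "type": "vm", "open_ports": [22, 3389]},
]

# Constructed snapshot T1: the marketing bucket was fixed, a new public,
# unencrypted bucket appeared, the jump host is unchanged.
INVENTORY_T1 = [
    {"id": "bucket-finance", "type": "storage", "public": False, "encrypted": True},
    {"id": "bucket-marketing", "type": "storage", "public": False, "encrypted": True},
    {"id": "bucket-exports", "type": "storage", "public": True, "encrypted": False},
    {"id": "db-crm", "type": "database", "public_endpoint": False, "encrypted": True},
    {"id": "vm-jump", "type": "vm", "open_ports": [22, 3389]},
]


@dataclass(frozen=True)
class Control:
    control_id: str                 # illustrative ISO/IEC 27001:2022 Annex A number
    title: str
    applies_to: tuple[str, ...]     # resource types the test runs against
    test: Callable[[dict], bool]    # True when the resource satisfies the control


@dataclass(frozen=True)
class Finding:
    control_id: str
    resource_id: str
    passed: bool
    checked_at: str                 # ISO 8601 timestamp, kept as audit evidence


CONTROLS = [
    Control("8.24", "Use of cryptography", ("storage", "database"),
            lambda r: bool(r.get("encrypted", False))),
    Control("8.20", "Networks security", ("storage", "database"),
            lambda r: not (r.get("public", False) or r.get("public_endpoint", False))),
    Control("8.9", "Configuration management", ("vm",),
            lambda r: not ({22, 3389} & set(r.get("open_ports", [])))),
]


def evaluate(inventory: list[dict], controls: list[Control]) -> list[Finding]:
    """Run every control test against each in-scope resource and record the outcome."""
    now = datetime.now(timezone.utc).isoformat()
    findings = []
    for control in controls:
        for resource in inventory:
            if resource["type"] in control.applies_to:
                findings.append(Finding(control.control_id, resource["id"],
                                        control.test(resource), now))
    return findings


def control_status(findings: list[Finding]) -> dict[str, str]:
    """A control counts as 'effective' only if every resource in scope passed."""
    status: dict[str, str] = {}
    for f in findings:
        if not f.passed:
            status[f.control_id] = "ineffective"
        else:
            status.setdefault(f.control_id, "effective")
    return status


def failing_resources(findings: list[Finding]) -> dict[str, list[str]]:
    """Per control, the resources that failed, sorted for stable reporting."""
    failed: dict[str, list[str]] = {}
    for f in findings:
        if not f.passed:
            failed.setdefault(f.control_id, []).append(f.resource_id)
    return {cid: sorted(ids) for cid, ids in failed.items()}


def drift(previous: list[Finding], current: list[Finding]) -> dict[str, set[tuple[str, str]]]:
    """Change between two runs: newly failing and newly resolved (control, resource) pairs."""
    prev_failed = {(f.control_id, f.resource_id) for f in previous if not f.passed}
    cur_failed = {(f.control_id, f.resource_id) for f in current if not f.passed}
    return {"new": cur_failed - prev_failed, "resolved": prev_failed - cur_failed}


if __name__ == "__main__":
    t0 = evaluate(INVENTORY_T0, CONTROLS)
    t1 = evaluate(INVENTORY_T1, CONTROLS)
    print(control_status(t1))
    print(failing_resources(t1))
    print(drift(t0, t1))
```

The point of keeping each finding as a timestamped record rather than a single pass/fail per control is that it doubles as audit evidence: an auditor can see which resource was checked, when, and against which control, and the drift between runs shows that a control which was effective yesterday can become ineffective as soon as a new resource appears.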