Software requirements for an ISMS according to ISO 27001
Excel-Template for business and technical requirements
Selecting a software for an information security management system (ISMS) is a complex undertaking. An important building block is a list of criteria that are important for one's own organization. Such a criteria catalog makes it easier to compare the various products with each other. The basis for such a requirements catalog can be found here as an open Excel file, which you can use free of charge for your internal purposes.
The catalog covers both the business and the technical aspects as well as the software selection itself. However, you should not adopt it unchanged, but first adapt it to your needs. This means including additional requirements that are important to you. But also removing unnecessary requirements.
Since downloading an Excel file from the Internet always requires some courage, you will first see a preview of the contents here on images or as a PDF file. You can remove the logo in Excel of course 😊
10: Describe your licensing model. According to which metrics is the product licensed?
For example, number of named users, number of concurrent users, number of managed objects, etc.
11: If it is an open source product: Which license is used or which conditions apply?
12: How many customers use the product?
13: How are the customers distributed internationally?
14: Present three reference projects that are comparable to this project in terms of technical environment and size.
15: With regard to which relevant industry standards is the product certified?
16: What is the roadmap of the product?
B Functional requirements
B.1 Mapping the organization
B.1.1 Organizational structure
17: Does the system provide the basic ability to map the organization?
18: How many hierarchy levels are possible when mapping the organizations?
19: Can the various elements of the organization such as companies, departments, locations, etc. be mapped and classified?
B.1.2 Business processes
20: Does the system offer the possibility to store business processes?
21: Can the need for protection be defined for each business process?
22: Can the IT infrastructure be mapped in the system?
23: Can the company's information assets be mapped in the system?
24: Does the system offer the possibility to store IT applications?
25: Does the system offer the possibility to define services?
B.1.4 Asset links
26: Can business processes, IT applications or IT services, IT systems, locations, rooms, etc. be linked?
27: Are the protection needs passed on when linking? In what way?
e.g. maximum principle
28: Can individual protection requirements be manually overwritten despite inheritance?
29: Does the system offer the possibility to store business partners (suppliers, service providers, etc.)?
B.2 Information security management according to ISO 27001
30: Does the system basically support the establishment of an ISMS according to ISO 27001?
31: Is the system capable of running multiple versions of the standard in parallel?
B.2.1 Risk management
32: Does the system allow for a freely definable scale for likelihood of occurrence and impact?
33: Can the levels of the scales be explained textually?
34: Does the system determine a risk number from the likelihood of occurrence and impact?
35: Can the formula for calculating the risk number be selected from a predefined set or is it freely definable?
36: Is there a graphical representation of a risk matrix?
37: Can it be defined for the risk matrix which combinations of likelihood of occurrence and impact / which risk number should be displayed in which color?
38: Does the system provide tools to efficiently process a larger number of similar infrastructure elements?
For example, through joint selection or grouping
B.2.2 Risk assessment
39: Are there predefined catalogs for possible threats?
40: Are there predefined catalogs for possible vulnerabilities?
41: Can threats and vulnerabilities be combined into predefined damage scenarios?
42: Does the system support risk identification through the ability to apply threats and vulnerabilities combined to assets?
43: Can the affected protection goals be documented during risk identification?
44: Can probability of occurrence and potential impact be determined for each identified risk?
B.2.3 Risk treatment
45: Can a risk be assigned the risk treatment measures already in place?
46: Can a risk be assigned the different types of risk treatment (acceptance, action, avoidance, transfer to third parties)?
47: Can new measures be assigned to the risk?
48: Is implementation of new measures tracked with accountability and deadline?
49: Can each action assigned to a risk be tracked individually with accountability and deadline?
50: Can further planning parameters such as necessary resources and costs be documented for measures?
51: Can the risk be assessed in the state after risk management? (Residual risk)
52: Can the system generate a Statement of Applicability (SoA)?
53: Can own measures also be defined and included in the SoA?
54: Can it be documented for each measure whether it has been implemented?
55: Can justification be provided as to why a measure from Appendix A was not implemented?
56: Is there an overview of the measures from Annex A that have neither been implemented nor justified?
57: Can the system generate a risk treatment plan (RTP)?
58: Describe other reporting capabilities of the system.
B.3 Document management (for guidelines and the like)
59: Can documents be created directly in the application?
60: Is a rich text editor available to allow formatting of text?
61: Can images be included in the text?
62: Can externally created documents be attached and saved?
63: Can documents stored in other systems be linked?
64: Can the documents be provided with a validity date?
65: Can documents be set to resubmission?
66: Is there a versioning of the documents?
67: Can the documents be linked to assets, the ISMS requirements, etc.?
B.4 Task management
68: Is there a task control to make the completion of tasks traceable? Describe the functions.
69: How are employees informed about upcoming tasks?
70: Are there escalation options when deadlines are not met?
71: Are there overviews that show the status of tasks?
C Quality requirements
72: Are there copy functions for data to efficiently capture larger inventories?
73: Are there wizards that guide the user through complex processing steps?
74: Is the application fully operable via the keyboard?
75: Are there shortcuts for frequently used operations?
76: Can the application be opened multiple times in the browser?
77: Is there a dashboard that aggregates key information and KPIs?
78: Can users customize their dashboard?
79: Describe the ways to customize columns in lists.
- Width of the columns can be adjusted. - The selected column width is saved and will be applied again at the next use - Columns can be shown and hidden. - A column can be frozen in its horizontal position.
80: Describe the sorting options in lists.
- Sort by any columns - Sort ascending and descending - Sort by multiple levels
81: Describe the search and filtering capabilities in lists.
- There is a search box that allows searching across all content - Complex searches with operators and parentheses can be formed.
82: Can queries be saved and recalled later?
Can searches be made available to other users?
83: Can entries be formatted depending on data? (e.g. negative values red) Describe the possibilities.
84: Can values be edited directly in the list?
85: Is there an overall search or full text search?
This part is only relevant if the system is intended for use by disabled people or if rules of the organisation require that accessibility must be provided.
A blanket requirement to comply with the relevant guidelines like WCAG would usually be inappropriate, as these primarily relate to web presences on the Internet. For (web) applications, only some of the requirements are relevant and meaningful.
86: Does the system support barrier-free use by blind, visually impaired and motor-impaired people?
87: To what extent does the system comply with the standards like the Web Content Accessibility Guidelines WCAG 2.1?
88: Explain what tools (screen readers, magnifier software, etc.) are supported.
89: What GUI languages are available?
C.5 Authorization system
90: Is the system multi-client capable? Describe the possibilities.
91: Describe the authorization system.
C.6 Data management
92: Describe the mechanisms for securely handling concurrent changes to the data (optimistic or pessimistic locking).
93: Are changes to data historicized so that they can be tracked at a later date?
94: Can the content be archived and stored there in an unchangeable form?
95: Please confirm: The system is able to handle the data volumes specified in the concept
96: Please confirm: The system has the following response times with the data volumes and parallel user numbers mentioned in the concept:
- Lists and edit masks open within 2 seconds in 90% of the cases.
- Reports open within 10 seconds in 90% of the cases
Adjust the numbers according to your needs, but remain realistic. This includes that there are always masks that need a little longer. But these should not be the masks that are permanently used - so limit it sensibly.
C.8 IT Security
97: Describe the measures and processes you use to identify and clean up security vulnerabilities in the application.
C.9 Data privacy
98: Describe how the system supports the implementation of the GDPR.
How are requests from data subjects implemented? Is there a concept for deleting data when the deletion periods expire?
C.10 Requirements for technical operation
This section is only relevant for an on-premise installation
99: What ongoing activities are necessary for system operation? What expenses can be expected?
100: Describe ways to monitor system operation.
Log files, critical condition alerts, etc.
101: Describe the concept of data backup for the system.
C.11 SaaS operation requirements
This section is only relevant for SaaS operation (cloud use)
It is still incomplete.
102: Is the data center certified or audited with regard to information security? (e.g. ISO 27001, ISAE 3402)
103: Describe the different support levels you offer. In each case, state the service times as well as the response and resolution times.
104: Is there a helpdesk for the system in ... (Language)?
Add the desired languages.
105: Is there a ticket system to submit problems and questions?
106: Is there a knowledge base on common questions and problems?
107: Is there an online forum to exchange ideas with other users and find solutions?
C.13 Updates and update assurance
108: Describe your product lifecycle: in what cycle do you release new versions (major/minor releases) and bug fixes?
109: Describe the types of customizations that can be made to the system (e.g., configuration, customizing) and how release-safe each of these changes is. In particular, list the changes that cause additional manual effort during an update.
110: What effort does a customer have to expect when installing an update (major/minor release, bug fix)?
111: How are customers informed about new updates?
112: If the system is later decommissioned, can the data be exported to a common machine-readable format for transfer to a successor system?
113: What documentation is provided with the system?
114: In which languages is the product documentation available?
English, French, Spanish, German ...
115: Is there context sensitive help?
116: Describe what training is available on the system.
C.16 Test data
117: Is there a test system or a test client to get to know the system?
118: Is there test data to learn typical usage with examples?
D Technical requirements
D.1 System architecture
119: Describe the basic system architecture of your application. Address components such as client, server, database, interfaces, and so on
120: Are there solutions for high availability?
D.2 On-Premise Installation
In the case of an installation in the company's own data center (on-premises), there are usually specifications from IT or the IT service provider as to which infrastructure components can be used. This includes operating systems, databases and application servers. Example: The data center provides MS SQL Server as database, but no Oracle. The vendor's software must support these components, otherwise it cannot be installed and operated on-premises. Therefore, adjust the following requirements according to the specifications and use them to ask the vendor whether it supports the respective component.
Omit this section if you are looking exclusively for a cloud solution.
D.2.1 Application server
121: If the application requires a server: Describe the system requirements for the server with supported operating systems, required runtime environments, and so on.
122: If the application requires a proprietary base system such as MS Sharepoint: Describe the prerequisites.
If the application is based on a proprietary system and one of these systems is already in use at your company, then it can significantly reduce the technical effort. However, if this system is not used by you, then noticeable additional costs and additional efforts may arise.
123: Provide a sizing recommendation for the data volumes and user counts (CPUs, main memory, disk space, etc.) specified in the concept.
Refer to the quantity structure of users and data you are calculating with in the application.
124: How can the server be scaled as needed?
Vertically: increase the performance of the server. Or horizontally: deploy more servers
125: Are there container images?
For a deployment with Docker / Kubernetes, for example.
126: Is a database required?
Some applications bring their own database, other applications require the presence of a database.
127: Which databases (including versions) are supported by the application? Is a license-free database also supported?
Add the database(s) that are supported in your organization, e.g. Oracle 19c, MS SQL Server 2019, MariaDB 10.
128: Provide a sizing recommendation for the data volumes and user counts identified in the concept.
129: What are the requirements for network speed or bandwidth?
This question is particularly relevant for locations with poor network connectivity.
Ideally, the application is completely operable via the browser for end users, so that no installation is required on the workstation computer. Alternatively, the software can also be installed locally, especially for a manageable number of users.
130: Does software need to be installed on the workstation for end users to use the system?
131: Do I need to install software on the workstation to administer the system?
D.4.1 Locally installed client
132: Which operating systems are supported for a client installation?
133: Is a runtime environment required on the workstation to run the client?
134: What requirements in terms of CPU performance, main memory and disk space must the workstation computer meet?
135: Which browsers are supported? (with versions)
The question is aimed at whether the browsers allowed or required in your organization are supported.
136: Does the system require outdated runtime environments in the browser, such as client-side Java, Flash, or Silverlight?
There should no longer be any new applications introduced that require the mentioned runtime environments.
D.5 Mobile use
137: Is the user interface responsive?
138: What types of mobile devices are supported (smartphone, tablet)?
139: Is the application usable on the browser of mobile devices?
140: Is there a native app for the application? Describe the range of functions compared to the desktop or browser version.
141: Which mobile operating systems are supported?
Should be narrowed down to mobile operating systems used in your organization.
142: Can the app be administered with mobile device management?
If necessary, ask specifically for the MDM systems available in your organization.
D.6 User administration
Often there are two types of users:
- Users managed locally in the application: These are used, for example, when there are only a few users and local maintenance is easier than creating and maintaining an LDAP interface. Or when external users are to be integrated that one does not want to maintain in one's own LDAP.
- Users managed in a directory service: As a rule, users are maintained centrally in systems such as Active Directory. The information is then synchronized with the application via an interface and is available there. This simplifies the administration of users, but requires a corresponding LDAP interface.
Depending on the complexity of the organization and the requirements, mixed operation may also make sense or it must be possible to read in user information from several directory systems.
143: Is there a local user management in the system?
144: Is there an LDAP interface to synchronize users from a directory? Is a connection to ... supported?
Add the directory services that are relevant to your organization, e.g. Active Directory
145: Is single sign-on (SSO) supported? Describe the possibilities.
146: Explain your methodology for interfacing with third party systems.
147: To which third-party systems are there standard connectors?