There are numerous standard products available for implementing an information security management system according to ISO 27001 (see the link to our market overview below). Although they serve the same purpose in terms of functionality, i.e. mapping an ISMS, the offers can differ substantially in other respects, e.g. in configurability, in the type of provision, or in how cooperation with the provider works. These points must be weighed in the selection just like the price, so that you end up choosing the tool that best fulfills your specific basic conditions and requirements. This page is designed to assist you in this selection process.


This guide provides step-by-step instructions for tool selection. It describes a basic procedure comprising project initiation, project planning, general concept, tender, selection and decision, which you can adapt to your situation.

Our guide covers the following points:

  • Project initiation
  • Definition of requirements
  • Tool selection and contract agreement

Selection of an ISMS tool

1. Project initiation

This includes points like:

  • Clarify current status and problems
  • Describe solution approach
  • Develop benefits for the organization
  • Clarify basic willingness and ability to carry out such a project
  • Clarify goals and scope
  • Perform initial market screening
  • Define target state
  • Put together a rough concept
  • Create project plan
  • Review
  • Prepare a decision and submit it for approval


2. Definition of requirements

To find the ISMS software that best suits your needs, you should first work out the general conditions of your organization and the general requirements for such a tool. This leads to important considerations, the essence of which will flow into the criteria and test catalogs you use in the selection process.

Tools for an information security management system map the standards, often ISO 27001, and with multi-standard tools possibly others as well. Because of this orientation towards the standards, the basic functionality of the products is very similar: business processes can be registered and evaluated with regard to the protection goals, assets can be assigned to the business processes, risks are identified and assessed in risk management via vulnerabilities and threats, measures for risk treatment are defined, responsibilities are assigned and their implementation is monitored. In addition, a Statement of Applicability (SoA) and an overview of the risks can be generated. There are also configuration options, e.g. for the risk assessment method, as well as an administration area in which users or interfaces to other systems are defined.

Despite this high degree of similarity in basic functionality, ISMS tools can differ significantly in other aspects. Is the software installed and operated in the company's own data center, or is it used in the cloud (Software as a Service, SaaS)? Is it a desktop application, or is it accessed via a browser? To what extent is the application customizable? What is the usability like - can I find my way around the application easily? These example points do not concern the immediate functionality, but they largely determine how well a piece of software fits the specific situation in your company or agency. Therefore, you should pay special attention to them when defining your requirements.


3. Tool selection and contract agreement

This includes tasks like:

  • Create Longlist
  • Planning of process
  • Obtain information from product suppliers
  • Supplier presentations
  • Create Shortlist
  • Proof of concept
  • Trial version
  • Narrow down suppliers
  • Offer presentations
  • Negotiations
  • Decision & approval for procurement and tool introduction
  • Contract conclusion

