Guide: Everything you need to know when selecting ISMS software.
With detailed Excel criteria catalog, market overview and tool reviews.

Content

1 How does an ISMS according to ISO/IEC 27001 work?
2 What are the functions of ISMS software?
3 What are the differences between the tools on the market?
2 Does it also work with Excel?
5 How do I find the right software for me? The tender
6 Excel requirements catalog
7 Market overview
8 Tool reviews
9 Other resources

1 How does an ISMS software for ISO 27001 work?

1.1 What is an ISMS?

An ISMS (Information Security Management System) is a management system that systematically ensures and improves information security in an organization by means of a large number of coordinated measures. The starting point is the protection requirements of the business processes that are relevant for the scope under consideration. For example, an HR process such as payroll accounting has higher data confidentiality requirements than the ordering process for office supplies.
The business processes are linked to the assets they use, which is, for example, the IT application through which a process is handled. This means that the HR application, for example, and therefore also the HR server and server room, must meet higher confidentiality requirements.
It is now assessed which threats are relevant for an asset. For the HR application, this could be the possibility of guessing passwords, and for the server room, the threat of fire. This allows the identification of the the relevant risks to which the assets are exposed.
Each risk is assessed in terms of probability of occurrence and impact, resulting in the important areas for action. The risk treatment then determines how the risk is to be addressed. For example, it can be accepted or reduced through appropriate measures.
The appropriate measures are derived from controls that are part of the relevant standards. One control, for example, can be the existence of a password management system that enforces sufficiently complex and thus difficult-to-guess passwords.
This results in extensive measures to ensure information security. These can be instructions/directives, processes, and tools that must be introduced and whose effectiveness must be regularly reviewed.

1.2 Mapping an ISMS in a software

From the previous description, it is clear that complex structures consisting of business processes, assets, threats, vulnerabilities, risks, measures and tasks arise and have to be processed in an information security management system. Even in small organizations, these structures can only be mapped and kept consistent with difficulty in Excel spreadsheets. Therefore, it makes sense to use specialized programs that guide through the structures and ensure consistency.
Many tools work according to this scheme ... Explanations below the graphic.
How does ISMS software work?
How does ISMS software work?
Explanations
Definition of the scope:
The scope to which the ISMS should apply is defined. Because in many cases, an ISMS is initially introduced for only part of the company or organization. The scope can also include the modeling of organizational units and people - this has been omitted here.
Gather business processes:
The business processes relevant to the scope are registered.
There are links to data privacy management here, because the processes in which personal data are processed must also be recorded there.
Business Impact Analysis (BIA):
The business impact analysis evaluates the effects of a breach of the protection goals for the individual business processes - as a rule, confidentiality, integrity and availability (CIA) are considered here.
This identifies the critical business processes; comparable assessments are also performed in Business Continuity Management.
Capture assets:
The assets of the scope are recorded and categorized. These are, for example, applications, information, IT systems, rooms, buildings or locations. This results in the asset inventory. The ISMS tools usually offer extensive options for categorizing and documenting the assets.
The IT systems are often already managed in a configuration management database (CMDB) in an IT service management system, so that they can possibly be extracted here. Theoretically, interfaces are also possible here, but there are very practical challenges here because different systems with different data structures would have to be synchronized.
Link assets:
In order to be able to identify the protection needs of all assets later on, the assets are linked to each other via use-relationships.
Example: The CRM application (application) manages the customer base (information value). It uses a server (IT system) located in the data center (building) for this purpose.
Link business processes and assets:
It is modeled which assets are used by which business process. Example: The sales process uses the CRM application and thus also the customer base, the server and the data center.
Inherit protection needs to assets:
Through the links, the protection needs of the business processes are passed on to the assets they use. Example: The payroll accounting process has particularly high confidentiality requirements. Therefore, this also applies to the assets on which the process is run: the HR application, the HR server and the data center where the HR server is located.
Link to IT Service Continuity Management from ITIL: The critical business processes thus result in the critical assets that must meet a particularly high need for protection and special requirements for restart and recovery.
Risk Assessment:
Risk assessment and risk treatment are usually based on the ISO/IEC 27005 Information Security Risk Management and ISO 31000 Risk Management standards. Hazards resulting from threats and vulnerabilities are applied to the assets. The tools provide suitable catalogs for this purpose; the source is often Annexes C and D of the ISO/IEC 27005 standard. Threats include fire or the ability to guess passwords that are too simple.
The resulting risks are assessed in terms of probability of occurrence and impact, taking into account existing measures where necessary.
Risk treatment:
The risk strategy is selected for each risk, typically: reduce, transfer, accept or avoid. If the risk is to be reduced, then the controls from Annex A of ISO 27001 come into play, but if necessary, controls from other standards such as PCI-DSS also come into play. The controls can relate to an asset or have an overarching effect, such as the creation of an information security policy. The application of a control is represented in the tools by measures or comparable objects. This is also one of the places for the continuous improvement process (CIP): New measures can also arise from it.
The data can be used to generate a risk treatment plan and the SoA (Statement of Applicability).
Plan tasks, track implementation:
For the implementation of the measures, tasks are now defined, responsibilities assigned, efforts, costs and deadlines planned.
The measures result, for example, in guidelines, processes or a tool deployment.

2 What are the functions of ISMS software?

A typical ISMS software has many of the following functions and features:
Scope
  • Define scope
  • Management of interface requirements
Business processes
  • Assessment of the impact in case of violation of the protection goals
  • Inheritance of the protection requirements along the asset links
  • Calculation of protection needs for an asset in case of multiple incoming streams and possibility of manual overwriting
Assets
  • Setup of an asset register
  • Categorization and documentation of assets
  • Linking of assets to map usage relationships
Protection needs of the assets
  • Linking business processes to assets
  • Inheritance of protection requirements to the assets
  • Offsetting of protection needs for an asset in case of multiple incoming streams and possibility of manual overwriting
Risk assessment
  • User interfaces for assigning threats to assets and for evaluating them in terms of impact and probability of occurrence
  • Ability to analyze at different points in time
  • Included content: Hazard catalogs with threats and vulnerabilities
Risk treatment
  • Determination of the risk strategy
  • Definition of measures
  • Assessment of the residual risk
  • Possibility of analysis at different points in time
  • Included content: Controls, e.g. Annex A of ISO 27001
Task management
  • Defining tasks
  • Assignment of responsibilities
  • Planning of costs and efforts
  • Tracking of progress or implementation
Document control
  • Storing and/or linking documents for policies, etc.
  • Approval process
  • Resubmission process
Audit and review support
  • Planning of audits and reviews
  • Determination of the subject areas
  • Documentation of results
Reporting
  • Statement of Applicability (SoA)
  • Risk Treatment Plan
  • Measures with implementation status
  • IT inventory
  • KPI
Other functionalities
  • Dashboards
  • Functions for decentralized data acquisition
  • Master data management
Optional modules
  • Data Privacy Management
  • Business Continuity Management
  • IT Risk Management
  • IT Service Continuity Management / IT Emergency Planning
  • Enterprise Risk Management
Technical functionalities
  • Multi-client capability
  • Authorization system
  • Data export / import
  • Interfaces
  • E-mail notification
  • LDAP/Active Directory connection
  • Single Sign On (SSO)

3 How do the tools differ from each other?

Due to the orientation on standards such as ISO 27001, the basic functionality of ISMS software products is similar. Nevertheless, the tools can differ significantly from each other, as the providers have different approaches and set their own priorities.
Some aspects are listed below:
  • Installation in your own data center (on-premises) or use as a cloud service (Software as a Service - SaaS).
  • Native client or web interface?
  • Is a special platform required? (e.g. Confluence, MS Sharepoint)
  • Included content (threat catalogs, standards and controls)
  • Level of configurability
  • Level of customizability (consider release compatibility)
  • Specific functions (e.g. calculation of the resulting protection requirement, gross or net risk assessment)
  • Group suitability (e.g. decentralized asset recording and BIA, authorization system)
  • Automation options
  • Interfaces
  • Available add-on modules
One should not proceed blindly according to the motto "a lot helps a lot", because more functions can possibly make use and operation more complicated. Instead, you should determine what is actually needed in your own organization, and of course also take a look into the future and derive your concrete requirements for a tool from this.

4 Does it also work with Excel?

Is special software required for an ISMS or can the structures also be set up with Excel? Yes, in simple cases it also works with an Excel spreadsheet. After all, each structural element in itself is a list that can be packed perfectly into an Excel worksheet, for example the asset inventory. However, the difficulties arise at the points where you have to link the individual elements together, starting with the relationships between the assets. Here, a spreadsheet offers only limited possibilities to maintain the consistency of the data, which must be compensated by the user through diligence and discipline. This is still acceptable in simple cases, but with extensive structures it quickly becomes a Sisyphean task.
This also becomes clear when looking at the diagram at the top of this page: The assets alone are linear and can be wonderfully mapped in a spreadsheet
Assets in an ISMS
The final structure, however, consists of several interlinked data structures, manual maintenance and consistency maintenance of the data becomes very costly:
ISMS data
In addition, there is the rigid layout of rows and columns, which is impractical when merging multiple structural elements. The assets themselves can be perfectly arranged in a table. But if the risks are to be listed under each asset and the controls as well, then it quickly becomes confusing, either because a column has to be used for different contents and these are all displayed in the same width, which often does not fit. Or because the substructures are moved so far to the side that you permanently have to scroll horizontally.
Everything is somehow feasible, but above a certain size, the user must have a high tolerance for pain. The logical conclusion: tools are needed which keep the data consistent and which, at the same time, have expedient interfaces for conveniently capturing and linking the data → That is exactly what ISMS tools are. In addition to these basic functions, however, the applications also bring numerous other capabilities, which will be discussed in the next chapter.

5 How do I find the right software for me?
The tender

This guide provides step-by-step instructions for tool selection. It describes a basic procedure with project initiation, project planning, general concept, tender, selection and decision, which you can adapt to your situation.
Our guide covers the following points:
  • Project initiation
  • Definition of requirements
  • Tool selection and contract agreement
Selection of an ISMS tool

5.1 Project initiation

This includes points like:
  • Clarify current status and problems
  • Describe solution approach
  • Developing benefits for the organization
  • Clarify basic willingness and ability to carry out such a project
  • Clarify goals and scope
  • Perform initial market screening
  • Define target state
  • Putting together a rough concept
  • Create project plan
  • Review
  • Prepare a decision and submit it for approval
Resources
ISMS tool project initiation

Procedure:
Selection of an enterprise software - Project initiation

5.2 Definition of requirements

To find the ISMS software that best suits your needs, you should first work out the general conditions of your organization and the general requirements for such a tool. This will lead you to important considerations, the extract will flow into the criteria and test catalogs you will use in tje selection process.
Resources
ISMS software requirements

Procedure
Selecting a GRC Software - Defining Requirements

Business requirements and technical requirements:
Excel template: Requirements for an ISMS tool

Further considerations
ISMS: Excel, Confluence or a specific software?

5.3 Tool selection and contract agreement

This includes tasks like:
  • Create Longlist
  • Planning of process
  • Obtain information from product suppliers
  • Supplier presentations
  • Create Shortlist
  • Proof of concept
  • Trial version
  • Narrow down suppliers
  • Offer presentations
  • Negotiations
  • Decision & approval for procurement and tool introduction
  • Contract conclusion
Resources
ISMS tool decision

Procedure
Enterprise Software Selection - Tool Selection and Contract Conclusion

6 Excel criteria catalog for tool selection

In order to compare different vendors and their products, a catalog of requirements in Excel is often useful. This is created by the searching organization and sent to the vendors with a request for response. A detailed template with pre-filled criteria can be found on the linked page. However, you should tailor the catalog to your specific requirements before using it.
Software requirements for an ISMS according to ISO 27001

7 Market overview

Overview of products:
Market Overview ISMS Software
ISMS Open-Source-Tools:
ISMS open-source tools

8 Tool reviews

Here you can find test reports on selected tools:
Test: Intervalid ISMS

9 Other resources

Overview of the ISO 2700x series of standards, free download
https://standards.iso.org/ittf...
The standard in the ISO shop
https://www.iso.org/standard/5...