The articles cover:
 
  • Help, so many vendors and so many ISMS tools to choose from ?!
  • What are the differences between the programs?
  • What is the best ISMS software?
  • How do I find a reliable and fair provider?
  • What criteria do I use to select a provider and tool?
  • How do I make a professional tender?
  • How do I get confidence in my tool decision?
Relevant for:
IT managers and project managers tool selection
.

There are numerous standard products available for implementing an information security management system according to ISO 27001 (see link to our market overview below). Although they serve the same purpose in functionality, i.e. the mapping of an ISMS, the offers can differ substantially from each other in other aspects, e.g. in the configurability, in the type of provision or in questions of cooperation with the provider. These points must flow into the selection just like the price, so that you decide in the end for the Tool, which fulfills your specific basic conditions and requirements best. This page is designed to assist you in this selection process.

Content

1 How does an ISMS according to ISO/IEC 27001 work?

2 Does it also work with Excel?

3 What are the functions of ISMS software?

4 What are the differences between the tools on the market?

5 How do I find the right software for me? The tender

6 Market overview

1 How does an ISMS according to ISO/IEC 27001 work?

The ISO/IEC 27001 standard defines a management system for systematically establishing, monitoring and continuously improving a high level of information security within an organization. This is done with the help of coordinated elements such as organizational structures, guidelines, processes and procedures. The approach is based on the concerns of the organization and on the specific risks to which the organization's information security is exposed.

In the core, a corresponding structure is built up by first defining the scope. Within the scope, the assets are recorded, which are differentiated according to primary assets and supporting assets. Primary assets are business processes and information, while supporting assets are where business processes run and information resides, such as hardware, software, network components, personnel, buildings, rooms. The relationships between the assets are also modeled, an example: a business process contains order information (information asset), it uses an application (software), this runs on a server (hardware) and the server is located in a room.

The need for protection is then determined for each primary asset as part of a business impact analysis (BIA). To do this, the individual protection goals are considered - often Confidentiality, Integrity, Availability (CIA) - and the question is discussed of what impact a loss would have on the asset under consideration. Example: What would be the consequences of losing confidentiality in the payroll application? Different categories of impact can be considered, such as violation of laws or image damage. The possible impacts identified in this way are inherited along the relationships to the supporting assets. Multiple streams incoming to an asset are usually combined according to the maximum principle.

In the risk analysis, which is normally based on the ISO 27005 standard, the impacts are now compared with the hazards resulting from threats and matching vulnerabilities, which are assessed with a probability of occurrence, including existing measures if necessary. In each case, this results in a concrete risk that must be dealt with. The basis is the choice of risk strategy: reduce, transfer, accept or avoid.

Accordingly, measures are now defined, which are usually derived from the controls in Annex A of the ISO 27001 standard. The measures must now be implemented and progress must be tracked. Reviews and audits can be used to evaluate the effectiveness of the ISMS.

See also:

Overview of the ISO 2700x series of standards, free download
https://standards.iso.org/ittf/PubliclyAvailableSt...
The standard in the ISO shop
https://www.iso.org/standard/54534.html

2 Does it also work with Excel?

Is special software required for an ISMS or can the structures also be set up with Excel? Yes, in simple cases it also works with an Excel spreadsheet. After all, each structural element in itself is a list that can be packed perfectly into an Excel worksheet, for example the asset inventory. However, the difficulties arise at the points where you have to link the individual elements together, starting with the relationships between the assets. Here, a spreadsheet offers only limited possibilities to maintain the consistency of the data, which must be compensated by the user through diligence and discipline. This is still acceptable in simple cases, but with extensive structures it quickly becomes a Sisyphean task.

In addition, there is the rigid layout of rows and columns, which is impractical when merging multiple structural elements. The assets themselves can be perfectly arranged in a table. But if the risks are to be listed under each asset and the controls as well, then it quickly becomes confusing, either because a column has to be used for different contents and these are all displayed in the same width, which often does not fit. Or because the substructures are moved so far to the side that you permanently have to scroll horizontally.

Everything is somehow feasible, but above a certain size, the user must have a high tolerance for pain. The logical conclusion: tools are needed which keep the data consistent and which, at the same time, have expedient interfaces for conveniently capturing and linking the data → That is exactly what ISMS tools are. In addition to these basic functions, however, the applications also bring numerous other capabilities, which will be discussed in the next chapter.

3 What are the functions of ISMS software?

A typical ISMS software has many of the following functions and features:

Assets

  • Setup of an asset register
  • Differentiation between primary and supporting assets
  • Categorization and documentation of assets
  • Linking of assets to map usage relationships

Business Impact Analysis (BIA)

  • Assessment of the impact in case of violation of the protection goals
  • Inheritance of the protection requirements along the asset links
  • Calculation of protection needs for an asset in case of multiple incoming streams and possibility of manual overwriting

Risk analysis

  • Definition of the scope with the affected assets
  • User interfaces for the allocation of hazards to the assets and for their evaluation with regard to the probability of occurrence
  • Determination of the risk strategy, definition of measures and assessment of the residual risk
  • Possibility of analysis at different points in time
  • Supplied content: Hazard catalogs with threats and vulnerabilities
  • Supplied contents: Controls, e.g. Annex A of ISO 27001

Measures

  • Assignment of responsibilities and tasks
  • Tracking of progress or implementation

Document control

  • Storing and/or linking documents for policies, etc.
  • Approval process
  • Resubmission process

Audit and review support

  • Planning of audits and reviews
  • Determination of the subject areas
  • Documentation of results

Reporting

  • Statement of Applicability (SoA)
  • Risk Treatment Plan
  • Measures with implementation status
  • ...

Additional modules

  • Most products available on the market offer additional modules, e.g. data protection management, business continuity management, enterprise risk management

Technical functionalities

  • Multi-client capability
  • Authorization system
  • Interfaces
  • E-mail notification
  • LDAP/Active Directory connection
  • Single Sign On (SSO)

4 How do the tools differ from each other?

Due to the orientation on standards such as ISO 27001, the basic functionality of ISMS software products is similar. Nevertheless, the tools can differ significantly from each other, as the providers have different approaches and set their own priorities. Some aspects are listed below:

  • Installation in your own data center (on-premises) or use as a cloud service (Software as a Service - SaaS).
  • Native client or web interface?
  • Is a special platform required? (e.g. Confluence, MS Sharepoint)
  • Included content (threat catalogs, standards and controls)
  • Level of configurability
  • Level of customizability (consider release compatibility)
  • Specific functions (e.g. calculation of the resulting protection requirement, gross or net risk assessment)
  • Group suitability (e.g. decentralized asset recording and BIA, authorization system)
  • Automation options
  • Interfaces
  • Available add-on modules

One should not proceed blindly according to the motto "a lot helps a lot", because more functions can possibly make use and operation more complicated. Instead, you should determine what is actually needed in your own organization, and of course also take a look into the future and derive your concrete requirements for a tool from this.

5 How do I find the right software for me?
The tender

This guide provides step-by-step instructions for tool selection. It describes a basic procedure with project initiation, project planning, general concept, tender, selection and decision, which you can adapt to your situation.

Our guide covers the following points:

  • Project initiation
  • Definition of requirements
  • Tool selection and contract agreement

Selection of an ISMS tool

5.1 Project initiation

This includes points like:

  • Clarify current status and problems
  • Describe solution approach
  • Developing benefits for the organization
  • Clarify basic willingness and ability to carry out such a project
  • Clarify goals and scope
  • Perform initial market screening
  • Define target state
  • Putting together a rough concept
  • Create project plan
  • Review
  • Prepare a decision and submit it for approval

Resources

5.2 Definition of requirements

To find the ISMS software that best suits your needs, you should first work out the general conditions of your organization and the general requirements for such a tool. This will lead you to important considerations, the extract will flow into the criteria and test catalogs you will use in tje selection process.

Resources

5.3 Tool selection and contract agreement

This includes tasks like:

  • Create Longlist
  • Planning of process
  • Obtain information from product suppliers
  • Supplier presentations
  • Create Shortlist
  • Proof of concept
  • Trial version
  • Narrow down suppliers
  • Offer presentations
  • Negotiations
  • Decision & approval for procurement and tool introduction
  • Contract conclusion

Resources

6 Market overview

Overview of products:
Market Overview ISMS Software

ISMS Open-Source-Tools:
ISMS open-source tools