What are the technology options for the ISMS?
Broadly speaking there are 5 ‘build or buy’ options for the solution and these are:
- Build your own no-tech paper-based solution
- Build your own low-tech solution – Email, sheets, docs, shared folders (personal & basic sharing tools)
- Build (or commission) your own hi-tech specialist software technology solution
- Buy off the shelf professional standalone applications to do specific ISMS jobs
- Buy off the shelf professional all in one place ISMS
It’s pretty obvious from what ISMS.online offers that we would recommend option 5 – but the other paths all have Pros and Cons which we’ve summarised below.
1. Build your own no-tech paper-based solution
Pros
- Avoids most cyber and digital oriented risks
Cons
- Does not meet the 10 characteristics, so may fail on powerful stakeholder expectations
- Unlikely to be something anyone seriously considers even within the most sensitive of workplaces
- Will likely cost large amounts to maintain and demonstrate compliance against
2. Build your own low-tech solution – Email, sheets, docs, shared folders (personal & basic sharing tools)
Pros
- Perceived as free or low cost
Cons
- Will be unable to easily meet the scope of all jobs to get done
- Does not meet the 10 characteristics, so may fail on powerful stakeholder expectations
- Time required to understand, design, architect, implement and maintain the ISMS structure for all users of it
- Higher total cost over its life than off the shelf solutions when considering all jobs to get done
- Reliance on the person/s who built it to keep it organised and updated as standards change
- Building an ISMS is unlikely to be a core competence of the organisation
3. Build (or commission) your own hi-tech specialist software technology solution
Pros
- Built to exactly what you want to achieve and the way you want to work
- Great if you have very sensitive information management constraints and working practices that off the shelf solutions are unable to address
Cons
- Likely to cost significantly more and take much longer than solutions already in the market in order to meet the 10 characteristics
- May distract from core competences and cause significant opportunity costs in other parts of the organisation if it uses limited resources
- May mean an inability to meet compelling events or deadlines for achieving the actual ISMS business goals
- Cost of maintaining and improving will be much higher than for off the shelf solutions as new standards and regulations emerge (developing for one customer, not many)
4. Buy off the shelf professional standalone applications to do specific ISMS jobs
Pros
- Use alongside personal and basic sharing tools e.g. documents and spreadsheets
- Pick and mix best of breed technologies with cheap / perceived free solutions
Cons
- Unlikely to meet the 10 characteristics, so may fail on powerful stakeholder expectations
- Costs of security, coordination, search, integration, contracting and maintaining versions almost certainly outweigh those of an all in one place service
- Enhancements in one application do not mean overall ISMS improvement, and could make things harder if a vendor releases new features that duplicate those already in the other applications
5. Buy off the shelf all in one place ISMS
Pros
- More likely to meet the 10 characteristics and satisfy powerful stakeholders
- Easy to get going quickly, with lower costs of contracting, start up and implementation
- Use alongside personal and basic sharing tools e.g. documents and spreadsheets
- Enhancements and new releases to parts of the ISMS also improve the performance of the whole system
Cons
- An all in one packaged solution may not meet the needs of some experts who have a particular way of working (unless custom/bespoke development is undertaken)
What are the key considerations when building the business case for an ISMS?
- Context
- A growing challenge
- Three reasons why nothing happens
- The return on investment from information security management
- A point on people
- In considering the technology
- What is an ISMS?
- What are the components of an ISMS?
- Why do organisations need an ISMS?
- Is your organisation leadership ready to support an ISMS?
- Developing the business case for an ISMS
- Benefits to realise – Achieving returns from the threats and opportunities
- Evaluating the threats
- Identifying the opportunities
- Stakeholder expectations for the ISMS given their relative power and interest
- Scoping the ISMS to satisfy stakeholder interests
- GDPR focused work
- Doing other work for broader security confidence and assurance with higher RoI
- Work to get done for ISO 27001:2013/17
- Build or buy – Considering the best way to achieve ISMS success
- The people involved in the ISMS
- The characteristics of a good technology solution for your ISMS
- Whether to build or buy the technology part of the ISMS
- The core competences of the organisation, costs and opportunity costs
- In conclusion