ISMS Business Case Builder – Whether to Build or Buy the Technology Part of the ISMS

Pros

• Avoids most cyber and digital oriented risks

Cons

• Does not meet 10 characteristics so may fail on powerful stakeholder expectations
• Unlikely to be something anyone seriously considers even within the most sensitive of workplaces
• Will likely cost large amounts to maintain and demonstrate compliance against

• Perceived as free or low cost

• Will be unable to easily meet the scope of all jobs to get done
• Does not meet 10 characteristics so may fail on powerful stakeholder expectations
• Time required to understand, design, architect, implement and maintain the ISMS structure for all users of it
• Higher total cost over life than off the shelf solutions when considering all jobs to get done
• Reliance on the person/s who built it to keep it organised and updated as standards change
• Unlikely to be a core competence of the organisation to build an ISMS

• Built to exactly what you want to achieve and the way you want to work
• Great if you have very sensitive information management constraints and working practices that other off the shelf solutions are unable to address

• Likely to cost significantly more and take much longer than solutions already in the market in order to meet 10 characteristics
• May distract from core competences and cause significant opportunity costs in other parts of the organisation if using limited resources
• May mean inability to meet compelling events or deadlines for achieving actual ISMS business goals
• Cost of maintaining and improving will be much higher than off the shelf solutions as new standards and regulations emerge (developing for one customer not many)

• Use alongside personal and basic sharing tools e.g. documents and spreadsheets
• Pick and mix best of breed technologies with cheap / perceived free solutions

• Unlikely to meet 10 characteristics so may fail on powerful stakeholder expectations
• Cost of security, coordination, search, integration, contracting and maintaining versions are almost certainly outweighed by an all in one place service
• Enhancements in one application do not mean overall ISMS improvement and could make things harder if a vendor releases new features that exist in the other applications

• More likely to meet 10 characteristics and satisfy powerful stakeholders
• Easy to get going quickly with lower costs of contracting, start up and implementation
• Use alongside personal and basic sharing tools e.g. documents and spreadsheets
• Enhancements and new releases to parts of the ISMS also improve the whole system performance

• All in one packaged solution may not meet the needs of some experts who have a particular way of working (unless custom/bespoke development is undertaken)