ISMS Business Case Builder – Whether to Build or Buy the Technology Part of the ISMS

Pros

• Avoids most cyber and digital oriented risks

Cons

• Does not meet 10 characteristics so may fail on powerful stakeholder expectations
• Unlikely to be something anyone seriously considers even within the most sensitive of workplaces
• Will likely cost large amounts to maintain and demonstrate compliance against

• Perceived as free or low cost

• Will be unable to easily meet the scope of all jobs to get done
• Does not meet 10 characteristics so may fail on powerful stakeholder expectations
• Time required to understand, design, architect, implement and maintain the ISMS structure for all users of it
• Higher total cost over life than off the shelf solutions when considering all jobs to get done
• Reliance on the person/s who built it to keep it organised and updated as standards change
• Unlikely to be a core competence of the organisation to build an ISMS

• Built to exactly what you want to achieve and the way you want to work
• Great if you have very sensitive information management constraints and working practices that other off the shelf solutions are unable to address

• Likely to cost significantly more and take much longer than solutions already in the market in order to meet 10 characteristics
• May distract from core competences and cause significant opportunity costs in other parts of the organisation if using limited resources
• May mean inability to meet compelling events or deadlines for achieving actual ISMS business goals
• Cost of maintaining and improving will be much higher than off the shelf solutions as new standards and regulations emerge (developing for one customer not many)

• Use alongside personal and basic sharing tools e.g. documents and spreadsheets
• Pick and mix best of breed technologies with cheap / perceived free solutions

• Unlikely to meet 10 characteristics so may fail on powerful stakeholder expectations
• Cost of security, coordination, search, integration, contracting and maintaining versions are almost certainly outweighed by an all in one place service
• Enhancements in one application do not mean overall ISMS improvement and could make things harder if a vendor releases new features that exist in the other applications

• More likely to meet 10 characteristics and satisfy powerful stakeholders
• Easy to get going quickly with lower costs of contracting, start up and implementation
• Use alongside personal and basic sharing tools e.g. documents and spreadsheets
• Enhancements and new releases to parts of the ISMS also improve the whole system performance

• All in one packaged solution may not meet the needs of some experts who have a particular way of working (unless custom/bespoke development is undertaken)

• Context
• A growing challenge
• Three reasons why nothing happens
• The return on investment from information security management
• A point on people
• In considering the technology
• What is an ISMS?
• What are the components of an ISMS?
• Why do organisations need an ISMS?
• Is your organisation leadership ready to support an ISMS?
• Developing the business case for an ISMS
• Benefits to realise – Achieving returns from the threats and opportunities
• Evaluating the threats
• Identifying the opportunities

• Stakeholder expectations for the ISMS given their relative power and interest
• Scoping the ISMS to satisfy stakeholder interests
• GDPR focused work
• Doing other work for broader security confidence and assurance with higher RoI
• Work to get done for ISO 27001:2013/17
• Build or buy – Considering the best way to achieve ISMS success
• The people involved in the ISMS
• The characteristics of a good technology solution for your ISMS
• Whether to build or buy the technology part of the ISMS
• The core competences of the organisation, costs and opportunity costs
• In conclusion