It is important to invest internal resource time into the ISMS, otherwise it will not be fit for the purpose of meeting your stakeholders’ needs.
How to consider the core competences, costs & opportunity costs?
However, there is no need to develop the technology solution, unless it is considered a core competence of the firm and resources are on the bench waiting to be utilised.
Some hi-tech technology ISMS solutions cost millions of pounds to build and years to get fit for purpose.
Even lower tech solutions developed with SharePoint or Google folders and files could take weeks or months to bring alive:
- to understand what is required
- to design it
- to implement it
- to manage it
- to keep it updated
All that time may be invested whilst:
- not directly meeting stakeholder expectations
- not achieving all 10 characteristics detailed earlier
- not actually contributing to the business goals behind the ISMS
If you run your sales, accounting and other key business systems using Excel sheets and Word docs, relying on emails and folders for sharing, then you’ll probably want to do the same here.
If you are, however, serious about information security and privacy, you’ll want to show that too, with a professional platform in the same way that Salesforce.com, Xero etc. deliver for their target audience. Sheets, docs and emails have a role in the ISMS just as they do in sales and accounting solutions, but they are not the only thing you need for success.
If your organisation looks at Xero, SAP, Pipedrive, Salesforce.com, MailChimp, Microsoft Office etc and still builds its own hi-tech internal solutions for those areas then you may want to also build your own ISMS too.
If you are considering a low-tech or hi-tech build of the ISMS yourself, ask yourself what the organisation’s business is and whether building an ISMS is part of that core business. Is the hourly rate of the resource involved likely to be better focused on the day job?
Even if the organisation develops software for a living, is the time better invested in your core products and services where that may achieve a better return?
Given affordable ISMS solutions exist in the market already, off the shelf, to meet the 10 characteristics, there are only a few reasons why you would want to build one yourself:
• Significant complexity or sensitivity in your organisation information or practices
• Technologies already in place that can be suitably ‘bent’ to reflect stakeholder goals
• Funding constraints (although even these can be overcome with payment on use and affordability models from some ISMS professional solution vendors)
• A desire to enter the ISMS products and services market yourself
An ISMS delivers a positive return on investment. The goal of our whitepaper is to show you why, what, and how you can get RoI from an ISMS that fits the business needs.
You can download it now to share with colleagues or work through the considerations online using the index below.
The key considerations when building the business case for an ISMS?
- 1. Building the business case for an ISMS
- 3. The Challenge is Growing
- 4. Three Reasons Why Nothing Happens
- 5. Planning the business case for an ISMS
- 6. A Point on People
- 7. In Considering The Technology
- 8. What is an ISMS?
- 9. Understanding the Components of an ISMS
- 10. The People Involved in the ISMS
- 11. Why Do Organisations Need An ISMS?
- 12. Is Your Organisation Leadership Ready to Support an ISMS?
- 13. Developing the Business Case for an ISMS
- 14. Achieving Returns from the Threats and Opportunities
- 15. Stakeholder Expectations for the ISMS given their Relative Power and Interest
- 16. Scoping the ISMS to Satisfy Stakeholder Interests
- 17. GDPR Focused Work
- 18. The Return on Investment from Information Security Management
- 19. Doing Other Work for Broader Security Confidence & Assurance with Higher RoI
- 20. Build or Buy – Considering the Best Way to Achieve ISMS Success
- 21. The characteristics of a good technology solution for your ISMS
- 22. Whether to Build or Buy the Technology Part of the ISMS
- 23. The Core Competences of the Organisation, Costs and Opportunity Costs
- 24. Evaluating The Threats
- 25. Identifying The Opportunities
- 26. Work To Get Done for ISO 27001
- 27. In Conclusion