
Tools to Manage an ISMS

This week’s top tip addresses a question frequently asked by organisations looking to comply or certify to ISO 27001, the international standard for information security management systems: ‘what tools will I need to manage an information security management system (ISMS)?’

A big concern for many organisations is that implementing an ISMS will lead to additional cost, both in software purchases and in the staff time needed to maintain the documentation (policies, records, procedures). “Do we need to purchase a bespoke ISO 27001 document management solution?” is a question we often encounter.

The simple answer is no. In a nutshell, we strongly believe that the secret to a successful ISO 27001 implementation is to build on what you already have, rather than to treat it as a discrete stand-alone project requiring a discrete stand-alone solution.

When planning, establishing and implementing the ISMS, make the most of the document management tools already available within your organisation, e.g. SharePoint, Teams or Google Docs.

Any additional procurement should be justified by a business reason and the benefits it will bring. Whilst there are plenty of open source and proprietary tools offering ISMS management, the question to ask is whether there is a genuine business case for such a tool, particularly at the early stage of implementation.

From the Standard’s perspective, there is no requirement that an organisation employ any particular tool to manage its ISMS. The Standard is prescriptive only in defining what documentation “shall be created, maintained and retained”.

The vast majority of the 200-plus ISMS implementations URM has been involved in have been conducted without any specialised tools. The one exception is risk management, where, depending on the complexity of the scope and the availability of skilled in-house resource, organisations can benefit from a third-party solution (e.g. Abriska).

Outside of risk management, the vast majority of the Standard’s requirements can be met using any word processing or spreadsheet application together with the generic document management systems referenced above.

How Abriska 27001 Delivers Effective Information Security Risk Assessment

Abriska 27001 has been specifically developed to enable you to undertake an information security risk assessment that is both in line with the requirements of ISO 27001 and appropriate to the size and sector of your organisation. Abriska comes preloaded with all of the ISO 27001:2013 controls and with example threat and vulnerability libraries; these items are linked to each other so that you can start undertaking risk assessments straight away. Abriska has supported over 200 successful ISO 27001 certification projects.

How Abriska 22301 Delivers Effective BIA and Risk Assessment

One of the most important aspects of a business continuity programme is the business impact analysis (BIA), through which the organisation identifies its key products and services, critical activities and required resources. Typically a BIA is conducted using multiple spreadsheets and supporting documents, so viewing all of these relationships requires aggregating information from multiple sources. Abriska 22301 has been specifically designed to satisfy the BIA and risk assessment requirements of ISO 22301 in a robust and repeatable manner, whilst allowing the organisation the flexibility to tailor each element of the tool to its specific needs.

How Abriska 31000 Delivers Effective Risk Management

Abriska 31000 has been designed to be flexible enough to meet the requirements of different organisations. Abriska can be configured to incorporate the range of criteria used to assess risks, including:

  • categories of risk that need to be identified,
  • likelihood and impact scales,
  • risk matrices,
  • algorithms for calculating risk and risk appetite.

How Abriska 19011 Delivers Effective Audit Management

Drawing on its experience of conducting both internal and external audits in a variety of disciplines (e.g. information security, business continuity), URM has developed an audit, finding and action management module within Abriska. Abriska 19011 enables an organisation to define a process and approach for risk-based audit management and to track all findings and actions that result from an audit.
Abriska has been designed around the guidance in ISO 19011, the international standard providing guidelines for auditing management systems. It can be applied to any management system, such as quality (ISO 9001), information security (ISO 27001) or business continuity (ISO 22301).

How Abriska 27036 Delivers Effective Supplier Risk Management

Abriska 27036 is designed and pre-mapped to provide you with an automated method of conducting supplier information security risk assessments, allowing you to set the level of granularity according to the risk each supplier poses to your organisation and the information the supplier has access to. Abriska 27036 also minimises the administrative overhead of sending security assessment questionnaires to multiple suppliers. It achieves this by:

  • Enabling a single register of all third parties and suppliers to be captured
  • Categorising each supplier based on the services they provide to your organisation and the potential risk they pose
  • Establishing a level of priority based on the information the third party has access to
  • Managing the questionnaire process, with email notifications and reminders until each questionnaire is completed online, directly into the central database
  • Clearly reporting the risks associated with each supplier based on your risk appetite, enabling you to make informed decisions and be in a position to discuss and track any risk treatment actions necessary for any specific supplier.