Using ISO 27001 online software vs. documentation templates

When you start your ISO 27001 project, you have to make some very important decisions – one of them is whether you are going to use a consultant. If you decide not to use one (which is a trend lately), then you have to decide what kind of online support you can get for your implementation.

Basically, you have two types of providers that offer support for ISO 27001 implementation: those who offer documentation templates, and those who offer ISO 27001 online software for handling the project.

Documentation templates for ISO 27001

Usually, these kinds of websites offer policies, procedures, plans, reports, and other documents and records that are mostly completed; the user fills out the rest of each document and in this way adapts the documentation to their own needs.

These templates can be downloaded and edited/adapted to the needs of a particular company – the advantage is that, in most cases, they are really easy to use, and they cover all the mandatory and commonly used documents for ISO 27001.

The biggest problem with such solutions is that they are difficult to use for activities where continuous changes are needed – e.g., risk management, customer complaints, incidents, internal audits, etc. For smaller companies, using Word or Excel documents for such purposes might work, but even then it takes too much time. In other words, maintaining the management system brings some challenges when using templates only.


ISO 27001 online software

These online software solutions are, in fact, Software-as-a-Service (SaaS), and they usually offer risk management, incident management, handling of customer complaints, etc. Some of these software solutions also offer document management (so that you can distribute and control your documentation), project management (so that you can run your whole ISO 27001 implementation project through it), and also collaboration (so that project members can use it for messaging and coordination).

The advantages of such online software are that, unlike software that has to be downloaded and installed, using the SaaS solution requires you only to log into your account in the cloud. Further, they enable multiple users from the same company to collaborate on a project.

The disadvantage of most of these online tools is that they usually focus on ISO 27001 functionalities, but they do not offer the documentation (i.e., policies, procedures, plans, etc.) that need to be produced as part of the ISO 27001 implementation project.

The blended approach

When we developed Conformio, we opted for a blended approach – this means that we decided to merge documentation toolkits and online tools into a single SaaS solution.

In the image below, you can see what Conformio’s user interface looks like.

You navigate through Conformio mostly by using the left sidebar. You can select “ISO 27001 main steps,” which leads you to the core of your ISO 27001 implementation, or check the documents in Conformio by clicking on the Documents section.

In the Registers and Modules section, you will have access to the Incidents Register, Internal Audits Module, Nonconformities Module, Risk Register, Statement of Applicability Module, and others. The Reporting dashboard gives you an overview of the ISO 27001 implementation project, as well as the compliance status and compliance performance of your company.

The Responsibility Matrix provides an overview of all tasks and responsibilities required for the ISO 27001 project and, in My Work, you will have a view of all your responsibilities in Conformio.

Figure 1. Conformio interface with quick access to ISO 27001 steps, Registers and Modules, Documents, My Work and more

We believe that with such an approach it is much easier for project members to collaborate in order to complete the initial implementation of ISO 27001, while at the same time it enables them to maintain their management system with much less effort.

Additionally, based on parameters you define in your documentation, Conformio will build schedules for the activities needed to implement and maintain ISO 27001. With this Responsibility Matrix, in which every activity has a clear owner and due date, the risk of missing a recurrent activity (e.g., document review, risk assessment and risk treatment update, internal audit, etc.) is decreased. Furthermore, anyone with access to Conformio can have a systematic view of all the responsibilities he/she has to fulfill.


Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.