ISMS Tool in Practice: When SharePoint and 47 Excel Files Count as a Solution

"Show me your ISMS tool." This sentence comes up regularly in client conversations. The answer is often a SharePoint folder with 47 Excel files – and yes, there is a login for it. Provocative? Perhaps. But honest.
The underlying question is not malicious, but fundamental: What distinguishes a genuine ISMS tool from a well-organized filing system? And when does investing in specialized software truly pay off?
The Problem with Excel-Based ISMS Solutions
Excel is a powerful tool. But it was not built for the continuous management of an information security management system. In practice, this shows up in concrete symptoms: controls and tasks exist side by side rather than being linked. Evidence is gathered manually rather than arising from the process itself. Roles and responsibilities are documented but not operational. And the audit becomes an exceptional event rather than a routine export.
The core point: when daily work consists of filling checkboxes and manually generating evidence, you are paying for documentation – not for governance. That is an important distinction.
When an ISMS Tool Truly Delivers Value
An ISMS tool only delivers genuine value when it brings operations and controls together. This sounds abstract, but it can be anchored in four concrete criteria: tasks and controls are structurally linked, not just loosely assigned. Evidence arises from the process itself, not through after-the-fact copy-pasting. Governance steers operations rather than just managing checkboxes. And an audit is an export, not a special project that consumes weeks of effort.
These four properties distinguish a governance instrument from a document repository. If a proposed ISMS tool does not meet these criteria, the question is legitimate: what advantage does it offer over a well-maintained Excel spreadsheet?
Asking the Right Questions During Tool Demos
When evaluating ISMS tools, it pays to ask specifically about critical functionality rather than feature breadth. How does the linkage between a control and its associated tasks and owners work? How is the audit trail generated – automatically or manually? What happens when a control changes: is it actively propagated through the system, or does someone have to manually update related items?
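To make the four criteria and the three demo questions above tangible, here is an added illustration in Python (not code from any product or from the article's author): a task cannot exist without its control, completing a task is what produces the evidence and the audit entry, a changed control reopens every linked task, and the audit is a plain export of current state. Control and task identifiers, owners and the scenario in demo() are constructed for this example.

```python
from datetime import datetime, timezone

class ISMS:
    def __init__(self):
        self.controls = {}   # control_id -> {"requirement": str, "version": int}
        self.tasks = {}      # task_id -> task dict, always bound to a control and an owner
        self.evidence = []   # written only by complete_task(), never pasted in by hand
        self.audit_log = []  # completions and control changes, appended automatically

    def add_control(self, control_id, requirement):
        self.controls[control_id] = {"requirement": requirement, "version": 1}

    def add_task(self, task_id, control_id, owner):
        # Structural linkage: a task cannot exist without a known control.
        if control_id not in self.controls:
            raise KeyError(f"task {task_id} references unknown control {control_id}")
        self.tasks[task_id] = {"task_id": task_id, "control_id": control_id, "owner": owner, "status": "open"}

    def complete_task(self, task_id, note):
        # Evidence arises from the process: completing the task is what records it.
        task = self.tasks[task_id]
        task["status"] = "done"  # status: open | done | needs_review
        self.evidence.append({"control_id": task["control_id"], "task_id": task_id, "owner": task["owner"],
                              "recorded_at": datetime.now(timezone.utc).isoformat(), "note": note})
        self.audit_log.append({"event": "task_completed", "task_id": task_id, "owner": task["owner"]})

    def change_control(self, control_id, new_requirement):
        # Governance steers operations: a changed control reopens every linked task for review.
        ctrl = self.controls[control_id]
        ctrl["requirement"], ctrl["version"] = new_requirement, ctrl["version"] + 1
        reopened = [t["task_id"] for t in self.tasks.values() if t["control_id"] == control_id]
        for tid in reopened:
            self.tasks[tid]["status"] = "needs_review"
        self.audit_log.append({"event": "control_changed", "control_id": control_id, "version": ctrl["version"], "reopened": reopened})
        return reopened

    def audit_export(self):
        # Audit is an export: per control, its tasks, owners and evidence, read straight from state.
        return {cid: {**c, "tasks": [t for t in self.tasks.values() if t["control_id"] == cid],
                      "evidence": [e for e in self.evidence if e["control_id"] == cid]}
                for cid, c in self.controls.items()}

def demo():  # constructed sample scenario (not real data): one control, two tasks, one change
    isms = ISMS()
    isms.add_control("CTRL-01", "Internet-facing systems are patched within 14 days")
    isms.add_task("T-1", "CTRL-01", owner="ops-lead")
    isms.add_task("T-2", "CTRL-01", owner="it-security")
    isms.complete_task("T-1", "Patch report for May attached")
    isms.change_control("CTRL-01", "Internet-facing systems are patched within 7 days")
    return isms
```

Compare this with a spreadsheet: there, nothing stops a task row from pointing at a control that no longer exists, and nothing reopens the linked rows when a control's requirement changes.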
And one question that has proven valuable in conversations: "What was the most absurd ISMS feature sold to you as innovation in a demo?" The answers are revealing – they show what experiences other mid-market IT decision-makers have already had.
ISMS in Ongoing Operations: What That Really Means
An ISMS in ongoing operations means: roles, tasks, evidence, and risk – every day. Not once a year for the audit, not quarterly for the management review, but continuously as part of normal operational workflows.
That requires a tool capable of supporting this ongoing operation – with clear responsibilities, automatic reminders, transparent escalation paths, and an evidence structure that emerges from operations themselves.
Conclusion: The Tool Test Starts with an Honest Assessment
For mid-market companies considering an ISMS tool, an honest assessment of the current state is the right starting point: what does the current tool or solution genuinely deliver? Where does manual effort arise that could be avoided through better integration? And what requirements are coming in the next twelve months – a NIS-2 audit, ISO 27001 certification, external due diligence?
The answers to these questions show whether a tool change makes sense, or whether the organizational foundations need to be strengthened first. Because the best tool delivers no value in an organization that has not yet defined clear roles, responsibilities, and processes.
