Cybervize - Cybersecurity Consulting

Show Me Your ISMS Tool: Why 47 Excel Files Are Not a Management System

Alexander Busse · March 24, 2026

When Your ISMS Tool Is a SharePoint Folder

It sounds like an anecdote, but it is everyday reality in many mid-sized companies: you ask to see the ISMS tool and are presented with a SharePoint folder containing dozens of Excel files. There is a login, though it serves more as a symbolic gesture than a functional access control. What appears to be a pragmatic solution at first glance reveals a fundamental misunderstanding of what an information security management system needs to deliver.

The question is not whether a company has documents. The question is whether those documents are part of a living system that actively governs security rather than merely documenting it.

Documentation Is Not the Same as Governance

Many organizations confuse the existence of policies and checklists with a functioning management system. The difference, however, is significant: an ISMS as defined by ISO 27001 is not a filing system. It is an operational governance instrument that identifies risks, assigns measures, verifies their effectiveness, and enables continuous improvement.

When the daily work consists of ticking boxes in Excel spreadsheets and manually compiling evidence through copy-paste, the company is paying for documentation, not for governance. And this is precisely the problem: the investment in tools and processes creates a sense of security that has little to do with the actual security posture.

How to Recognize an Effective ISMS Tool

An ISMS tool only delivers real value when it actually brings operations and controls together. In practical terms, this means that tasks and controls are linked to each other rather than just loosely assigned. Evidence is generated directly within processes, not through after-the-fact copy-paste from various sources. Governance actively steers ongoing operations instead of merely managing checkboxes. And an audit is a standardized export, not an exceptional event requiring weeks of preparation.

These criteria sound obvious, yet they are surprisingly rarely met in practice. Often the failure is not with the tool itself but with the lack of integration into day-to-day business operations. An ISMS tool that exists alongside daily work rather than being part of it will always remain a foreign element.

ISMS in Regular Operations: More Than a Project

Information security is not a project with a beginning and an end. It is an ongoing operation with clear roles, defined tasks, traceable evidence, and continuous risk assessment. Every single day. Organizations that take this seriously must evaluate their ISMS tool based on whether it supports this continuous operation or merely maintains the illusion of it.

The decisive question for IT decision-makers in mid-sized companies is therefore not which tool offers the most features. It is which tool ensures that security measures are actually lived, that responsibilities are clearly assigned, and that proof can be provided to auditors, customers, and the board at any time.

The Bottom Line: The Advantage Over Excel Must Be Tangible

If an ISMS tool offers no recognizable advantage over a well-maintained Excel spreadsheet in daily operations, something is wrong. The value must lie in operational governance, not in the user interface. Companies facing the decision for or against an ISMS tool should ask themselves one simple question: does this tool help me actually manage security, or does it only help me pretend that I do?

The answer to this question determines whether the investment in an ISMS tool is a step toward genuine cyber resilience or just another line item in the IT budget that achieves very little.