I was wondering if anyone could recommend a 'cheap' (under $50,000 AUD) 'ISO 27001 / ISMS' software for managing our ISMS? Alternatively, can anyone recommend a 'CyberSecurity Risk Management Software'?
Our primary reasons for needing this software are to use it to undertake, track and manage information security risk assessments. Secondary reasons include an asset register, central repository for our Statement of Applicability, Document Control Register, Security Calendar and to track ISMS Surveillance Audits (but we can manage a lot of that using Excel spreadsheets if needed).
I have already looked at a few products, including:
Cyber Security Evaluation Tool (CSET - Homeland Security).
There are other products that are outside of our price range such as RSA Archer and Service Now GRC.
I have no doubt there are others that I have missed. Feel free to add to this list.
Don't get fooled by fancy GRC products. Most will give you the software for nothing. Then you will spend the next 3 years and 10 FTEs "customizing" it for your organization. I love Open IT GRC, which has regular releases and strong community support. It comes as a VM image, which makes deployment easy. Another perennial favorite is Google's GGRC (here). I have also seen other supporting tools to capture IT processes combined with it to give the commercial tools a run for their money.
Thank you very much for your response, I really appreciate it and it was very helpful.
Since your post, I have started to investigate Eramba/OpenGRC - it looks amazing! I am going to spin up a dev/test environment (I tried the online demo).
I had a look at Google's GGRC. I am really keen to look at this as well (it looks like I will have to download Docker for Windows). I can only find the GitHub site with the code; is there a dedicated support site? I googled images and videos of GGRC (just to see what the interface looked like) but it does not come up with much.
I will have a play around with it tomorrow.