Published under Risk Management

Smart Information Security Management System (SISMS)

Tool Identity Card

General information
Basic information to identify the product

Tool name : Smart Information Security Management System (SISMS)
Country of origin : Turkey

Level of reference of the tool
Details about the coverage or the « originators » of the solution

Coverage : World-wide (sector oriented)
Supported by organization, club,... (e.g. as sponsor) : Technical research support is provided by TUBITAK (Turkish Scientific and Technical Researches Institution)

Brief description of the product
Give a brief description of the product containing general information, overview of functions…

  • SISMS is a full-scope information security management system software package that uses an expert system for establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security management. It makes it easy to apply the international standard ISO 27001 (2005) in organizations. The system checks the organization's network, including all the hardware assets and the operational information of those assets (type, operating systems, specifications, activity and efficiency, utility etc.). The system determines the open or filtered TCP and UDP ports and the versions of the services running on open ports. Additionally, it provides the network map of the organization. Controlling user access, system access and network access is the critical success factor of the SISMS. Basically the system has three main functions: network monitoring as mentioned above, text-based applications for establishing the other modules (defining the requirements and the actions to be taken according to ISO 27002 (2005)), and smart applications to determine the present security state of the organization. The SISMS modules are listed below:

    Inventory manager (including asset evaluation): All the information assets of the organization on the network are automatically determined, classified according to the categorization and registered by this module.

    Resource manager: The hardware assets on the network are traced and monitored by this module. It produces reports including detailed information about active devices.

    Vulnerability manager: This module helps the information security expert in determining the vulnerabilities and matching these with all the information assets of the organization.

    Current security state determiner: This module determines the current security state of the organization according to the standard controls defined in ISO 27001. In this module each control is converted to an easily understandable question.

    Risk manager: The purpose of this module is to evaluate the risks for each information asset according to vulnerabilities and threats. The risk evaluation is performed by using five different methods included in ISO 27001 and ISO 27005.

    Protector: This module determines whether the required protections are applied so that the information assets' risk values are decreased to an acceptable level.

    Reporter: All the mandatory documents for the ISMS are produced by this module as templates or documents in MS Office formats.

    ISMS process viewer: This module views the whole system and its compliance with ISO 27001 in all phases. The module also allows senior management to view the security of the system.

Supported functionality
Specify the functionality this tool provides.

R.A. Method activities supported

  • Risk identification : For an efficient risk identification, the text-based application modules in SISMS collect all input data, such as the identification of assets, threats, existing controls and vulnerabilities, for the risk estimation activity.
  • Risk analysis : After the risks are identified, Risk Manager module uses five different qualitative and one quantitative estimation methodologies.
  • Risk evaluation : Risk Manager module compares the level of risk against risk evaluation criteria and risk acceptance criteria automatically.

Other phases

  • Asset inventory & evaluation - The Inventory Manager module has the ability to collect all the information about the assets on the network automatically, at a suitable level. Other assets can also be added to the inventory manually. Then the evaluation process takes place.

R.M. Method phases supported

  • Risk assessment : The Risk Manager module performs the risk analysis and risk evaluation activities iteratively in SISMS.
  • Risk treatment : In SISMS, a list of risks prioritized according to risk evaluation criteria is given and related controls are merged to reduce, retain, avoid or transfer the risks.
  • Risk acceptance : The Risk Manager module collects the appropriate data for residual risk assessment and supports management's acceptance decision.
  • Risk Communication : The information about the risks can easily be shared between the authorized users of SISMS for risk management purposes.

Other phases

  • N/A

Other functionality

  • Determination of the security state of the organization : First of all, SISMS applies a test to the user to determine the initial security state of the organization. The result of the test is evaluated by a smart application running under CLIPS, which performs particularly well in situations with large numbers of facts/instances created according to the rules defined in the ISO 27002 standard, in order to meet the security requirements.
  • Documentation : Any types of document can be uploaded or downloaded in SISMS to fulfill the documentation requirements.

Information processed

  • SISMS information : SISMS information consists of the asset information of the organization and the ISO 27001 requirements, controls, rules, processes and procedures.

Date of the first edition, date and number of actual version

Date of first release : R1 March 2011
Date and identification of the last version : R1 March 2011

Useful links
Link for further information

Official web site :
User group web site : N/A
Relevant web site : N/A

List the available languages that the tool supports

Languages available : English, Turkish

Pricing and licensing models
Specify the price for the product (as provided by the company on March 2012)

  • Price : 22.000 $
  • Maintenance: N/A

Sectors with free availability or discounted price : N/A

Trial before purchase
Details regarding the evaluation period of the tool

CD or download available : Yes
Identification required : Yes
Trial period : 30 days

Tool architecture
Specify the technologies used in this tool

  • Database: MS SQL Server 2008 R2 is used for the purposes listed below:
    1. SISMS tables,
    2. Tables used for content management,
    3. Database for user authentication and authorization.
    The SISMS tables consist of tables related to information security, CLIPS expert system tables and tables for network management. The content management tables are used for the web pages. The tables for user authentication and authorization are used to manage user authentication with ASP.NET.
  • Web server: MS IIS
  • Application Server: MS Server 2008 is used for the web-based application.
  • Client: Any client

Target public
Defines the most appropriate type of communities for this tool

  • Government, agencies
  • Large scale companies
  • SME
  • Commercial CIEs
  • Non Commercial CIEs

Specific sector : N/A

Information concerning the spread of this tool

General information : World-wide in many different organizations
Used inside EU countries : Yes
Used outside EU countries : Yes

Level of detail
Specify the target kind of people for this tool based on its functionality

Management : The management part of SISMS consists of the Project Management, Vulnerability Management, Rule Management and Control Management sections. These modules collect data to constitute a directive for the operational processes of the tool.
Operational : The Risk, Resource, Inventory and Documentation Managers and the Security State Determination module are the operational part of SISMS. At this stage a smart application consisting of a CLIPS expert system is used to determine the present security state of the organization. Here, both the requirements of the organization according to the controls included in ISO 27001 and the rules that should be applied to fulfil those requirements according to ISO 27002 are defined automatically.
Technical : Technically, the Security State Determination module determines the open or filtered TCP and UDP ports and the versions of the services running on open ports. Additionally, it provides the network map of the organization. Controlling user access, system access and network access is the critical success factor of the SISMS.

Compliance to IT Standards
List the national or international standard this tool is compliant with

  • ISO 27001
  • ISO 27002

Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard

  • ISO 27001 (2005) Information Technology - Security techniques - Information security management systems - Requirements - The general purpose of the tool is to lead the organization to ISO 27001 certification by establishing, implementing, operating, monitoring, reviewing, maintaining and improving information security management.

Information about possible training courses for this tool

  • Course : SISMS Usage
    Duration : 5 days
    Skills : IT personnel are preferred
    Expenses : Webinar (No expenses)

Users viewpoint

Skills needed
Specify the skills needed to use and maintain the solution

  • To install : Tool will be deployed by the manufacturer
  • To use : Preferably IT personnel after 5 days training
  • To maintain : Tool can be maintained only by the manufacturer due to the feedback from end-users

Tool Support
Specify the kind of support the company provides for this product

Support : The manufacturer provides on-site support

Organization processes integration
Describe user roles this tool supports

Supported Roles

  • N/A

Integration in Organization activities

  • N/A

Interoperability with other tools
Specify available interfaces or other ways of integration with other tools

  • Monitoring system to identify and resolve IT infrastructure problems before they affect critical business processes : Nagios
  • Network exploration and security auditing : Nmap

Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides

  • N/A

Flexibility of tool's database
Can the database be customized and adapted to client requirements?

  • N/A
