Updated: May 31, 2022.
If you’ve started an ISO 27001 implementation, you’ve surely come across the term Information Security Management System, or ISMS. It is a pretty vague term, isn’t it? And yet, the ISMS is the main “product” of an ISO 27001 implementation. In the simplest terms, an Information Security Management System (ISMS) is the set of rules a company needs to establish to maintain security across the enterprise. Nevertheless, one may still ask: what exactly is an ISMS in ISO 27001, and how do you set the ISO 27001 ISMS policy?
1) identify stakeholders and their expectations of the company
2) identify which risks exist for the information
3) define controls (safeguards) and other mitigation methods
4) set clear objectives
5) implement all the controls and other risk treatment methods
6) continuously measure
7) make continuous improvement
What is an Information Security Management System in ISO 27001?
ISO 27001 basically describes how to develop the ISMS.
You can consider this ISMS to be a systematic approach for managing and protecting a company’s information.
What are the components of ISMS in ISO 27001?
When implementing your ISMS, you surely need to know how to correctly establish each ISO 27001 ISMS policy or procedure. The Information Security Management System represents a set of policies, procedures, and various other controls that set the information security rules in an organization. Holistically, the objectives of these components include the following:
- identify stakeholders and their expectations of the company in terms of information security
- identify which risks exist for the information
- define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
- set clear objectives on what needs to be achieved with information security
- implement all the controls and other risk treatment methods
- continuously measure if the implemented controls perform as expected
- make continuous improvement to make the whole ISMS work better
This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.
How does an ISMS work in ISO 27001?
As mentioned in the article “The basic logic of ISO 27001: How does information security work,” which information security controls will be implemented in a company is decided based on the results of the risk assessment and on the requirements of interested parties. For each risk that needs to be treated, a combination of different types of controls will be implemented.
Several controls are needed for each risk
Let’s say you leave your laptop in your car frequently, so chances are that, sooner or later, the laptop will get stolen. What can you do to decrease the risk to your information? You have to apply some controls. First, you can write a procedure that forbids leaving the laptop in the car. You can also protect your laptop with a password, so that if it gets stolen it will be more difficult for someone to access your information. You can encrypt your disks, which is an even higher level of protection for your information. You can also ask your employees to sign a statement in which they commit to pay for all the damage that can occur if such an incident happens. Finally, you have to train your employees and make them aware that such risks exist if they leave their laptops in their cars.
Now, protecting this laptop might sound simple, but the problem is when you have hundreds of laptops, dozens of servers, a multitude of databases, many employees, etc. With so much sensitive information in so many different assets, very quickly you would produce a huge number of safeguards that wouldn’t be related, and therefore would be very difficult to manage.
Managing complex security systems
The only way to manage all these safeguards is to set clear security processes and responsibilities. This is called a process approach in ISO management standards – in ISO 27001, but also in ISO 9001, ISO 20000, and others. If we take ISO 9001 as an analogy, the idea is the following: you cannot expect to produce a high-quality car only by performing a quality check at the end of the production line – what is needed is to design a production process that has included the quality philosophy in every step, in every detail – from selecting only high-quality suppliers, to training the employees, to dealing effectively with the non-conforming products.
Similarly, a process approach is crucial for making this connection between responsibilities and technical controls – only if you know who has to do what and when, will you have a foundation for enabling your security controls to work.
The point of the ISMS in 27001
So, what can we learn from these points? First of all, information security controls are not only technical, IT-related controls. They are a combination of different types of controls: documenting a procedure is an organizational control, implementing a software tool is an IT control, and training people is a human resources control. See also: Information security or IT security?
What are the benefits of ISMS?
How is an ISMS beneficial? Without some kind of framework, information security becomes unmanageable – this is where ISO 27001 comes in. When you build up your Information Security Management System, which means developing a set of information security rules, responsibilities, and controls, you’ll be able to manage such a complex system.
Finally, an Information Security Management System is nothing more than several security processes tied together – the better these processes are defined, and the better they are interrelated, the fewer incidents you will have. Thus, implementing an ISMS provides your organization with an effective and beneficial asset.
To see all the necessary tasks for ISMS implementation and maintenance, and learn how to comply with ISO 27001 with less bureaucracy, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.