
What is an Information Security Management System (ISMS) according to ISO 27001?

Updated: May 31, 2022.

If you have started an ISO 27001 implementation, you have surely come across the term Information Security Management System, or ISMS. It is a vague term, and yet the ISMS is the main “product” of an ISO 27001 implementation. In the simplest terms, an Information Security Management System is the set of rules a company establishes to maintain security across the enterprise. That still leaves the questions: what exactly is an ISMS in ISO 27001, and how do you set up the policies that make up the ISO 27001 ISMS?

The components of ISMS in ISO 27001:

1) identify stakeholders and their expectations of the company
2) identify which risks exist for the information
3) define controls (safeguards) and other mitigation methods
4) set clear objectives
5) implement all the controls and other risk treatment methods
6) continuously measure
7) make continuous improvement

What is an Information Security Management System in ISO 27001?

ISO 27001 is essentially the specification for how to build and run an ISMS.

You can think of the ISMS as a systematic approach to managing and protecting a company’s information: not a single product or document, but the way the organization decides what to protect, how, and who is responsible.

What are the components of ISMS in ISO 27001?

When implementing your ISMS, you need to know how to correctly establish each ISO 27001 ISMS policy or procedure. The Information Security Management System is a set of policies, procedures, and other controls that together define the information security rules of an organization. Taken as a whole, these components serve the following objectives:

  1. identify stakeholders and their expectations of the company in terms of information security
  2. identify which risks exist for the information
  3. define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
  4. set clear objectives on what needs to be achieved with information security
  5. implement all the controls and other risk treatment methods
  6. continuously measure if the implemented controls perform as expected
  7. make continuous improvement to make the whole ISMS work better

This set of rules can be written down in the form of policies, procedures, and other documents, or it can exist as established processes and technologies that are not documented at all. ISO 27001 defines which documented information is required, i.e., which documents must exist at a minimum; everything beyond that minimum is documented only if the organization finds it useful.

How does an ISMS work in ISO 27001?

As explained in the article The basic logic of ISO 27001: How does information security work, which information security controls a company implements is decided based on the results of the risk assessment and on the requirements of interested parties. For each risk that needs to be treated, a combination of different types of controls is implemented.

Several controls are needed for each risk

Let’s say you frequently leave your laptop in your car. Sooner or later, the laptop will get stolen. What can you do to decrease the risk to your information? You have to apply several controls. First, you can write a procedure stating that laptops must not be left in cars. You can also protect the laptop with a login password, which makes it harder for a thief to use the machine; note, however, that a login password alone does not protect the data at rest, because the drive can simply be removed and read on another computer. Encrypting the disks closes that gap and is a much stronger level of protection for the information itself. You can also ask employees to sign a statement in which they accept liability for damage caused by such an incident. And finally, you have to train employees and make them aware that leaving laptops in cars carries this risk in the first place.

Protecting a single laptop might sound simple, but the problem appears when you have hundreds of laptops, dozens of servers, a multitude of databases, many employees, and so on. With so much sensitive information spread across so many assets, you would very quickly end up with a huge number of unrelated safeguards that are very difficult to manage.


Managing complex security systems

The only way to manage all these safeguards is to set clear security processes and responsibilities. This is called the process approach in ISO management standards: in ISO 27001, but also in ISO 9001, ISO 20000, and others. Take ISO 9001 as an analogy: you cannot expect to produce a high-quality car only by performing a quality check at the end of the production line. What is needed is a production process that builds quality into every step and every detail, from selecting only high-quality suppliers, to training the employees, to dealing effectively with non-conforming products.

Similarly, the process approach is what connects responsibilities to technical controls: only when you know who has to do what, and when, do you have a foundation on which your security controls can actually work.

The point of the ISMS in ISO 27001

So, what can we learn from these points? First of all, information security controls are not only technical, IT-related controls. They are a combination of different types of controls: documenting a procedure is an organizational control, implementing a software tool is a technical control, and training people is a human resources control. None of them alone treats the laptop risk; the combination does. See also: Information security or IT security?

What are the benefits of ISMS?

How is an ISMS beneficial? Without some kind of framework, information security becomes unmanageable, and this is where ISO 27001 comes in. When you build your Information Security Management System, which means developing a set of information security rules, responsibilities, and controls, you gain the means to manage such a complex system.

Finally, an Information Security Management System is nothing more than several security processes tied together: the better these processes are defined, and the better they are interrelated, the fewer incidents you will have. An ISMS implemented this way becomes a genuinely useful asset to your organization rather than a pile of paperwork.

To see all the necessary tasks for ISMS implementation and maintenance, and learn how to comply with ISO 27001 with less bureaucracy, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become certified against ISO 27001 and other ISO standards. He believes that making ISO standards easy to understand and simple to use creates a competitive advantage for Advisera's clients.

As an ISO 27001 expert, Dejan helps companies find the best way to obtain certification by eliminating overhead and adapting the implementation to their size and industry specifics.