ISMS (Information Security Management System)

An ISMS (Information Security Management System) is the systematic framework that an organisation uses to manage, monitor and continually improve its information security. It is the core of the ISO 27001 standard and forms the foundation for certification.

    What is an ISMS?

    ISMS stands for Information Security Management System. It is not a single document or an IT system but rather a comprehensive framework of policies, processes, procedures and controls that together ensure an organisation manages information security in a structured and purposeful manner.

    The goal of an ISMS is to protect the organisation's information assets against threats such as data breaches, cyberattacks, accidental disclosure and physical loss. A well-functioning ISMS ensures that security is not a one-off project but a continuous process.

    ISMS and ISO 27001

    ISO 27001 is the international standard that specifies the requirements for an ISMS. The standard is published by ISO (International Organization for Standardization) and defines what an ISMS must contain to be certifiable.

    It is important to understand the distinction: ISO 27001 is the standard, whilst the ISMS is the actual management system your organisation builds. You can have an ISMS without seeking certification, but an ISO 27001 certification requires an ISMS that meets all the requirements in the standard.

    Not just IT: An ISMS covers more than just IT security. It encompasses physical security, human resources, supplier management and legal requirements. Information security is a responsibility that spans the entire organisation.

    What must an ISMS contain?

    ISO 27001 requires that an ISMS contain, at a minimum:

    • Information security policy: A top-level statement from management on the organisation's approach to security.
    • Risk assessment process: A systematic method for identifying and evaluating information security risks.
    • Risk treatment plan: Concrete measures for addressing the identified risks.
    • Statement of Applicability (SoA): Documentation of which Annex A controls have been selected or excluded.
    • Internal audit: Regular internal reviews of the ISMS's effectiveness.
    • Management review: Periodic review of the ISMS by top management.

    The PDCA cycle

    The ISO 27001 structure is based on the PDCA cycle (Plan-Do-Check-Act), which drives continual improvement:

    • Plan: Establish the ISMS scope, policies and risk assessment methodology.
    • Do: Implement controls and processes.
    • Check: Monitor, measure and review the ISMS through audits and management reviews.
    • Act: Initiate corrective actions and improvements.

    This cycle is what makes an ISMS a living system rather than a static set of documents.

    Frequently Asked Questions about ISMS (Information Security Management System)

    What is an ISMS?

    An ISMS (Information Security Management System) is a collection of policies, processes and controls that together ensure an organisation manages its information security systematically and on an ongoing basis. It is the core of the ISO 27001 standard.

    What is the difference between ISMS and ISO 27001?

    ISO 27001 is the standard that describes the requirements for an ISMS. An ISMS is the management system itself that your organisation builds and maintains. You can have an ISMS without being certified, but ISO 27001 certification requires an ISMS that meets the standard's requirements.

    What must an ISMS contain?

    An ISMS must, at a minimum, contain an information security policy, a risk assessment process, a risk treatment plan, a Statement of Applicability (SoA), and processes for internal audit, management review and continual improvement.

    Is an ISMS only about IT security?

    No. An ISMS covers far more than IT security. It encompasses physical security, human resources, supplier management and legal requirements. Information security is a cross-organisational responsibility.

    How long does it take to implement an ISMS?

    For most SMEs, implementing an ISMS typically takes 6-12 months, depending on the organisation's size, complexity and existing security maturity. Using templates and structured guidance can significantly accelerate the process.
