What is an Information Security Management System (ISMS)?

Introduction to ISMS

Maybe you are aiming to learn more about the ISMS, or maybe you have been tasked with creating an ISMS for your organization and have no idea what the term even means. By the time that you have finished reading this article, when someone asks you "What is an information security management system (ISMS)?", you will be able to confidently steer them in the right direction.

ISMS is a massive subject and it is often daunting, so this article is a high-level overview of the basics to help you get started. From here you can delve further into ISMS sub-topics as required.

ISMS Definition / ISMS Meaning

The acronym "ISMS" refers to an Information Security Management System. In practice, an ISMS is a well-documented set of Controls which describes how you are managing the Risks within your environment.

An effective ISMS will protect the Confidentiality, Integrity and Availability of an organization's assets.

ISO 27001 and ISO 27002

Many people will have heard about ISO 27001, at least in passing, but there are two different components that you should be aware of that work hand-in-hand to deliver an overall ISMS strategy. In fact, if you are interested in learning more, there are more than a dozen different ISO Standards which are in some way related to an ISMS, you can read about them all in ISMS ISO Standards – summarised list.

ISO 27001 is the internationally recognized Standard which sets out the requirements of an Information Security Management System.

ISO 27001 then works alongside ISO 27002. ISO 27002 lists many suggested Controls which can be implemented by an organization to help them meet the requirements of the ISO 27001 Standard.

There is nothing preventing you from building an Information Security Management System following the requirements set out in ISO 27001 even if you don't plan on becoming ISO 27001 certified. However, if you do want that certificate, and the assurance that your systems are operating as mandated by the Standard, then external independent auditors must be engaged to perform reviews of your organization.

ISMS Risks and ISMS Controls

There are two cornerstones of the ISMS which must be understood: Risks and Controls.

ISMS Risks are the potential threats to your organization. These are the things that may harm your business if they come to fruition. When we talk about ISMS Risks we aren't just referring to external threats in the form of cyber hackers wearing dark hoodies, but also a risk such as unapproved technical changes being implemented on Production systems or the risk of backup tapes being disposed of without their data being properly sanitized.

Defining the ISMS Risks in your organization is a critically important step: if you haven't captured a Risk, you are unlikely to mitigate it effectively either.

After determining a big long list of ISMS Risks, we then need to work out how to treat them. You didn't really think that we were going to just leave them sitting alone, did you? Read about identifying risks in detail in ISMS Risk Assessment.

The key tool that we use to manage those risks is the ISMS Control. Controls are where we document the steps which we are going to take to ensure that those ISMS Risks are effectively managed, so that the remaining risk level is deemed acceptable to the organization. Remember those unapproved technical changes? Let's put in place a formalized Change Management ISMS Control. And those old backup tapes that we sent off without being wiped? We'll put in place a Control detailing how asset disposal will be handled, to ensure that our precious information is not put at risk.

That's ISMS Risks and ISMS Controls in a nutshell.

ISMS Metrics / ISMS Measures

You know your ISMS Risks, you've chosen to put in place ISMS Controls, so now you can hang up your boots and go home, right? Well, not so fast. You need to measure.

In the same way that a business doesn't know whether it is profitable without running reports, we don't know whether an Information Security Management System is effective unless we are also measuring results.

ISMS Metrics, also referred to as ISMS Measures, are used to measure the effectiveness of our ISMS Controls. Let's imagine that you have established an ISMS Control, part of which is to patch all of your Microsoft Windows Servers each month. There should be ISMS Metrics in place to monitor that the ISMS Control is actually running. Your metric might be to take a snapshot of all Windows Servers in your environment on the last day of the month and confirm that the patching has been completed. This would be a pro-active ISMS Metric.

Or what about Phishing, one of the biggest entry points into networks for cyber criminals today? There could be an ISMS Metric tracking the number of phishing Incidents in your organization. This would be a re-active ISMS Metric.

A combination of both pro-active metrics (things you are doing) and re-active metrics (results) often delivers the best results.
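As an added illustration of the two metrics described above (not code from the original article), the script below computes the pro-active patch-compliance metric and the re-active phishing-incident metric from a constructed server inventory and incident log; the server names, incident IDs and dates are all made-up sample data.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from any real environment:
# when each Windows Server was last fully patched (None = no record at all).
SERVERS = {
    "WIN-APP-01": date(2024, 3, 28),
    "WIN-APP-02": date(2024, 3, 30),
    "WIN-DB-01": date(2024, 2, 14),   # missed the March patch cycle
    "WIN-FILE-01": None,              # never recorded as patched
}
# Constructed incident log; only the "phishing" category feeds the metric.
INCIDENTS = [
    {"id": "INC-1001", "category": "phishing", "opened": date(2024, 3, 2)},
    {"id": "INC-1002", "category": "malware", "opened": date(2024, 3, 9)},
    {"id": "INC-1003", "category": "phishing", "opened": date(2024, 3, 21)},
    {"id": "INC-1004", "category": "phishing", "opened": date(2024, 2, 27)},
]
SNAPSHOT = date(2024, 3, 31)  # the "last day of the month" snapshot

def month_bounds(snapshot):
    """First and last day of the month containing the snapshot date."""
    first = snapshot.replace(day=1)
    next_first = (first + timedelta(days=32)).replace(day=1)
    return first, next_first - timedelta(days=1)

def patch_compliance(servers, snapshot):
    """Pro-active metric: share of servers patched within the snapshot
    month, plus the non-compliant servers that need follow-up."""
    first, last = month_bounds(snapshot)
    missing = sorted(name for name, patched in servers.items()
                     if patched is None or not first <= patched <= last)
    compliant = len(servers) - len(missing)
    return {"compliant": compliant, "total": len(servers),
            "percent": round(100 * compliant / len(servers), 1),
            "meets_target": not missing,   # Control says: all servers, monthly
            "non_compliant": missing}

def phishing_incidents(incidents, snapshot):
    """Re-active metric: phishing incidents opened in the snapshot month."""
    first, last = month_bounds(snapshot)
    return sum(1 for inc in incidents
               if inc["category"] == "phishing"
               and first <= inc["opened"] <= last)

if __name__ == "__main__":
    print("Patch compliance:", patch_compliance(SERVERS, SNAPSHOT))
    print("Phishing incidents this month:", phishing_incidents(INCIDENTS, SNAPSHOT))
```

Running the script reports 2 of 4 servers compliant (50.0%) with WIN-DB-01 and WIN-FILE-01 flagged, and 2 phishing incidents for March; a real deployment would replace the constructed dictionaries with data pulled from your patch-management and ticketing systems.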

ISMS Cycle

We have gone over some of the major components of an ISMS, now we need to bring them all together.

The Plan, Do, Check, Act model works well for an ISMS. The steps are pretty straightforward, and you are likely already doing something very similar in other parts of your business.

Plan, Do, Check, Act is a constant cycle. You are never "finished" with your ISMS; it is a living, breathing system.


An Information Security Management System (ISMS) is really pretty simple. Having read and understood this article you now likely have a better understanding of how an ISMS operates than 95% of the people in your organization.

Are you confused with some of the terminology used in this article? If so, check out the ISMS list with definitions.