What is an ISMS (Information Security Management System)?

ISMS stands for “information security management system.” It’s a documented management system consisting of a set of security controls that protect the confidentiality, availability, and integrity of assets from threats and vulnerabilities.

By designing, implementing, managing, and maintaining an ISMS, organizations can protect their confidential, personal, and sensitive data from being compromised.

Implementing an ISMS

There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is a ‘Plan, Do, Check, Act’ (PDCA) cycle.

ISO 27001 is the international security standard that details the requirements of an ISMS.

ISO 27001, along with the best-practice guidelines contained in ISO 27002, serves as an excellent starting point for implementing an ISMS.

A certified ISMS, independently audited by an approved certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect its information assets from a range of identified risks.

The strength of an ISMS is based on the robustness of the information security risk assessment, which is key to any implementation.

The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to implementing the necessary mitigating measures (known as ‘controls’).

ISO 27001 provides a list of recommended controls that can serve as a checklist to assess whether you have considered the controls necessary for legislative, business, contractual, or regulatory purposes.

Getting started with your ISMS

The key to an effective ISMS is a risk assessment. After all, it’s only when you know what threats you face that you can implement appropriate defenses.

This can be a labor-intensive task, but you can simplify the process with our risk assessment tool vsRisk.

With this software package, you’ll receive a fast and straightforward way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organizational roles to each asset group, applying relevant threats and risks by default.

Meanwhile, its integrated risk, vulnerability, and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

A version of this blog was originally published on 27 July 2018.