What is an information security management system (ISMS)?

If you start making forays into the world of information security and management systems, you will quickly stumble across the term ‘ISMS’.

ISMS stands for “information security management system.” It’s a documented management system of policies, processes, people and security controls that protects the confidentiality, integrity and availability of information assets against the threats that could exploit their vulnerabilities.

By designing, implementing, managing and maintaining an ISMS, organizations can protect their confidential, personal and sensitive data from being compromised, and can demonstrate to others that they are doing so.

Implementing an ISMS

There are numerous ways of approaching the implementation of an ISMS. The most common method to follow is the ‘Plan, Do, Check, Act’ (PDCA) cycle: plan the ISMS and its controls, implement them, check that they are working through monitoring, measurement and audit, and act on the findings to improve the system.

ISO 27001 (formally ISO/IEC 27001) is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS.

ISO 27001, along with the best-practice implementation guidance for its controls contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS. 

A certified ISMS, independently audited by an accredited certification body, can serve as the necessary reassurance to customers and potential clients that the organization has taken the steps required to protect their information assets from a range of identified risks. Certification shows that the management system is in place and operating; it is not a guarantee that no incident will occur.

The strength of an ISMS depends on the robustness of the information security risk assessment, which is key to any implementation.

The ability to recognize the full range of risks that the organization and its data may face in the foreseeable future is a precursor to selecting the necessary mitigating measures (known as ‘controls’). Because threats, assets and the business change, the assessment must be repeated at planned intervals and whenever a significant change occurs, not performed once and filed away.

Annex A of ISO 27001 provides a list of reference controls that can serve as a checklist to verify that you have not overlooked any control necessary for legislative, business, contractual or regulatory reasons. The list is not exhaustive: controls from other sources can be added where the risk assessment calls for them, and every Annex A control that is excluded must be justified in the Statement of Applicability.

Getting started with your ISMS

The key to an effective ISMS is a risk assessment. After all, it’s only when you know which assets you hold and what threats they face that you can implement appropriate defences.

This can be a labour-intensive task, but you can simplify the process with our risk assessment tool vsRisk.

With this software package, you’ll receive a simple and fast way to define your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

A version of this blog was originally published on 27 July 2018.