What is an ISMS (Information Security Management System)?

ISMS stands for “information security management system.” An ISMS includes policies, processes and procedures to manage information security risks in a structured and systematic way.

By designing, implementing, managing, and maintaining an ISMS, organizations can protect their confidential, personal, and sensitive data from being compromised.

Implementing an ISMS

There are numerous ways of approaching the implementation of an ISMS. The most common method is to follow a ‘Plan-Do-Check-Act’ (PDCA) cycle.

ISO 27001 is the international security standard that details the requirements of an ISMS.

ISO 27001, along with the best-practice guidelines contained in ISO 27002, serves as an excellent guide to get you started with implementing an ISMS.

An ISMS that is certified and audited can provide customers with the assurance that the organization has taken steps to protect its information assets from risks that have been identified.

The strength of an ISMS depends on the robustness of its information security risk assessment, which is key to any implementation.

Recognizing the risks that the organization and its data may face in the future is necessary before the mitigating measures (controls) can be selected and implemented.

ISO 27001 provides a reference list of controls that helps you check whether the controls needed for legislative, business, contractual, or regulatory purposes have been considered.

Getting started with your ISMS

The key to an effective ISMS is a risk assessment. After all, it’s only when you know what threats you face that you can implement appropriate defenses.

This can be a labor-intensive task, but you can simplify the process with our risk assessment tool vsRisk.

With this software package, you get a fast and straightforward way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organizational roles to each asset group, applying relevant threats and risks by default.

Meanwhile, its integrated risk, vulnerability, and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

A version of this blog was originally published on 27 July 2018.