An information security management system is the keystone of the ISO 27001 standard. The framework is built to provide guidance for building, assessing, maintaining, and improving a secure ISMS.

Below, we’ll unpack what an ISMS is, and we’ll explain how to build one that meets the ISO 27001 international standard’s requirements.

What is an Information Security Management System? (ISMS)

If an organization’s information assets are its crown jewels, the ISMS is the vault. It’s the people, systems, technology, process, and information security policies that all come together to protect sensitive data across the entire organization.

But an ISMS is more than just the hardware and software you use to keep information safe — it’s also a set of principles that guide and govern how you: 

• Use information
• Store and retrieve data
• Assess and treat risk
• Continuously improve data security

The process of building an ISMS helps you: 

• Identify key stakeholders and their information security requirements
• Set clear expectations and responsibilities around information security across the entire organization
• Identify threats to information assets
• Define and implement controls to mitigate vulnerabilities
• Monitor and measure performance of information security controls
• Continuously improve the ISMS 

What are the components of an ISMS?

An ISMS encompasses the four Ps: 

1. People
2. Policies and processes
3. Products and technologies
4. Partners and third-party vendors

In practice, an ISMS includes everything from HR processes like conducting background checks, to data encryption and secure development practices, to business continuity planning and vendor risk management. It includes anything and everything an organization does to identify and manage information security risks. 

The benefits of a compliant ISMS extend beyond ISO 27001 certification. It can help you improve business efficiency, identify redundancies and lower costs, and establish scalable security practices. 

How to build an ISMS that meets ISO/IEC 27001:2013 requirements

The ISO 27001 information security standard defines what organizations need to do to build and maintain a compliant ISMS. 

• Establish ISMS scope. Not every piece of information will fall under the scope of your ISMS. According to clause 4.3, organizations must first define which information assets need to be protected. 
• Complete a risk assessment. Next, you’ll need to identify vulnerabilities for each information asset. A risk assessment will help you pinpoint specific threats so you can create a plan to mitigate them.
• Create a risk treatment plan. Once risks are identified, you can decide what to do about them. Depending on your organization’s risk appetite, you can either accept, treat, avoid, or transfer the risk.
• Design and implement security controls. Annex A outlines groups of security controls to help organizations decide which controls to use. ISO 27002 provides more detailed information on each control, including how to implement it. 
• Perform regular internal audits. Once you’ve built your ISMS you need to monitor its effectiveness with regular internal audits. The results of these internal audits help you improve your ISMS and ensure it continues to meet your organization’s needs over time. 
• Define a process for continuous improvement. Typically, management reviews the results of each internal audit to discuss potential improvements to the ISMS. 

If you're building out your ISMS and trying to achieve ISO 27001 certification, check out the video below for some invaluable tips.