What is an ISMS?
September 7th, 2019
3 min read.
One of the most frequently misunderstood parts of ISO27001 is the requirement for an Information Security Management System (an ISMS).
The use of the word "system" here leads many to believe that an ISMS is a technology solution - and that has led to a whole industry providing cloud-based solutions (ironically, many of which are not themselves ISO27001 certified).
We need to start by recognising that a "system" is simply a defined way of doing something. You have systems everywhere and work with them every day. Think about how you make a cup of coffee (or tea!). Depending on your method, loosely speaking you:
Fill the kettle
Boil the kettle
Scoop in the coffee
Pour on the water
Add the milk
Now imagine we tightened up this "system" to guarantee the same results like this:
Fill the kettle with 200ml of water at 5°C
Boil the kettle
Scoop in 10g of [preferred brand] coffee
Wait until the water temperature has dropped to 85°C
Pour on 180ml water
Add 20ml of milk at 4°C
ISO27001 is all about reducing risk where we can, and managing residual risk. One way to manage residual risk is to make sure, where possible, we can guarantee an outcome.
In systemising, we improve the chances that we will get consistent results each time we do something.
An Information Security Management System is therefore a defined way of managing information security within your business - that's it.
It doesn't have to be a technology system - although that might be helpful.
You essentially need to develop a way (system) for keeping track of what you do to manage risk. This will include things like:
What you have
What needs to be done
When it needs to be done
Who is going to do it
How it's going to be done
When it was done
Any discoveries when doing it
When it's going to be reviewed
...and a bunch of other stuff.
We'd love to tell you exactly what should go into your ISMS - but honestly, it will be different in every setting, because it's about how you, your business, will manage risk.
We would, of course, be very happy to help you with your ISO27001 project - why not give us a call on: 01530 637 833
Thanks for reading - if you found this helpful, please consider sharing it!