What is an ISMS?
September 7th, 2019
One of the most frequently misunderstood parts of ISO27001 is the requirement for an Information Security Management System (an ISMS).

The use of the word "system" here leads many to believe that an ISMS is a technology solution - and that has led to a whole industry providing cloud-based solutions (ironically, many of which are not themselves ISO27001 certified).

What is a system?

We need to start by recognising that a "system" is simply a defined way of doing something. You have systems everywhere and work with them every day. Think about how you make a cup of coffee (or tea!). Depending on your method, loosely speaking you:

  • Fill the kettle
  • Boil the kettle
  • Scoop in the coffee
  • Pour on the water
  • Add the milk

Now imagine we tightened up this "system" to guarantee the same results like this:

  • Fill the kettle with 200ml of water at 5°C
  • Boil the kettle
  • Scoop in 10g of [preferred brand] coffee
  • Wait until the water temperature has dropped to 85°C
  • Pour on 180ml of water
  • Add 20ml of milk at 4°C

What's the point?

ISO27001 is all about reducing risk where we can, and managing residual risk. One way to manage residual risk is to make sure, where possible, we can guarantee an outcome.

In systemising, we improve the chances that we will get consistent results each time we do something.

Therefore an ISMS is...?

An Information Security Management System is therefore a defined way of managing information security within your business - that's it.

It doesn't have to be a technology system - although that might be helpful.

You essentially need to develop a way (system) for keeping track of what you do to manage risk. This will include things like:

  • What you have
  • What needs to be done
  • When it needs to be done
  • Who is going to do it
  • How it's going to be done
  • When it was done
  • Any discoveries made when doing it
  • When it's going to be reviewed

...and a bunch of other stuff.

Don't leave me hanging

We'd love to tell you exactly what should go into your ISMS - but honestly, it will be different in every setting, because it's about how you, your business, will manage risk.

We would, of course, be very happy to help you with your ISO27001 project - why not give us a call on: 01530 637 833

Thanks for reading - if you found this helpful, please consider sharing it!

Andy Larkum

Managing Director

© ADL Consulting Ltd 2023. All rights reserved.