
What is an Information Security Management System (ISMS)?

An Information Security Management System (ISMS) is at the heart of ISO 27001 certification. Understanding what an ISMS is and how to build one is essential for successful certification. This guide explains everything you need to know.

Key Takeaways

  • Definition: a systematic approach to managing sensitive information through people, processes, and technology
  • Core model: the Plan-Do-Check-Act (PDCA) cycle for continual improvement
  • Key components: context and scope, leadership, risk management, controls (93 in Annex A of ISO 27001:2022), monitoring, internal audit, improvement
  • Required documentation: 15+ mandatory documents, including the scope, the policy, the risk methodology, and the Statement of Applicability
  • Build timeline: 6 phases over roughly 24 weeks, from foundation to certification

Quick Answer: An ISMS is a framework of policies, procedures, and controls for managing information security. It follows the Plan-Do-Check-Act cycle and requires documentation of scope, risks, controls, and continual improvement activities.

ISMS Definition

What is an ISMS?

An Information Security Management System (ISMS) is a systematic approach to managing sensitive information so that it remains secure. It includes:

  • People: Roles, responsibilities, and security awareness
  • Processes: Policies, procedures, and workflows
  • Technology: Security tools, systems, and controls

Key Characteristics

  • Systematic: follows a defined methodology
  • Risk-based: driven by identified risks
  • Documented: policies, procedures, and records are maintained
  • Measurable: performance is tracked and evaluated
  • Continually improved: reviewed and enhanced at regular intervals

ISMS vs. Security Program

  • Structure: a generic security program is often ad hoc; an ISO 27001 ISMS is formally defined
  • Risk approach: varies in a generic program; an ISO 27001 ISMS mandates a documented risk methodology
  • Documentation: inconsistent in a generic program; comprehensive, defined requirements in an ISMS
  • Improvement: when needed in a generic program; a continuous cycle in an ISMS
  • Verification: internal only for a generic program; external certification audits for an ISMS

ISMS Components

Core ISMS Elements

Information Security Management System (ISMS) Components:

1. Context & Scope:

  • Organization context
  • Stakeholder requirements
  • ISMS boundaries

2. Leadership:

  • Commitment
  • Policy
  • Roles

3. Risk Management:

  • Assessment
  • Treatment
  • Register

4. Support Resources:

  • People
  • Awareness
  • Competence
  • Documents

5. Controls:

  • 93 Annex A Controls
  • Additional as needed

6. Monitoring & Metrics

7. Internal Audit

8. Management Review

9. Improvement:

  • Corrective action
  • Continual improvement

1. Context and Scope

Purpose: Define what your ISMS covers

Key elements:

  • Understanding your organization's context
  • Identifying stakeholder requirements
  • Defining ISMS boundaries
  • Determining applicable requirements

Scope examples:

  • "All cloud-based services and supporting infrastructure"
  • "Customer data processing systems and operations"
  • "Product development and delivery processes"

2. Leadership and Commitment

Purpose: Ensure management support and direction

Key elements:

  • Top management commitment: active involvement and visible support
  • Information security policy: high-level direction, approved by top management
  • Roles and responsibilities: clear accountability for security outcomes
  • Resources: adequate budget and people

3. Risk Management

Purpose: Identify and address security risks

Key elements:

  • Risk assessment methodology
  • Risk identification process
  • Risk analysis and evaluation
  • Risk treatment options
  • Risk register maintenance

Risk treatment options:

  • Modify: implement controls to reduce likelihood, impact, or both
  • Accept (retain): keep the risk as-is; the risk owner must document acceptance of the residual risk
  • Avoid: stop or change the activity that gives rise to the risk
  • Share: transfer part of the risk to a third party (e.g., insurance or outsourcing); accountability for the risk stays with the organization

4. Controls

Purpose: Protect information assets

Control sources:

  • Annex A controls (93 in ISO 27001:2022)
  • Additional controls based on risk assessment
  • Regulatory requirements
  • Contractual obligations

5. Support and Resources

Purpose: Provide necessary capabilities

Key elements:

  • Resources: budget, tools, time
  • Competence: skills and training for people doing security-relevant work
  • Awareness: staff understand the policy and their part in it
  • Communication: internal and external, including who communicates what, to whom, and when
  • Documented information: policies, procedures, and records

6. Performance Evaluation

Purpose: Assess ISMS effectiveness

Key activities:

  • Monitoring and measurement
  • Internal audits
  • Management review

7. Improvement

Purpose: Enhance ISMS over time

Key activities:

  • Nonconformity management
  • Corrective actions
  • Continual improvement

The Plan-Do-Check-Act Cycle

PDCA Overview

ISO 27001's ISMS follows the PDCA model:

Plan-Do-Check-Act (PDCA) Cycle:

PLAN:

  • Establish ISMS policy
  • Define scope
  • Conduct risk assessment
  • Select controls
  • Document SoA

DO:

  • Implement controls
  • Execute procedures
  • Train staff
  • Operate ISMS

CHECK:

  • Monitor effectiveness
  • Internal audit
  • Management review
  • Measure performance

ACT:

  • Address nonconformity
  • Corrective actions
  • Improve ISMS

PDCA in Practice

  • Plan (initially and on major changes): scope definition, risk assessment, control selection
  • Do (continuous): control operation, training, day-to-day security
  • Check (ongoing plus periodic): monitoring, internal audits, management reviews
  • Act (as needed): corrective actions, improvements

Required ISMS Documentation

Mandatory Documents

ISO 27001 requires the following documented information (clause numbers follow the 2022 edition; note that nonconformity and corrective action moved from clause 10.1 in the 2013 edition to 10.2 in 2022):

  • ISMS scope (clause 4.3): define boundaries
  • Information security policy (5.2): set direction
  • Risk assessment process (6.1.2): standardize the approach
  • Risk assessment results (6.1.2): record findings
  • Risk treatment plan (6.1.3): document responses
  • Statement of Applicability (6.1.3 d): list applicable and excluded controls, each with a justification
  • Information security objectives (6.2): define targets
  • Competence evidence (7.2): prove capability
  • Operational planning and control records (8.1): guide operations
  • Ongoing risk assessment results (8.2): record assessments performed during operation
  • Risk treatment results (8.3): document treatments
  • Monitoring and measurement results (9.1): track performance
  • Internal audit programme and results (9.2): verify the ISMS
  • Management review results (9.3): leadership oversight
  • Nonconformities and corrective actions (10.2): track issues

Recommended Documents

Additional useful documentation:

  • Asset inventory: track information assets and their owners
  • Acceptable use policy: guide employee behavior
  • Access control policy: manage access rights
  • Incident response procedure: handle security incidents
  • Business continuity plan: ensure resilience
  • Vendor management policy: control third parties

Building Your ISMS

Phase 1: Foundation (Weeks 1-3)

Establish context and scope:

  • Document organizational context
  • Identify stakeholders and requirements
  • Define ISMS scope
  • Obtain management commitment

Phase 2: Risk Assessment (Weeks 3-5)

Identify and assess risks:

  • Define risk assessment methodology
  • Identify information assets
  • Identify threats and vulnerabilities
  • Assess risk likelihood and impact
  • Prioritize risks

Phase 3: Control Selection (Weeks 5-7)

Determine controls:

  • Review Annex A controls
  • Select applicable controls
  • Document Statement of Applicability
  • Create risk treatment plan
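Phases 2 and 3 (assess risks, then pick treatment options, select controls, and write the Statement of Applicability) are usually run out of a spreadsheet. The following Python is an added example, not code from the original page or from Bastion, that encodes the same steps so they can be checked mechanically: a 5x5 likelihood-times-impact scoring scale, prioritisation by inherent score, a check that each risk's treatment option (modify, accept, avoid, share) leaves residual risk within an assumed appetite or carries documented acceptance by the risk owner, and derivation of an SoA that records a justification for every included and excluded control. The register entries, the appetite threshold of 8, the Annex A subset and the contractual driver are all constructed assumptions.

```python
"""Risk register: score, prioritize, validate treatment, derive an SoA. Added example,
not from the original page; register, scale, appetite and control subset are assumed."""
from dataclasses import dataclass, field
from typing import Optional

TREATMENTS = ("modify", "accept", "avoid", "share")
RISK_APPETITE = 8  # assumed: scores above this need treatment or documented acceptance
ANNEX_A = {  # constructed subset of ISO/IEC 27001:2022 Annex A control IDs
    "5.15": "Access control",
    "8.5": "Secure authentication",
    "8.8": "Management of technical vulnerabilities",
    "8.13": "Information backup",
    "8.24": "Use of cryptography",
}

@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    likelihood: int                  # 1 rare .. 5 almost certain
    impact: int                      # 1 negligible .. 5 severe
    owner: str                       # risk owner who approves the treatment
    treatment: str                   # one of TREATMENTS
    controls: list = field(default_factory=list)  # Annex A IDs for "modify"
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    accepted_by: Optional[str] = None  # documented acceptance above appetite

def score(likelihood: int, impact: int) -> int:
    """Qualitative 5x5 matrix: likelihood times impact, range 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact

def inherent_score(r: Risk) -> int:
    return score(r.likelihood, r.impact)

def residual_score(r: Risk) -> Optional[int]:
    """Score after treatment; None if modify/share lacks a residual estimate."""
    if r.treatment == "avoid":
        return 0                     # activity eliminated, nothing remains
    if r.treatment == "accept":
        return inherent_score(r)     # retained unchanged
    if r.residual_likelihood is None or r.residual_impact is None:
        return None
    return score(r.residual_likelihood, r.residual_impact)

def prioritize(register):
    """Highest inherent score first; ties broken by ID for a stable order."""
    return sorted(register, key=lambda r: (-inherent_score(r), r.risk_id))

def validate_treatment(r: Risk, appetite: int = RISK_APPETITE):
    """Findings that would block risk-owner sign-off of the treatment plan."""
    if r.treatment not in TREATMENTS:
        return [f"{r.risk_id}: unknown treatment '{r.treatment}'"]
    findings = []
    if r.treatment == "modify" and not r.controls:
        findings.append(f"{r.risk_id}: 'modify' selected but no controls listed")
    residual = residual_score(r)
    if residual is None:
        findings.append(f"{r.risk_id}: no residual likelihood/impact recorded")
    elif residual > appetite and not r.accepted_by:
        findings.append(f"{r.risk_id}: residual score {residual} exceeds appetite "
                        f"{appetite} with no documented acceptance by the risk owner")
    return findings

def statement_of_applicability(register, extra_drivers=None):
    """Mark each Annex A control applicable or excluded, with the justification
    clause 6.1.3 d) requires for both inclusions and exclusions."""
    extra_drivers = extra_drivers or {}
    soa = {}
    for cid, title in ANNEX_A.items():
        risks = sorted(r.risk_id for r in register
                       if r.treatment == "modify" and cid in r.controls)
        reasons = ["risk treatment for " + ", ".join(risks)] if risks else []
        if cid in extra_drivers:
            reasons.append(extra_drivers[cid])
        soa[cid] = {"title": title, "applicable": bool(reasons),
                    "justification": "; ".join(reasons)
                    or "no risk, legal or contractual driver identified"}
    return soa

# Constructed sample register: hypothetical assets, threats, owners and scores.
REGISTER = [
    Risk("R-01", "Customer database", "Credential stuffing on admin login", 4, 5,
         "Head of Engineering", "modify", ["5.15", "8.5"], 1, 5),
    Risk("R-02", "Backups", "Ransomware destroys online backups", 3, 5,
         "IT Manager", "modify", ["8.13"], 2, 5),
    Risk("R-03", "Staff laptops", "Shoulder surfing in public", 2, 2, "Office Manager", "accept"),
    Risk("R-04", "Legacy FTP server", "Unpatched service exploited", 4, 4, "IT Manager", "avoid"),
    Risk("R-05", "Payment processing", "Fraud losses", 3, 4, "CFO", "share", [], 3, 2),
    Risk("R-06", "Office Wi-Fi", "Rogue access point", 3, 3, "IT Manager", "accept"),
]
EXTRA_DRIVERS = {"8.24": "contractual: customer DPA requires encryption at rest"}  # constructed

def treatment_plan_findings(register=REGISTER, appetite=RISK_APPETITE):
    return [f for r in register for f in validate_treatment(r, appetite)]
```

Run treatment_plan_findings() before the risk owners sign the treatment plan; an empty list is the sign-off condition. With the constructed register it flags R-02 (residual 10 is still above the appetite of 8 after backups are added) and R-06 (a risk of 9 marked "accept" with nobody recorded as accepting it). statement_of_applicability(REGISTER, EXTRA_DRIVERS) marks 5.15, 8.5 and 8.13 applicable through risk treatment, 8.24 applicable through the contractual driver, and 8.8 excluded with a justification, which is the form an auditor will expect the SoA to take at Stage 1.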

Phase 4: Implementation (Weeks 7-14)

Implement the ISMS:

  • Develop policies and procedures
  • Implement technical controls
  • Deploy security tools
  • Train employees
  • Begin evidence collection

Phase 5: Operation (Weeks 14-20)

Run the ISMS:

  • Operate controls
  • Monitor effectiveness
  • Collect evidence
  • Conduct internal audit
  • Hold management review

Phase 6: Certification (Weeks 20-24)

Achieve certification:

  • Stage 1 audit (documentation)
  • Address any gaps
  • Stage 2 audit (implementation)
  • Resolve nonconformities
  • Receive certificate

ISMS Governance Structure

Typical Roles

ISMS Governance Structure:

Top Management (CEO, Executive Team):

  • Overall accountability
  • Resource allocation
  • Policy approval
  • Management review participation

Information Security Manager (CISO, Security Lead, or vCISO):

  • ISMS implementation
  • Risk management oversight
  • Reporting to management
  • Audit coordination

Control Owners:

  • Implement controls
  • Maintain evidence
  • Report

Risk Owners:

  • Monitor risks
  • Report changes
  • Escalate issues

Internal Auditor:

  • Audit ISMS
  • Report findings
  • Verify corrections

Management Review

Required at planned intervals (typically quarterly or annually):

Inputs:

  • Status of previous actions
  • Changes affecting ISMS
  • Performance feedback (nonconformities, monitoring, audits)
  • Stakeholder feedback
  • Risk assessment results
  • Improvement opportunities

Outputs:

  • Improvement decisions
  • ISMS changes needed
  • Resource requirements

Common ISMS Challenges

Challenge 1: Scope Creep

Problem: ISMS scope keeps expanding

Solution:

  • Define clear boundaries upfront
  • Document exclusions with justification
  • Review scope at management reviews
  • Resist adding scope without proper planning

Challenge 2: Documentation Overload

Problem: Too much documentation, poorly maintained

Solution:

  • Document what's required, no more
  • Use templates efficiently
  • Automate where possible
  • Regular document reviews

Challenge 3: Lack of Ownership

Problem: No one takes responsibility for controls

Solution:

  • Assign clear control owners
  • Include in job descriptions
  • Track ownership in risk register
  • Regular accountability reviews

Challenge 4: Risk Assessment Complexity

Problem: Risk assessment becomes unwieldy

Solution:

  • Use appropriate methodology
  • Focus on significant risks
  • Don't over-engineer the process
  • Regular refresh, not complete redo

Challenge 5: Maintaining Momentum

Problem: ISMS becomes stale after certification

Solution:

  • Regular internal audits
  • Continuous monitoring
  • Management engagement
  • Tie to business objectives

The Bastion Approach

ISMS Made Manageable

Bastion simplifies ISMS implementation:

  • Complex documentation: pre-built templates and policies
  • Risk assessment: guided methodology with expert support
  • Control implementation: prioritized roadmap
  • Evidence collection: automated collection from integrations
  • Ongoing maintenance: continuous monitoring and alerts

Expert Guidance

Your dedicated vCISO provides:

  • ISMS design appropriate to your size
  • Risk assessment facilitation
  • Control selection guidance
  • Documentation review
  • Audit preparation support

Ready to build your ISMS? Talk to our team →
