
Overview of an Information Security Management System

Posted by Data Send UK / Written by Tony Stewart


Information security is the protection of information so that three properties hold:

Confidentiality: information is accessible only to those authorised to access it.
Integrity: information is accurate and complete, and is not modified (or destroyed) without authorisation.
Availability: information is accessible to authorised users when they require it.


Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organisational structures, and software and hardware functions). An Information Security Management System (ISMS) is the framework for protecting and managing information on the basis of a systematic assessment of business risk: it is used to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organisation-wide approach rather than a collection of isolated technical measures.


ISO and IEC jointly publish two standards that focus on an organisation's ISMS:

The code of practice standard: ISO/IEC 27002. This standard can be used as a starting point for developing an ISMS. It provides guidance for planning and implementing a programme to protect information assets, and it describes a catalogue of controls (safeguards) that you can consider implementing as part of your ISMS. It is guidance, not a certification standard.

The management system standard: ISO/IEC 27001. This standard specifies the requirements for an ISMS, and its Annex A lists the controls that ISO/IEC 27002 describes in detail; the organisation records which of those controls it applies, and why, in its Statement of Applicability. ISO/IEC 27001 is the standard against which certification is performed, and it sets out the documented information an ISMS must maintain. An organisation that seeks certification of its ISMS is audited against this standard.

The standards set forth the following practices:

- All activities must follow a method. The standard does not prescribe a particular method, but whichever one is chosen must be well defined and documented.

- A company or organisation must document its own security objectives. An auditor will verify whether these objectives are being met.

- All security measures used in the ISMS shall be implemented as the result of risk analysis, in order to eliminate or reduce risks to an acceptable level. The risk level the organisation is willing to accept must itself be defined, and residual risks that remain after treatment must be explicitly accepted by management. The standard offers a catalogue of security controls; it is up to the organisation to choose which controls to implement based on the specific needs of its business, and to justify any it leaves out.

- A process must ensure the continuous verification of all elements of the security system through audits and reviews (internal audits and management reviews at planned intervals).

- A process must ensure the continual improvement of all elements of the information security management system. (The 2005 edition of ISO/IEC 27001 adopts the Plan-Do-Check-Act [PDCA] model explicitly and expects it to be followed in an ISMS implementation; later editions no longer mandate PDCA by name, but the same plan, operate, evaluate and improve cycle remains the structure of the standard.)