

Establishing an ISMS / Guide

Posted by Data Send UK / Written by Tony Stewart


Establishing an Information Security Management System (ISMS) involves a systematic and structured approach to ensuring the confidentiality, integrity, and availability of an organisation’s information assets. The key steps below guide an organisation in establishing an ISMS:

1. Leadership and Commitment:
- Appoint a Management Representative: Designate an individual or team responsible for coordinating the development and implementation of the ISMS.

- Top Management Commitment: Gain commitment from top management to support and actively participate in the establishment of the ISMS.

2. Define the Scope:
- Identify Organisational Boundaries: Determine the organisational units, functions, and processes that will be included within the scope of the ISMS.

- Consider External and Internal Context: Analyse external and internal issues, interested parties, and interfaces with other organisations to define the ISMS scope comprehensively.

3. Perform a Risk Assessment:
- Identify Information Assets: Identify and classify information assets based on their value and importance to the organisation.

- Identify Threats and Vulnerabilities: Conduct a risk assessment to identify the threats and vulnerabilities that could affect each information asset.

- Assess Risks: Evaluate the likelihood and impact of each identified risk so that treatment effort can be prioritised towards the most significant risks.

4. Define Information Security Objectives:
- Align with Business Objectives: Define information security objectives that align with the organisation’s overall business objectives.

- Establish Measurable Targets: Set measurable targets for achieving information security objectives. Ensure that targets are specific, measurable, achievable, relevant, and time-bound (SMART).

5. Implement Information Security Controls:
- Select Controls: Identify and select appropriate information security controls based on the risk assessment and organisational objectives.

- Documentation and Procedures: Develop documentation and procedures to implement the selected controls effectively.

- Training and Awareness: Provide training and awareness programs to ensure that employees understand their roles and responsibilities in maintaining information security.

6. Documentation and Records:
- ISMS Documentation: Develop documented information that outlines the ISMS scope, policies, procedures, and risk assessment outcomes.

- Records Management: Establish a system for creating, maintaining, and retaining records related to information security.

7. Monitoring and Measurement:
- Performance Monitoring: Implement processes to monitor and measure the performance of information security controls and the effectiveness of the ISMS.

- Incident Response: Establish an incident response plan to address and mitigate the impact of security incidents.

8. Internal Audits:
- Conduct Internal Audits: Periodically conduct internal audits to assess the compliance and effectiveness of the ISMS.

- Corrective Actions: Implement corrective actions to address non-conformities identified during internal audits.

9. Management Review:
- Regular Management Reviews: Hold regular management reviews to assess the performance of the ISMS, evaluate the results of internal audits, and identify opportunities for improvement.

10. Continual Improvement:
- Learn from Incidents: Use lessons learned from security incidents, internal audits, and management reviews to drive continual improvement.

- Update the ISMS: Periodically review and update the ISMS documentation to ensure its ongoing relevance and effectiveness.

11. Training and Communication:
- Educate Employees: Conduct training sessions and awareness programs to educate employees about information security policies and practices.

- Communication: Establish effective communication channels to keep stakeholders informed about the ISMS and its objectives.


Establishing an Information Security Management System (ISMS) involves implementing a set of interrelated processes, each contributing to the overall effectiveness of information security within the organisation. These processes are commonly organised within the framework of the Plan-Do-Check-Act (PDCA) cycle.