What is an Information Security Management System according to ISO 27001?

With an Information Security Management System (ISMS), organizations and companies ensure that they meet data protection and IT security requirements systematically rather than ad hoc. The best-known standard for this is ISO 27001. Many other security standards, such as the BSI standard, are compatible with ISO 27001. An information security management system according to ISO 27001 follows the same structure as, for example, a quality management system according to ISO 9001, which makes it possible to combine both in the form of an integrated management system. In this article and video, you will learn about the benefits and requirements of an Information Security Management System (ISMS).

(Note: This content was adopted and expanded from https://www.innolytics.de/was-ist-ein-informationssicherheitsmanagementsystem/.)

What are the components of an ISMS?

An ISMS consists of clear documentation, regular risk analyses, and concrete protective measures. This includes instructions and process descriptions, risk assessments, and the implementation of a catalog of measures from Annex A of ISO 27001 to systematically protect your data and systems.

An information security management system follows the principle: data protection and IT security must not be left to chance. With an ISMS, organizations

  • manage their information security requirements and set information security objectives,
  • develop security policies for information security,
  • issue work instructions,
  • implement these in practice, and
  • monitor whether they achieve their goals.

In doing so, they follow the same logic as quality management according to ISO 9001: Plan, Do, Check, Act, that is, planning, doing, checking, and improving.

[Figure: PDCA cycle with the four steps Plan, Do, Check, and Act for continuous process improvement]

ISO 27001 specifies in Annex A which measures companies and organizations must implement as part of an information security management system. However, this catalog of measures is not exhaustive: it is a baseline that each organization supplements according to its own risk assessment.

Organizations that align themselves with the BSI standard, for example, may implement different measures than those that strictly adhere to ISO 27001. In an information security management system, individual measures are developed and implemented for each company.

These measures are repeatedly reviewed and adapted in the event of changes (for example, new business processes and workflows).

How can I implement an information security management system?

Start with seven simple guiding questions that clarify the "what," "where," "how," and "who": What should be protected, where are the risks, how should it be protected, and who is responsible? This quickly creates structure. You can then build up the implementation step by step; a simple guide follows below.

Guiding question, and what specifically needs to be done:

1. What do I want to protect?
   Identify your most important data, systems, and processes (e.g., customer data, IT systems, quotes).

2. Where are the dangers?
   Consider what can go wrong (e.g., data loss, hacker attacks, employee errors).

3. How do I want to protect it?
   Define simple protective measures (e.g., passwords, access rights, backups).

4. Who should do it?
   Assign clear responsibilities for each topic (e.g., IT, data protection, processes).

5. What rules should be established for this?
   Define simple, understandable rules (e.g., password policies, data handling, system access).

6. How do I monitor implementation?
   Regularly check whether the rules are being followed (e.g., quick checks, internal audits).

7. What do I want to achieve in the end?
   Set a clear goal (e.g., secure data, fewer risks, customer trust).

How can I have my information security management system certified?

An information security management system can be certified according to the international standard ISO 27001. To do this, contact a certification body, coordinate the process, and undergo an audit in which the auditor checks whether your system meets the requirements of the standard. Clarify the timeframe and costs in advance. You can find more about this in this article.

To have your information security management system certified, first select a suitable certification body. Then prepare your company for the audit, during which the auditor checks whether your processes, measures, and documents meet the requirements.

Important: Think beforehand about which parts of your company you want to have certified – this significantly influences the costs. Also, consider how far you have already progressed with implementation. The better prepared you are, the faster and easier the certification process will be.