๐ŸŒ ISO 27001๐Ÿ›ก๏ธ Information Security๐Ÿš€ Startup Guide

What Is an ISMS? — Information Security Management System in Plain English

An ISMS is not a product you buy or a document you write. It is a management system — a structured, repeatable way of identifying security risks, deciding how to treat them, implementing controls, and proving they work. Here is what that actually looks like in practice.

Soham Sawant
Cybersecurity Expert & Technical Writer · 7 min read
April 2026 · SecComply

An ISMS is a management system — it governs how your organisation identifies, manages, and continuously improves its approach to information security.

[Figure: The ISMS — Four Core Components]

  • PLAN (Phase 1 of 4): Risk assessment, scope, objectives
  • DO (Phase 2 of 4): Implement controls, policies, training
  • CHECK (Phase 3 of 4): Internal audit, monitoring, review
  • ACT (Phase 4 of 4): Correct, improve, iterate

PLAN → DO → CHECK → ACT → REPEAT. The PDCA cycle runs continuously. Each cycle improves the system. The ISMS is never "done" — it is always being improved.

An ISMS — Information Security Management System — is the most misunderstood acronym in compliance. Most people hear it and picture a document, a tool, or a checklist. It is none of those things. An ISMS is a management system — a structured, repeatable way of identifying security risks, deciding how to treat them, implementing controls, and proving they work. ISO 27001 is the international standard that defines what an ISMS must contain.

What an ISMS Actually Is

Think of an ISMS as the operating system for how your organisation handles information security. It is not a single document or a single tool — it is the entire ecosystem of policies, processes, people, technology, and evidence that together ensure your organisation manages security risks systematically rather than reactively.

An ISMS answers four questions continuously: What could go wrong? (risk assessment), What are we doing about it? (risk treatment and controls), Is it working? (monitoring, audit, review), and How do we improve? (corrective actions, management review).

The Core Components

  • Scope: What business functions, systems, locations, and data flows are covered by the ISMS. Not everything has to be in scope — but what is in scope must be managed rigorously.
  • Information Security Policy: The top-level statement of management commitment to information security. Short, signed by leadership, and referenced by every other policy.
  • Risk Assessment: A formal methodology for identifying risks, assessing their likelihood and impact, and deciding how to treat each one.
  • Statement of Applicability (SoA): A document listing all 93 Annex A controls and stating which apply, which do not, and why. This is one of the most important audit artefacts.
  • Controls: The technical and organisational measures you implement to treat identified risks — access controls, encryption, incident response, vendor management, etc.
  • Internal Audit: A periodic, independent review of whether your ISMS is operating as documented.
  • Management Review: A formal meeting where leadership reviews the ISMS performance, risk posture, and improvement opportunities.

The PDCA Cycle — How an ISMS Operates

An ISMS runs on the PDCA (Plan-Do-Check-Act) cycle — an iterative management method for continuous improvement:

  • Plan: Define the ISMS scope, conduct risk assessment, set objectives, and design controls. This is where you figure out what needs protecting and how.
  • Do: Implement the controls, write policies and procedures, train staff, and put the ISMS into operation. This is where theory becomes practice.
  • Check: Monitor and measure the effectiveness of controls, conduct internal audits, and review performance metrics. This is where you find out if it is actually working.
  • Act: Address findings from audits and reviews, implement corrective actions, and feed lessons learned back into the next cycle. This is where the ISMS gets better.

The cycle runs continuously. Most organisations run it in annual cycles aligned with their certification audit schedule, but the monitoring and improvement activities happen throughout the year.

Defining Your Scope

The ISMS scope defines the boundaries of what the management system covers. For a typical SaaS startup, the scope might be: "The development, hosting, and delivery of the [Product Name] SaaS platform, including the associated cloud infrastructure, corporate IT systems, and supporting business processes operated from [Location]."

Scope Strategy

Start tight. A smaller, well-defined scope achieves certification faster and at lower cost. Many startups certify their core SaaS product and primary cloud environment first, then expand scope in subsequent years. A tight initial scope is a feature, not a compromise — it is the standard approach recommended by most certification bodies.

Risk Assessment and Treatment

The risk assessment is the engine of the ISMS. It identifies what could go wrong, how likely it is, and how severe the impact would be. For a typical startup, expect 40-80 identified risks across categories like data breaches, unauthorised access, service disruption, vendor failures, and human error.

Each risk is then treated through one of four options: mitigate (implement controls to reduce likelihood or impact), accept (acknowledge the risk and document the decision), transfer (shift the risk to a third party, e.g. insurance), or avoid (eliminate the activity that creates the risk). For the full risk assessment methodology, read our Risk Assessment in ISO 27001 guide.

Controls and Evidence

Controls are the measures you implement to treat identified risks. ISO 27001:2022 defines 93 controls across four categories: Organisational (37), People (8), Physical (14), and Technological (34). Not all 93 apply to every organisation — your Statement of Applicability documents which apply and which do not.

For each control that applies, you need three things: a policy or procedure that documents what the control is, technical implementation that enforces it, and evidence that it is operating. Auditors test all three. A policy without implementation is a finding. Implementation without evidence is also a finding. For the complete control breakdown, see our ISO 27001 Annex A — 93 Controls Explained guide.
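As an added illustration (not code from the article or from SecComply), the four treatment options above and the policy/implementation/evidence rule for each applicable control can be encoded as a small consistency check over a risk register and Statement of Applicability. The risk ids, control ids (Annex A numbering) and register contents are constructed for the example:

```python
from dataclasses import dataclass, field
# Constructed example: a minimal risk register plus Statement of Applicability check.
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}

@dataclass
class Risk:
    rid: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    treatment: str                       # one of TREATMENTS
    controls: list = field(default_factory=list)  # Annex A ids, if mitigated
    decision: str = ""                   # documented rationale for accept/transfer/avoid

@dataclass
class Control:
    cid: str                             # ISO 27001:2022 Annex A numbering
    applicable: bool                     # as declared in the SoA
    policy: bool = False                 # a policy or procedure documents it
    implemented: bool = False            # something actually enforces it
    evidence: bool = False               # records show it operating

# The three things an auditor tests for every applicable control.
CONTROL_CHECKS = (("policy", "no documented policy or procedure"),
                  ("implemented", "policy without implementation"),
                  ("evidence", "implementation without evidence"))
def audit(risks, controls):
    """Return audit findings as strings; an empty list means a clean audit."""
    soa, findings = {c.cid: c for c in controls}, []
    for r in risks:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.rid}: unknown treatment '{r.treatment}'")
        elif r.treatment == "mitigate":
            if not r.controls:
                findings.append(f"{r.rid}: mitigated but no controls mapped")
            for cid in r.controls:
                if cid not in soa or not soa[cid].applicable:
                    findings.append(f"{r.rid}: control {cid} not applicable in SoA")
        elif not r.decision:
            findings.append(f"{r.rid}: '{r.treatment}' decision not documented")
    for c in controls:
        for attr, msg in CONTROL_CHECKS:
            if c.applicable and not getattr(c, attr):
                findings.append(f"{c.cid}: {msg}")
    return findings

def sample_findings():
    risks = [Risk("R1", 4, 5, "mitigate", ["A.8.5"]), Risk("R2", 2, 3, "accept"),
             Risk("R3", 3, 4, "mitigate", ["A.7.7"])]   # R3 maps to an excluded control
    controls = [Control("A.8.5", True, policy=True, implemented=True), Control("A.7.7", False)]
    return audit(risks, controls)
```

Running `sample_findings()` yields three findings: the undocumented acceptance of R2, R3 mapped to a control excluded in the SoA, and A.8.5 implemented but lacking evidence.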

Audit and Review

An ISMS requires two types of periodic review:

  • Internal Audit (Clause 9.2): You (or an independent internal auditor) review the ISMS against its own documented requirements and ISO 27001. The internal audit must be conducted at least once before the certification audit. Findings are documented and corrective actions tracked.
  • Management Review (Clause 9.3): Leadership formally reviews the ISMS performance — risk posture changes, audit findings, incident trends, resource needs, and improvement opportunities. This meeting must be documented with minutes and action items.

What an ISMS Is Not

  • Not a product. You cannot buy an ISMS off the shelf. GRC platforms help you manage it, but the ISMS is the system itself — the policies, processes, people, and evidence.
  • Not a document. The ISMS includes documents (policies, procedures, risk registers), but it is not defined by them. An ISMS with perfect documentation but no operational controls is not an ISMS.
  • Not a one-time project. The ISMS runs continuously. It is never "done." The PDCA cycle ensures it improves with every iteration.
  • Not just IT security. An ISMS covers people (training, HR security), physical security (office access, clean desk), and organisational controls (vendor management, business continuity) — not just firewalls and encryption.

Ready to Start Your ISO 27001 Journey?

SecComply helps Indian startups and global enterprises implement ISO 27001 from gap assessment to certification — with realistic timelines and fixed-scope engagements.

Frequently Asked Questions

What does ISMS stand for?

ISMS stands for Information Security Management System. It is a structured framework of policies, processes, technology, and evidence that governs how an organisation identifies, manages, and continuously improves its approach to information security. ISO 27001 is the international standard that defines what an ISMS must contain.

Is an ISMS the same as ISO 27001?

Not exactly. ISO 27001 is the standard that defines what an ISMS must look like. An ISMS is the actual management system you build and operate. You can have an ISMS without being ISO 27001 certified — but if you want the certification, your ISMS must meet ISO 27001 requirements.

How long does it take to build an ISMS?

For a typical startup with 20-100 employees, building an ISMS from scratch takes 4-9 months — from initial scoping through to certification. If you have existing security practices (MFA, access reviews, incident response), much of the work is documenting and formalising what you already do.

Does every employee need to be involved in the ISMS?

Every employee needs security awareness training and must follow the ISMS policies. However, the core ISMS team is typically small — an ISMS owner or Information Security Manager, plus representatives from engineering, HR, and operations. Leadership involvement is required for management reviews.

Can a small startup have an ISMS?

Yes. ISO 27001 scales to any organisation size. A 5-person startup will have a simpler ISMS than a 5,000-person enterprise — fewer assets, fewer risks, fewer controls — but the structure is the same. The standard explicitly allows scope to be proportional to the organisation.