What is an ISMS (Information Security Management System)?

An information security management system (ISMS) is a broad term that encompasses an organization’s information security policies, practices, and procedures, and how these are assessed, optimized, and implemented over time.

It is tempting to say that an ISMS ensures all risks are mitigated and that all risk management processes work effectively. It’s more accurate to say that an ISMS provides a framework informed by the organization’s information security objectives, helps manage its cybersecurity efforts, and safeguards its information assets.

An ISMS typically uses a holistic, risk-based, flexible approach, making it useful for businesses of all sizes and across most sectors. Such a system can give organizations a competitive advantage by improving the visibility of the attack surface and providing a guide for asset management, risk management, and vulnerability remediation.

This post looks at everything you need to know to choose and implement an ISMS to protect data and ensure ongoing compliance with data protection legislation.

14 ISMS Security Control Families

An ISMS protects data confidentiality, integrity, and availability using security controls that help businesses prevent, detect, and respond effectively to cyber attacks.

ISO 27001, the international standard for information security management, together with the best-practice guidance in ISO 27002, offers guidelines for setting up an ISMS. In total, there are 114 security controls organized into 14 control sets in Annex A of ISO 27001:

1. Annex A.5 — Information Security Policies

The benefit of documented information security policies is that they reduce the potential for security gaps and encourage a standardized approach to information security across the organization. They form the backbone of a firm’s approach to cybersecurity.

When everyone follows the same information security policies, it’s easier to manage an information system and identify and remediate issues. For this reason, policies need to be clearly documented and accessible throughout the organization.

Well-crafted information security policies also provide key statements that the organization can share with its key stakeholders, including customers or clients. Moreover, they make the firm’s security standards and compliance requirements clear to suppliers and business partners.

2. Annex A.6 — Organization of Information Security

Organization of information security covers the assignment of various responsibilities for specific tasks. This ensures that the organization has established an adequate framework that can implement and maintain the information security policies.

Additionally, this section covers policies surrounding mobile and remote working devices. Companies must ensure that all remote employees follow appropriate practices in line with the company’s policies.

3. Annex A.7 — Human Resource Security

Human resource security ensures that employees’ competencies and backgrounds are verified to the extent required by their access to high-risk information assets. Staff dealing with the most sensitive data will require background checks to ensure the ongoing safety of personal data and other sensitive information.

HR controls must be proportional to the likelihood and impact of threats since not every staff member will require the same access levels. The organization must also see that the checks are ethical, which may require internal audits or external verification to avoid prejudice or bias during the hiring process.

An excellent ISMS will put such checks at every stage of employment, reducing the risk of accidental exposure and insider threats. The ISMS must ensure security throughout the employee life cycle, which means it needs to consider the offboarding process to ensure that privileged access is revoked to avoid unauthorized access to confidential information.

4. Annex A.8 — Asset Management

Asset management helps organizations determine how they identify various information assets and define appropriate protection responsibilities for each asset. More importantly, organizations must identify specific assets that fall within the scope of or are critical to the ISMS.

Furthermore, classifying the criticality of each asset is important, as each asset will require a different level of protection and defense. Organizations must determine the appropriate level of protection for each asset based on its importance to operations.

Last, asset management concerns data handling to ensure that sensitive data isn’t subject to accidental or unauthorized disclosure, modification, removal, or destruction.

5. Annex A.9 — Access Control

Access control processes, whether digital or physical, aim to limit access to only those who need it, thereby giving the organization more visibility into and control over its attack surface. They determine who has access to data, how much access they have, and how they can process, store, or transmit it.

How strict access controls need to be depends on the nature and extent of information security risks for the organization. A major DoD contractor, for example, is likely to require stringent access controls since they deal with classified and protected information, the compromise of which could affect national security.

Access control must be reviewed regularly to ensure that staff members have the relevant level of access and that this is revoked or reduced as soon as appropriate. For example, if the staff member moves to another department or leaves the organization, their access credentials must be revoked to prevent unauthorized access.
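A review of this kind can be automated against HR and identity exports. The following Python is an added example, not code from the original post or from UpGuard; it assumes two constructed CSV extracts (an HR roster and an entitlement export) and flags leavers, movers, and orphan accounts whose access should be revoked or re-justified.

```python
"""Annex A.9-style access review over constructed HR and IAM extracts.

Added example, not part of the original post. Assumes the reviewer has
an HR roster (user, department, employment status) and an entitlement
export (user, entitlement, department the entitlement is intended for).
All records below are constructed for the example.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed HR roster: carol has left the organization.
HR_ROSTER = """\
user,department,status
alice,finance,active
bob,engineering,active
carol,finance,left
dave,engineering,active
"""

# Constructed entitlement export: dave moved to engineering but still
# holds a finance entitlement; erin has no HR record at all.
ENTITLEMENTS = """\
user,entitlement,entitlement_department
alice,payroll-db-rw,finance
bob,prod-deploy,engineering
carol,payroll-db-rw,finance
dave,payroll-db-rw,finance
erin,prod-deploy,engineering
"""


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str  # one of "leaver", "mover", "orphan"


def review_access(hr_csv: str, ent_csv: str) -> list[Finding]:
    """Return the entitlements that fail the periodic access review."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(ent_csv)):
        person = roster.get(row["user"])
        if person is None:
            reason = "orphan"  # account with no HR owner: revoke and investigate
        elif person["status"] != "active":
            reason = "leaver"  # offboarded but access was never revoked
        elif person["department"] != row["entitlement_department"]:
            reason = "mover"  # entitlement belongs to a department they left
        else:
            continue  # active staff member holding access for their own department
        findings.append(Finding(row["user"], row["entitlement"], reason))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ENTITLEMENTS):
        print(f"REVOKE {f.entitlement} from {f.user}: {f.reason}")
```

In practice the two extracts come from the HR system and the identity provider, and each finding becomes a revocation ticket with an owner and a due date so the review leaves an audit trail.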

6. Annex A.10 — Cryptography

Cryptography covers the encryption of sensitive data and is a key ISMS consideration that mitigates several critical security issues.

An ISMS will help manage encryption throughout the life cycle of sensitive data, determining how encryption is applied and how that data is transmitted, stored, backed up, and, ultimately, securely destroyed. Implementing an ISMS will also help an organization manage the security of its encryption keys, since these are prime targets for attackers.

In addition to preventing the loss or compromise of such keys, the organization must have plans in place for what to do if the keys are compromised during a data breach, exposure, or cyber attack.

7. Annex A.11 — Physical and Environmental Security

Physical security of the sites where data is stored, transmitted, and processed is also a key element of an ISMS, since it helps ensure data confidentiality, integrity, and availability. The premises where data is stored must be protected against unauthorized access, damage, or interference.

A physical security perimeter might be the outer limits of the organization’s building and grounds, the door to a secure area, or the surface of a locked storage cabinet. Physical security controls may also include CCTV monitoring, badges, smart cards with different levels of access for visitors and staff, locked doors, and security guards.

8. Annex A.12 — Operations Security

Operations security within an ISMS ensures that the facilities where information is processed are secure. This includes:

  • Operational procedures and responsibilities
  • Cyber defenses against malware and malware infection risk
  • System backups to prevent data loss
  • User logging and monitoring to document evidence when security incidents occur
  • Addressing requirements when protecting the integrity of operational software
  • Technical vulnerability management to prevent unauthorized access or vulnerability exploitation
  • Audit considerations to minimize audit disruptions

9. Annex A.13 — Communications Security

Communications security protects information while it is transmitted over networks. In other words, network security management ensures that data confidentiality, integrity, and availability remain intact in transit.

This would also cover data transferred within and outside of the organization to parties that would require access.

10. Annex A.14 — System Acquisition, Development, and Maintenance

An ISMS makes security a primary consideration in system acquisition, development, and maintenance throughout project life cycles to avoid vulnerabilities and non-compliance issues with legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and The General Data Protection Regulation (GDPR). The business’s information security policy will help it make its security requirements clear for new systems.

11. Annex A.15 — Supplier Relationships

Businesses are increasingly engaged in managing third-party and fourth-party risks. In an increasingly connected business ecosystem, with more third-party solution providers such as Software-as-a-Service vendors handling data storage and processing, businesses need greater visibility into their third-party attack surface, an objective addressed by proper Vendor Risk Management.

An ISMS will help manage supplier relationships throughout their life cycles — from selection to onboarding and offboarding. Using an ISMS will help a business manage the controls and policies appropriate to each supplier since it’s likely that not every supplier will require the same levels of security. If a business segments its supply chain risk, its ISMS will facilitate this.

The objective here is to establish an agreed-upon level of information security with third-party vendors or suppliers that is in line with the supplier agreements.

12. Annex A.16 — Information Security Incident Management

This essential part of information asset management helps businesses minimize the potential damage from an information security event by establishing incident management procedures that facilitate a prompt response.

Incident management means that every incident is handled with the same approach across its lifecycle, to ensure consistency. This does not mean that all incidents receive the same treatment, only that the process by which they are handled is the same.

13. Annex A.17 — Information Security Aspects of Business Continuity Management

A business impact analysis is required to determine the potential impact of business disruption in various forms and varying degrees of magnitude. The ISMS can help a business identify its resources, what it needs to mitigate such disruption, and how quickly and effectively the business will be able to return to functionality and maintain business continuity.

A business continuity plan should include systems that can be implemented before, during, or after a business disruption. With an established framework for information security management, key stakeholders can make quicker decisions, making business continuity action plans more effective and adaptable. A framework will also facilitate the ever-necessary maintenance of the business continuity plan, including regular testing and evaluation against key metrics and security objectives.

14. Annex A.18 — Compliance Controls

An organized, well-documented information security system will help any organization achieve the requirements of data protection legislation and submit the required information, whether during routine reviews or as a result of a data breach or cyber incident.

With the control and visibility offered by an ISMS, key stakeholders in compliance can perform cybersecurity audits to quickly identify areas leading to non-compliance, correct them promptly, and demonstrate what security measures the firm is taking to maintain or improve information security.

ISMS Implementation via the PDCA Model

The usual way to approach the implementation of an ISMS is to use a Plan-Do-Check-Act (PDCA) model, the core principle of which is continuous improvement of internal processes, efficiency, and quality.

Project management software often applies the principles of PDCA to ensure that businesses keep monitoring and improving their processes to achieve their goals and determine new solutions to emerging issues.

1. PDCA Phase One - Planning

In the first phase of the PDCA process, the organization observes its systems and analyzes data to identify the causes of problems. It then determines the resources available to deal with the issues and which methods should be employed.

At this stage, the business creates an action plan for mitigating or remediating the problems.

2. PDCA Phase Two - Doing

At this stage, the plan is enacted. It’s also the time to make adjustments where necessary and to consider the effectiveness of those changes to the original action plan to see if it is working and, if so, to what extent.

3. PDCA Phase Three - Checking

During the checking phase, the organization performs an audit following the implementation of the action plan to determine whether or not it has achieved its security objectives.

The individual or team responsible for checking must study the results of the action plan to decide whether to repeat the cycle of planning and doing.

4. PDCA Phase Four - Acting

Having checked or studied the action plan results so far, the organization can determine whether it should back full implementation or whether changes need to be made by repeating the PDCA process.

If the original security objectives are not being achieved, the firm should return to the PDCA process's planning stage. If the current action plan meets the business goals, the PDCA team can use the process again if a new issue arises.

Benefits of PDCA for ISMS Implementation

The strength of the PDCA model for an ISMS process is that it helps organizations adapt and respond to unknown issues that arise regarding a project. This is particularly useful in cybersecurity, where organizations must adapt to address unknown and emerging threats.

A limitation of the model is that it is primarily reactive rather than proactive, so the organization deals with problems when they arise rather than focusing on solutions that anticipate issues and aim to prevent them from occurring. Still, it’s a useful approach to implementing an ISMS and is used successfully by organizations worldwide.

Benefits of an ISMS

An ISMS helps a company organize, implement, and maintain effective cybersecurity throughout the organization. As such, it has many benefits, including the following:

Better Visibility of Risks

Having a risk-based approach, an ISMS immediately improves a firm’s security by making it aware of its security posture and its primary threats in the current cyber threat landscape. A business cannot prepare for a cyber attack or incident without this information.

A risk assessment identifies the current threats and the current level of preparedness. Risk analysis identifies which threats are most likely and potentially damaging. With sound information relating to a business’s risk profile, it can prioritize the implementation of the most relevant digital and physical protections for its sensitive data.

An ISMS clarifies what needs to be done to protect information. Knowing the current state of cybersecurity is a major part of protecting information since it allows the organization to understand its strengths and weaknesses and prioritize vulnerability remediation rather than using a scattergun approach.

Improved Security

An ISMS improves security in several ways. First, having an organized system to defend against cyber threats makes it easier and quicker to secure an entire network. Internal or external IT security staff benefit from an ISMS because they can use a systematic approach to identify and remediate vulnerabilities.

With an ISMS, cybersecurity personnel can protect multiple devices all at once by performing system-wide upgrades, for example, in a way that is impossible with a disorganized, entirely decentralized system. An ISMS ensures that a business can protect its information assets and has a robust system in place to help the firm grow safely and stay ahead of new information security risks.

Achieve ISO 27001 Certification

ISO/IEC 27001, the international standard for information security created by the International Organization for Standardization (ISO), sets out what is required for an ISMS to be considered effective.

In short, a business will not achieve ISO 27001 without an ISMS.

An effective ISMS will ensure that the business:

  • Understands its security posture, the cyber threat landscape, and the most significant risks to the organization’s information assets
  • Has a record of the security measures it has used to defend against security threats and for vulnerability mitigation
  • Maintains an incident response plan for the security threats it is likely to face
  • Can identify the stakeholders in information security and their roles and responsibilities

Using an ISMS demonstrates to staff, customers, and partners that an organization takes cybersecurity seriously. In a similar way to how standard security ratings facilitate discussions about cybersecurity performance, using an ISMS that aligns with frameworks like ITIL, COBIT, and ISO 27001 helps individuals and businesses appreciate the levels of security achieved and required.

Saying that your business takes security measures seriously is one thing, but adhering to a recognized cybersecurity standard removes uncertainty regarding security posture and third-party compliance requirements.

By following the security controls in ISO 27001 and the best-practice guidelines from ISO 27002, a firm can vastly improve its IT security and cyber resilience. This can help it defend against cybercriminals and attain contracts from partners in a world increasingly aware of the importance of including third-party risk management requirements in frameworks like ISO 27001.

Achieving the ISO 27001 standard requires robust information security risk assessments, so an ISMS that has been audited and has attained this recognized certification underlines the firm’s ability to understand, mitigate, and cope with cyber threats via appropriate security controls. A certified ISMS strengthens a business’s existing partnerships and relationships with customers by being upfront about how it protects information assets from cyber threats.

Incident Response Planning

ISO 27001, used by many ISMS providers, supports creating and maintaining robust incident response plans. With cyber attacks growing in both number and sophistication, it’s wise to prepare to deal with the fallout of a cyber attack or data exposure.

Being prepared for a data breach will allow the organization to contact the relevant people quickly, identify and contain the problem more readily, and then get on with the process of vulnerability remediation and informing the press, law enforcement, and stakeholders to ensure the organization meets compliance requirements, such as those for the General Data Protection Regulation (GDPR).

Measuring Effectiveness

An ISMS — especially one that uses a standardized system of security measures, such as ISO 27001 — can aid discussion and planning regarding the measures implemented to protect the firm’s information systems.

A benchmark or clear standard, as provided by an ISMS, can be used to engage everyone from the board level to part-time contractors in understanding the importance of cybersecurity and its current state within the company.

Cost Reduction

An effective ISMS helps businesses reduce spending in several ways. By making a firm’s response to the cyber threat landscape more comprehensive, the firm is less likely to face a cyber attack. If a cyber attack does occur, the ISMS will help the firm organize its responses, reducing the time and cost of identifying, remediating, and reporting the cyber attack.

Responding promptly following a data breach can help businesses avoid the potentially significant costs of business disruption, lost customers, reputational damage, system repair, and compliance issues. Implementing an ISMS also demonstrates to insurance companies that the firm is proactive about cybersecurity, which can reduce cyber insurance premiums.

Development of a Cybersecurity Culture

A company with a mature cybersecurity culture appreciates that cybersecurity is not merely an IT issue but an operational concern that affects, and is the responsibility of, the entire organization. Everyone is a stakeholder in the protection of sensitive information.

An ISMS uses a risk-based and all-inclusive approach that fosters engagement with cybersecurity throughout an organization. An ISMS therefore supports a business in which all employees participate in cybersecurity and maintain daily best practices, such as basic cyber hygiene.

Adapting to Emerging Threats

An effective ISMS helps a business gain visibility of its attack surface and perform vulnerability mitigation and remediation so that it has the resources to identify and respond to new threats. It also ensures that there is an incident response plan in place and that key stakeholders in data security are primed and ready should a cyber incident occur.

The best ISMS systems are not only comprehensive but also proactive. This is essential considering today’s threat-heavy cyber landscape. A modern ISMS will adapt to organizational changes, such as business processes and technology developments, changes in the business ecosystem, and the latest security threats and vulnerabilities.

An ISMS is not a tool that counters cyber attacks but an entire framework that helps make an organization’s response to infosec issues faster and more effective. A business with an ISMS is more likely to understand its threats, resources, and business processes, and is therefore more flexible and better able to deal with emerging threats on the fly.
