What is an ISMS and 9 reasons why you should implement one

A version of this blog was originally published on 15 August 2017.

We often talk about the benefits of ISO 27001 certification but don’t always expand on the more immediate benefits associated with implementing an ISMS (information security management system).

We aim to put that right in this blog, explaining how an ISMS works and the ways it helps your organisation.

What is an ISMS?

  1. A centrally managed framework for keeping an organisation’s information safe.
  2. A set of policies, procedures, technical and physical controls to protect the confidentiality, availability and integrity of information.
  3. Either applied to the entire organisation or only a specific area where the information it seeks to protect is segmented (the scope).
  4. Includes not only technical controls but also controls to treat additional, more common risks related to people, resources, assets and processes.
  5. Based on a risk assessment across the organisation that considers internal and external risks. This means all risks are assessed, analysed and evaluated against a set of predetermined criteria before risk treatments (controls) are applied. Controls are applied based on the likelihood and potential impact of the risks.
  6. A framework that helps you make appropriate decisions about the risks that are specific to your business environment.
  7. Dependent on support and involvement from the entire business – not just the IT department – from the cleaner right up to the CEO.
  8. Not an IT function but a business management process.
  9. An ISMS can be certified to the international best-practice information security standard ISO 27001. Achieving accredited certification to the Standard demonstrates to your clients, customers, regulators and stakeholders that your organisation is following information security best practice and your data is sufficiently protected.
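To make point 5 concrete, here is a small added example (not from the original post) of a risk register scored by likelihood and impact against a predetermined acceptance criterion, with items outside the ISMS scope skipped; the 5x5 scales, the threshold of 9 and the sample entries are assumptions.

```python
"""Toy ISO 27001-style risk assessment: score each risk by likelihood and
impact, compare it with a predetermined acceptance criterion and decide
whether a treatment (control) is required. Example code, not from the post."""
from dataclasses import dataclass

# Predetermined acceptance criterion (assumption): a score of 9 or higher
# on a 5x5 likelihood/impact matrix must be treated, anything lower is accepted.
RISK_ACCEPTANCE_THRESHOLD = 9


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    in_scope: bool = True

    def score(self) -> int:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact


def assess(register, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Return (risk, score, decision) for in-scope risks, highest score first."""
    results = []
    for r in register:
        if not r.in_scope:          # outside the ISMS scope: not evaluated
            continue
        s = r.score()
        decision = "treat" if s >= threshold else "accept"
        results.append((r, s, decision))
    return sorted(results, key=lambda t: t[1], reverse=True)


# Constructed sample register covering technical, people and process risks.
SAMPLE_REGISTER = [
    Risk("customer database", "unpatched server exploited", 3, 5),
    Risk("HR files (paper)", "left in unlocked cabinet", 4, 3),
    Risk("staff", "phishing email opened", 5, 4),
    Risk("supplier contracts", "lost USB stick", 2, 2),
    Risk("marketing laptop", "theft", 3, 3, in_scope=False),
]

if __name__ == "__main__":
    for risk, s, decision in assess(SAMPLE_REGISTER):
        print(f"{s:>2} {decision:<6} {risk.asset}: {risk.threat}")
```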

Where does ISO 27001 fit in?

The best practices for an ISMS are laid out in the ISO 27001 standard, which covers the compliance requirements. These are expanded upon in ISO 27002, which covers the guidelines and general principles for implementing and maintaining those requirements.

As such, certifying to the Standard ensures that your organisation’s security measures are as effective as possible.

Why implement an ISMS?

An ISO 27001-compliant ISMS does more than simply help you comply with laws and win business. It also:

  1. Secures your information in all its forms: An ISMS helps protect data in all its forms, including digital, paper-based and in the Cloud.
  2. Increases your resilience to cyber attacks: Implementing and maintaining an ISMS will significantly increase your organisation’s resilience to cyber attacks.
  3. Provides a centrally managed framework: An ISMS provides a framework for keeping your organisation’s information safe and managing it in one place.
  4. Creates a new way of thinking about information security, helping your employees become more aware of their responsibilities and the steps they must take to keep information secure.
  5. Offers organisation-wide protection: An ISMS protects your entire organisation from technology-based risk and other, more common threats, such as poorly informed staff and ineffective procedures.
  6. Helps you respond to evolving security threats: Risks are continually evolving, but an ISMS reduces the threat by constantly adapting to changes both in the environment and inside the organisation.
  7. Reduces costs associated with information security: The risk assessment and analysis approach of an ISMS means organisations can reduce spending on defensive technology that might not work.
  8. Protects the confidentiality, integrity and availability of data: An ISMS offers a set of policies, procedures and physical controls to protect the confidentiality, integrity and availability of information.
  9. Improves company culture: ISO 27001’s holistic approach covers the whole organisation, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.

Is ISO 27001 compliance a legal requirement?

Although there are no laws requiring organisations to implement ISO 27001, compliance is often essential for an organisation to succeed.

One reason for this is the increasing demand from suppliers and clients for the organisations they work with to demonstrate effective security. Certifying to the Standard enables organisations to do this, giving them a competitive advantage.

Another reason is that the Standard can help organisations comply with the GDPR (General Data Protection Regulation), NIS (Network and Information Systems) Regulations and other information security laws.

Neither the GDPR nor NIS Regulations specify how to meet their requirements, but their similarities to ISO 27001 mean that many requirements can be met by following the Standard’s instructions.

Get help with your ISMS

Implementing an ISMS can be hard work, and it will involve your whole organisation. The project can take anywhere from three months to a year, and however you proceed, you need to factor in your organisation’s size, the threats it faces and the measures it already has in place.

Our ISO 27001 Certified ISMS Lead Implementer course teaches you everything you need to know to put in place an effective ISMS, as real-world practitioners show you how to tackle an ISMS project from start to finish.

Not ready for a training course?

If you want to learn more about implementing an ISMS but aren’t ready to commit to a training course, you might prefer our free guide, ISO 27001: The Facts.