The foundation

What an ISMS is, and what it isn't

An information security management system is not software and not a binder of policies. It is the organised way your business decides what to protect, protects it, and proves to itself that the protection works. ISO 27001 exists to certify exactly that.

The anatomy

The four working parts of an ISMS

3D illustration of a live risk picture

A live risk picture

A recorded, owned view of what could hurt your information and how much you care: the input every other part of the system consumes.

3D illustration of deliberately chosen controls

Controls chosen on purpose

Security measures selected because a risk, contract or law demands them, recorded in the Statement of Applicability, and operated as routine work.

3D illustration of working documentation

Documents people actually use

Policy, process and records that describe how things really run. If the document and the behaviour disagree, an ISMS fixes one of them.

3D illustration of the audit and improve loop

A loop that turns

Internal audit finds what drifted, management reviews what matters, corrective actions close, and the system is measurably better each year. This loop is what auditors certify.

Common confusions

An ISMS is not the same as having antivirus and MFA (those are controls; the ISMS is what chose them). It is not a compliance platform subscription (that is tooling). And it is not the certificate on the wall: the certificate is a certification body's statement that the ISMS was real when they audited it. The standard behind all of this is explained on what is ISO 27001.

Why it matters commercially

The ISMS is what your customers are really asking about

When a security questionnaire asks how you manage risk, who owns security, and how incidents are handled, it is describing an ISMS clause by clause. Building one properly answers the questionnaires forever; certifying it stops them being asked.

Quick answers

ISMS questions, answered

What does ISMS stand for?

Information security management system: the organised way a business manages its information security, spanning risk assessment, chosen controls, documentation, and the audit-and-improve loop that keeps it all real. ISO 27001 is the international standard an ISMS can be certified against.

Is an ISMS a piece of software?

No. An ISMS is a management system: decisions, documents, controls and routines. Software can help run one, and a spreadsheet can too. Vendors selling 'an ISMS' are selling tooling for the system, not the system itself.

Can we have an ISMS without ISO 27001 certification?

Absolutely, and plenty of well-run organisations do. Certification adds an independent assessment of the system, which is what customers, insurers and tenders trust. If nobody external needs the certificate, the ISMS still pays for itself in fewer surprises.

What documents does an ISMS need?

The ISO 27001 mandated set is compact: scope, policy, risk methodology and results, the Statement of Applicability, objectives, competence evidence, internal audit and management review records, and corrective actions. Everything beyond that should exist only because your operation genuinely needs it.

The mandatory documents

3D rocket illustration for booking a free ISO 27001 scoping call

Ready to build one?

Have your ISMS built by people who operate them

A free 45 minute scoping call maps what an ISMS looks like for your organisation and what certifying it would cost.