An Information Security Management System (ISMS) is a set of policies and procedures for systematically managing an organization’s sensitive data. Its goal is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.
An ISMS typically addresses employee behavior and processes as well as data and technology. It can be targeted towards a particular type of data like customer data. It can also be implemented in a comprehensive way that becomes part of the company’s culture.
ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions. It includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
An ISMS is part of the overall management system and, based on a business risk approach, serves to establish, implement, operate, monitor, review, maintain and improve information security.
It is influenced by the organization’s needs and objectives, its security requirements, the processes employed, and the size and structure of the organization.
It is expected to change over time.
It is a holistic approach to managing information security – the confidentiality, integrity, and availability of information and data.
ISO/IEC 27001:2013
ISO/IEC 27001:2013 is the leading international standard for ISMS. It specifies the requirements for establishing, implementing, maintaining, monitoring, reviewing and continually improving the ISMS within the context of the organization, and it includes the assessment and treatment of information security risks.
It is the best framework for complying with information security legislation.
It is not a technical standard and does not describe the ISMS in technical detail.
It does not focus on information technology alone, but also on other important business assets, resources, and processes in the organization.