ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. The ISMS is an overarching management framework through which the organization identifies, analyzes and addresses its information security risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts.
ISO/IEC 27001 is derived from BS 7799 Part 2, published in 1999. BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act (PDCA) cyclic process concept, and was adopted by ISO/IEC as ISO/IEC 27001 in 2005. It was extensively revised in 2013, bringing it into line with the other ISO management system standards and dropping the explicit PDCA concept.
An Information Security Management System (ISMS) is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives (ISO/IEC 27000:2014).
It encompasses people, processes and technology, recognizing that information security is not just about antivirus software, implementing the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritized, integrated and cross-referenced to ensure overall effectiveness. An ISMS helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.