
Information Security Management System (ISMS)


What is an Information Security Management System (ISMS)?

Safeguarding your organisation’s information assets

An Information Security Management System, or ISMS, does exactly what it says. It’s a comprehensive, practical system that helps you manage the security of your organisation’s information. An effective ISMS will:

  • Safeguard your organisation’s information assets
  • Make it easy to show your customers and other stakeholders:
    • How secure those information assets are
    • How seriously your organisation takes infosec
  • Constantly evolve to keep up with:
    • New infosec risks and opportunities
    • Your organisation’s development and growth

To achieve ISO 27001 compliance or certification, you need a fully functioning ISMS that meets the standard’s requirements. It will define the scope of your ISMS and your organisation’s information assets, then cover all the:

  • Risks your organisation’s information assets face
  • Measures you’ve put in place to protect them
  • Guidance to follow or actions to take when they’re threatened
  • People responsible for or involved in every step of the infosec process

It should also meet your organisation’s unique needs, taking account of:

  • How your organisation, its stakeholders and customers work in practice
  • What sort of risk appetite you and they have
  • The wider contexts that affect you all

Most of our customers start with ISO 27001. An ISMS can also help you meet other requirements, such as the security obligations of the GDPR, and align with frameworks like the NIST Cybersecurity Framework. Our platform supports those and many others, and it’ll accelerate you through everything we’ve listed above, and more.


The seven elements of an effective ISMS

1. ISMS implementation resource

Creating or upgrading an ISMS can be a complex, challenging process. To navigate it successfully, you’ll need a clearly defined manager or team with the time, budget and know-how needed to make your ISMS happen.

Our Assured Results Method guides you all the way to first-time ISO 27001 compliance or certification success. And it’s easy to migrate work you’ve already done into our platform.

2. Systems and tools for implementation and ongoing management

An effective ISMS draws on and manages many different resources. They can include your organisation’s software and hardware, its physical infrastructure and even its staff and suppliers. You’ll need the right systems and tools to guide and oversee them all.

Our platform includes a wide range of bespoke support systems, ranging from our context-specific Virtual Coach to a full suite of implementation management tools.

3. Actionable policies and controls that will work in practice

Your ISMS will tell your colleagues, suppliers and other stakeholders how to protect your information assets and what to do when they’re at risk. That needs to be defined in clear, widely understood and easy-to-act-on policies and controls.

Our pre-loaded Adopt, Adapt, Add Content gives you actionable policies and controls that take you 77% of the way to your goal before you’ve even begun.

4. Staff communications and engagement mechanisms

Your organisation needs to live and breathe your ISMS. So your colleagues need to know about it, understand why it’s so important and have a clear sense of their infosec responsibilities. If it just sits there gathering dust, it won’t protect anything!

Our Policy Packs make it easy to share specific policies and controls with everyone who needs to know about and follow them, across your organisation and beyond it.

5. Systems and tools for supply chain management

Your ISMS will extend beyond your organisation. Your suppliers probably hold or handle valuable information on your behalf, so you need to make sure they comply with it too. And you’ll need to protect yourself against any issues or challenges they could create.

Our Accounts feature gives you everything you need to assess your supply chain infosec needs, then put the right precautions in place to meet them.

6. Certification activity and working with external auditors

If you’re going for full ISO 27001 certification, you’ll need an independent certification body that is itself accredited by a national accreditation body (UKAS in the UK). They’ll take you through a two-stage certification audit: a Stage 1 review of your ISMS documentation and readiness, then a Stage 2 audit of how the ISMS actually operates. Then they’ll return for surveillance audits (usually annual) during the three-year life of your certificate, followed by a recertification audit at the end of the cycle.

We can guide you all the way to ISO 27001 certification, make showing your auditors how effective your ISMS is a simple task and help you achieve recertification too.

7. Ongoing ISMS operation and improvement resource

An effective ISMS is always on and always alert. It evolves to match its organisation’s growth and development, and meet constant new infosec challenges. And it quickly picks up and corrects any of its own glitches or errors.

We provide a full suite of ISMS management and improvement tools, plus guidance on everything from involving your senior management to reporting ISMS issues.


Safeguarding your customers

An effective ISMS doesn’t just protect you. It safeguards your customers too. The higher you move up the security scale, the more you’ll impress your current and potential customers.

Our platform will accelerate your organisation to level four or five, with certainty. We can help you move beyond this scale too, as and when you need to.


What is an Information Security Management System (ISMS)?
An Information Security Management System (ISMS) is a means of safeguarding important information, using a combination of processes, technology and people. An ISMS will help you protect and manage your organisation’s information through effective risk management. An ISMS also makes it easy to present to customers and interested parties how secure your information assets are while demonstrating to them how seriously you take your information security.
How does an ISMS protect information?
An ISMS helps you meet the security obligations in a variety of laws and regulations, including the GDPR (General Data Protection Regulation), which requires appropriate technical and organisational measures to protect personal data. An ISMS focuses on three key properties of information:
  • Confidentiality: Information is not available or disclosed to people, entities or processes that are not authorised.
  • Integrity: Information is complete, accurate and protected from any corruption.
  • Availability: Information is accessible and can be used by authorised users.
What are the benefits of an ISMS?
An ISMS compliant with the ISO 27001 standard can do more than comply with laws and regulations such as GDPR. It can play a pivotal role in attracting new business and opportunities. An ISMS can also:
  • Secure all forms of information: Protect and manage your information whether it is paper-based, digital or stored in the cloud.
  • Keep up with information security risks and opportunities: An ISMS will increase the resilience of your organisation against cyber attacks.
  • Manage all of your information in one place: An ISMS gives you a single, centralised view of your information assets, the risks they face and the controls that protect them.
  • React to ever-evolving threats: An ISMS helps you identify and respond to evolving risks, whether they arise inside your organisation or outside it.
  • Protect your information’s confidentiality, availability and integrity: Your ISMS will have a set of policies, procedures and controls to protect the confidentiality, availability and integrity of your organisation’s information.
  • Make information security part of your organisation’s culture: Your ISMS is about a whole lot more than IT. It helps other members of your management and staff understand risks and apply your organisation’s controls in their everyday work.
What makes up an effective ISMS?
There are seven elements that make an effective ISMS for your organisation:
  • Implementation resource: You will need a clearly defined manager or team with the time, budget and know-how needed to make your ISMS happen.
  • Systems and tools: These will help you oversee your organisation’s software and hardware, its physical infrastructure as well as staff and suppliers.
  • Policies and controls: These tell your colleagues, suppliers and other interested parties how to protect your information assets and what to do when they’re at risk.
  • Comms and engagement tools: Your colleagues will need to know about and understand your ISMS and have a clear sense of their responsibilities as part of your organisation.
  • Supply chain management tools: Your suppliers probably hold or handle valuable information on your behalf, so it is important to make sure they comply with your ISMS too.
  • Audit guidance and support: Whether your organisation is going for compliance or certification, your ISMS will need to successfully undergo ongoing audits.
  • Operation and improvement resources: Your ISMS needs to evolve with your organisation, meet constant new infosec challenges and quickly catch and correct its own errors.
How much does an ISMS cost?
The cost of your ISMS will vary with:
  • Your objectives
  • Your ISMS’ scope
  • The size and nature of your organisation
  • Your preferred ways of working
  • Quite a few other factors!
That’s why we only give quotes once we’ve found out who you are and what you need to achieve.
Why invest in an ISMS?
An effective ISMS will safeguard your organisation and help it grow. It can deliver a surprisingly high return on investment. Our “Building the Business Case for an ISMS” white paper shows you how to calculate your organisation’s ISMS ROI.

More and more customers are looking for suppliers who take information security seriously, and ISO 27001 compliance or certification is becoming a basic condition of entry. That’s because they understand just how damaging infosec incidents can be. On average, security breaches cost large organisations between £1.46m and £3.14m, and small ones between £75k and £311k. Under the EU GDPR, organisations can face fines of up to €20m or 4% of annual global turnover, whichever is higher. The reputation hit can be very big too.

That’s why an ISMS can be such a good investment. Building your first ISMS or upgrading your existing one will:
  • Give your customers and stakeholders infosec certainty
  • Safeguard your organisation’s brand, results and stakeholders
  • Help you win new business, enter new markets and grow
In the longer term, you’ll need to evolve your ISMS, maintaining your existing compliance or certification while possibly going for new standards. In general, we find our longer-term customers focus on:
  • Bringing down costs while increasing efficiency
  • Showing the real value of their work while reducing admin drudgery
  • Making it easy for users to understand and comply with their ISMS