What is an Information Security Management System (ISMS)?

Information Security Management System

A management system is a set of processes to achieve certain objectives. The scope of the management system can relate to one site or to multiple sites of the organization, and it can cover all or only some of the processes of the company. An information security management system, or ISMS for short, is a management system that focuses solely on building the processes that safeguard an organization's information.

ISO 27001 and ISO 22301 are related because having a business continuity plan is an important part of good information security: availability of information is one of the three properties an ISMS protects, alongside confidentiality and integrity.

ISO 27001 follows the HLS (high-level structure) as followed by other standards, including ISO 9001, ISO 14001 and ISO 45001. This means that ISO 27001:2022 has 10 Clauses.

The official definition of an ISMS (ISO/IEC 27000) is "policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets".

Most importantly, when implementing a management system, we have to focus on continual improvement. 

Some of the benefits of implementing an ISMS are:

The above benefits are critical to sustaining a growing business. If any of them is missing, it really is a big problem. A car has brakes so that you can drive faster, knowing that you can slow down whenever you want to.

Now let's talk about the Clauses of the Standard, starting from Clause 4. Clauses 1 to 3 (scope, normative references, terms and definitions) contain no requirements to implement.

Context of Organization 

The stakeholders (internal and external) and their needs. This is what gives us critical information on how to build the system, so that it meets the requirements of each of these stakeholders. For example, if there is a regulatory requirement, we might need to report certain information in a particular way.

Scope of Certification

For ISO 27001 this defines the boundaries of the ISMS; which Annex A controls are excluded, and why, is documented separately in the statement of applicability. The organizational boundaries of the scope of certification are:

  • Key processes
  • Departments
  • Locations 
  • Stakeholders  

Getting the scope of certification accurately is important because:

  • It helps to define the audit objectives
  • It gives clear guidelines on what the auditee may claim is covered by their ISO certification in their marketing material

The scope of certification can be extended or changed over time. A change in the existing processes can trigger a change in the audit scope.

Naturally, if the scope of certification is changed, the certification body, the auditor and the auditee would need to sign off on this change. Upon the change of the scope of certification, the duration and other audit objectives would need to be revisited. 


Whether you’re after ISO Certification, internal audits, or results-oriented consultancy, Luke has the plan for you. Reach out to him and start your journey today.
ISO Consultant in Malta




Leadership

The goal here is to make sure that leaders are behind the idea of implementing an ISMS. Leadership must keep driving the message that information security is important, by following procedures and by ensuring that the right people have the right roles and responsibilities.

Leaders sign the information security policy to show commitment. It is also important that leadership speaks about the importance of the ISMS. Just signing a paper is not enough; building a culture of information security requires more effort than that.

Actions to address risks and opportunities for ISO 27001

Risk management should not be done in isolation. Look at corporate strategies, goals and objectives, and product innovation: where is the company going? This adds to the context of the organisation and is critical when doing a risk assessment. Considering only the technology and IT systems is a poor way of implementing ISO 27001 within your organization.

Risk assessment approach:

  1. Identify a methodology
  2. Determine the risk acceptance criteria
  3. Identify the acceptable levels of risk

If you don't need to, don't use a complex mathematical model. If you want to use a rating from 1 to 9 to assess impact or likelihood, go for it. The important thing is that the method is applied consistently, so that results are repeatable and comparable, and that it lets you prioritize your risks. Choose the methodology that you need according to the costs and availability of supporting software tools.

Identifying risks is a brainstorming exercise where you are saying what might happen, applying Murphy's law, if you like. You might also want to consider the combination of multiple events.

Analyzing the risk is the process of determining the impact and the likelihood.

Evaluating the risk is comparing the analysed risks against the acceptance criteria, deciding which ones need treatment, and prioritising which ones are treated first.
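The three steps above (identify, analyse, evaluate) as a small qualitative risk register. This is an added example, not material from the page or from ISO 27001 itself; the 1-to-5 scales, the likelihood-times-impact score, the acceptance threshold and the sample risks are all assumptions chosen for illustration, and the register entries are constructed, not real data.

```python
"""Minimal qualitative risk register: identify -> analyse -> evaluate.

Added example, not the page's own material. The scales, scoring rule,
acceptance criterion and sample register are ASSUMED for illustration.
"""
from dataclasses import dataclass

# Methodology: ISO 27001 asks for a repeatable method with documented
# criteria. ASSUMED here: 1..5 ordinal scales and score = likelihood x impact.
SCALE_MIN, SCALE_MAX = 1, 5
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Risk acceptance criterion (ASSUMED): a score of 6 or below is accepted as-is.
ACCEPTANCE_THRESHOLD = 6


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str        # every risk needs an owner who signs off on treatment
    likelihood: int   # 1..5 per LIKELIHOOD
    impact: int       # 1..5 per IMPACT


def score(risk: Risk) -> int:
    """Analyse: combine likelihood and impact into one ordinal score.
    Rejects values outside the documented scale so results stay comparable."""
    for name, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{risk.risk_id}: {name}={value} outside {SCALE_MIN}..{SCALE_MAX}")
    return risk.likelihood * risk.impact


def level(s: int) -> str:
    """Map a score onto the reporting bands (ASSUMED band edges)."""
    if s <= ACCEPTANCE_THRESHOLD:
        return "low"
    return "medium" if s <= 12 else "high"


def evaluate(register):
    """Evaluate: split the register into risks to treat (highest first) and
    risks accepted under the criterion, so the treatment order is explicit."""
    treat = sorted(
        (r for r in register if score(r) > ACCEPTANCE_THRESHOLD),
        key=lambda r: (-score(r), -r.impact, r.risk_id),  # ties: worse impact first
    )
    accept = [r for r in register if score(r) <= ACCEPTANCE_THRESHOLD]
    return treat, accept


# Identify: constructed sample register (illustrative only).
REGISTER = [
    Risk("R1", "customer database", "ransomware", "file server missing patches", "IT manager", 4, 5),
    Risk("R2", "laptop fleet", "device theft", "no full-disk encryption", "IT manager", 3, 4),
    Risk("R3", "office Wi-Fi", "eavesdropping", "shared WPA2 passphrase", "IT manager", 2, 3),
    Risk("R4", "backup set", "restore failure", "backups never test-restored", "Ops lead", 3, 5),
    Risk("R5", "public website", "defacement", "CMS admin account uses default name", "Marketing", 2, 2),
]

if __name__ == "__main__":
    to_treat, accepted = evaluate(REGISTER)
    for r in to_treat:
        print(f"TREAT  {r.risk_id} score={score(r):2d} {level(score(r)):6s} {r.owner}: {r.asset} / {r.threat}")
    for r in accepted:
        print(f"ACCEPT {r.risk_id} score={score(r):2d} {level(score(r)):6s} {r.owner}: {r.asset} / {r.threat}")
```

Running it lists R1, R4 and R2 for treatment in that order and records R3 and R5 as accepted. The point of keeping the scale, the scoring rule and the threshold as named constants at the top is that they are the documented methodology: change them and every risk is re-scored the same way, which is what makes the assessment repeatable at the next review.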

Annex A

This is a list of 93 controls that are available within the ISO 27001:2022 standard. These are split into different sections:

  • Organizational (37)
  • People (8)
  • Physical (14)
  • Technological (34)

If any of these controls is not going to be applied, a justification is needed. The statement of applicability lists every Annex A control, states whether it is included or excluded, and gives the reason.

WANT  TO LEARN MORE ABOUT THE Information Security Management System of ISO 27001?

As an ISO management system consultant Luke Desira will make it his personal mission to put your company on a class above all others! Read more about ISO and other content related to business process transformation here.

If you are looking for information on how to get certified, have a look at this guide on how to get ISO certified with Luke Desira, and find out about the 10 pitfalls that you may encounter during the implementation of ISO Certification.

Don’t forget to follow us on our Facebook and LinkedIn profiles, and subscribe to our Youtube Channel for more great content.
