Implementing and maintaining an ISMS

An Information Security Management System (ISMS) describes and demonstrates your organisation’s approach to information security and privacy. It helps identify and address the threats and opportunities around your valuable information and any related assets. That protects your organisation from security breaches and shields it from disruption if and when they do happen.

It contains policies, procedures and controls that are designed to meet the three objectives of information security:

    • Confidentiality: making sure data can only be accessed by authorised people.
    • Integrity: keeping data accurate and complete.
    • Availability: making sure data can be accessed when it’s required.

To achieve ISO 27001 compliance or certification, you need a fully functioning ISMS that meets the standard’s requirements. It will define your organisation’s information assets, then cover all of the:

    • Risks your organisation’s information assets face
    • Measures you’ve put in place to protect them
    • Guidance to follow or actions to take when they’re threatened
    • People responsible for or involved in every step of the infosec process

Key benefits of implementing an ISMS

Secures your information in all forms – An ISMS helps protect all forms of information, including digital, paper-based, intellectual property, company secrets, data on devices and in the cloud, hard copies and personal information.

Increases your resilience to attack – Implementing and maintaining an ISMS will significantly increase the organisation’s resilience to cyber attacks.

Reduces information security costs – Because an ISMS is driven by risk assessment and analysis, organisations can reduce the money spent on indiscriminately adding layers of defensive technology that might not work.

Responds to evolving security threats – By constantly adapting to changes both in the environment and inside the organisation, an ISMS reduces the threat posed by continually evolving risks.

Improves company culture – The Standard’s holistic approach covers the whole organisation, not just IT, and encompasses people, processes and technology. This enables employees to readily understand risks and embrace security controls as part of their everyday working practices.

Offers organisation-wide protection – An ISMS protects your entire organisation from technology-based risks and other, more common threats, such as poorly informed staff or ineffective procedures.

Provides a central framework – An ISMS provides a framework for keeping your organisation’s information safe and managing it all in one place.

Protects confidentiality of data – An ISMS offers a set of policies, procedures, and technical and physical controls to protect the confidentiality, availability and integrity of information.

5 steps to implement an ISMS

Most organisations either follow a plan-do-check-act process or follow the ISO 27001 international security standard, which details the requirements for an ISMS. Below are five steps that illustrate how an ISMS should be implemented:

    1. Define the scope and objectives – Determine which assets need protection and the reasons for protecting them. Consider what clients, stakeholders and trustees want protected. Company management should also define clear-cut objectives for the areas of application and the limitations of the ISMS.
    2. Identify assets – Identify the assets that are going to be protected. This can be achieved by creating an inventory of business-critical assets including hardware, software, services, information, databases and physical locations by using a business process map.
    3. Recognise the risks – Once the assets are identified, their risk factors should be analysed and scored, taking into account the legal requirements or compliance guidelines that apply. Organisations should also weigh the effects of the identified risks. For example, they could ask how much impact a breach of the confidentiality, availability or integrity of an information asset would cause, and how probable such a breach is. The end goal should be a conclusion outlining which risks are acceptable and which must be tackled at all costs because of the potential amount of harm involved.
    4. Identify mitigation measures – An effective ISMS not only identifies risk factors but also provides satisfactory measures to effectively mitigate and combat them. The mitigation measures should lay out a clear treatment plan to avoid the risk altogether. For example, a company trying to avoid the risk of losing a laptop with sensitive customer data should prevent that data from being stored on that laptop in the first place. An effective mitigation measure would be to set up a policy or rule that doesn’t permit employees to store customer data on their laptops.
    5. Make improvements – All the previous measures should be monitored, audited and checked repeatedly for effectiveness. If the monitoring reveals any deficiencies or new risk management factors, then restart the ISMS process from scratch. This enables the ISMS to rapidly adapt to changing conditions and offers an effective approach to mitigating the information security risks for an organisation.
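As an added example (not part of the original article), the scoring in steps 3 and 4 expressed as a small risk register: each asset gets an impact rating for confidentiality, integrity and availability plus a likelihood, and the product of the worst impact and the likelihood decides whether the risk is accepted or needs a treatment plan. The 1 to 5 scale, the acceptance threshold of 6 and the sample entries are assumptions made for this example.

```python
from dataclasses import dataclass

# Scoring scale, acceptance threshold and the sample risks below are
# constructed assumptions for this example, not figures from the article.
ACCEPT_THRESHOLD = 6  # score at or below this is accepted, above it must be treated


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    confidentiality: int  # impact 1 (negligible) .. 5 (severe) if breached
    integrity: int
    availability: int
    likelihood: int       # probability 1 (rare) .. 5 (almost certain)


def impact(risk: Risk) -> int:
    """Worst-case impact across the three information security objectives."""
    return max(risk.confidentiality, risk.integrity, risk.availability)


def score(risk: Risk) -> int:
    """Risk score = impact x likelihood, the usual qualitative risk matrix."""
    return impact(risk) * risk.likelihood


def decision(risk: Risk, threshold: int = ACCEPT_THRESHOLD) -> str:
    """'accept' for tolerable risks, 'treat' for those needing a treatment plan."""
    return "accept" if score(risk) <= threshold else "treat"


def build_register(risks, threshold: int = ACCEPT_THRESHOLD):
    """Return the register sorted worst-first so treatment starts at the top."""
    rows = [{"asset": r.asset, "threat": r.threat, "score": score(r),
             "decision": decision(r, threshold)} for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample inventory; the laptop entry mirrors the article's example.
SAMPLE_RISKS = [
    Risk("Sales laptop", "Loss or theft with customer data on disk", 5, 2, 3, 4),
    Risk("Internal wiki", "Outage of the hosting VM", 1, 2, 3, 2),
    Risk("HR database", "Unauthorised modification of payroll records", 4, 5, 2, 2),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['score']:>3}  {row['decision']:<6} {row['asset']}: {row['threat']}")
```

The laptop risk scores 20 and is flagged for treatment, which in the article's example is an avoidance control (a policy that customer data is never stored on laptops); the wiki outage scores 6 and is accepted.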

Maintaining an ISMS

1. Continually test and review risks

An ISMS is built to address the risks that had been identified at the time, but the threat landscape is constantly evolving. Therefore, regularly monitor the risks the organisation faces to ensure that your defences remain adequate. This includes vulnerability scans and other tools that can automatically spot new risks, and rigorous tests must be performed on a regular basis.

To remain compliant, an ISO 27001 risk assessment must be completed at least once a year or whenever there is a substantial change to the organisation.

2. Keep documentation up to date

The policies and processes written during the initial implementation will have been created specifically for the way your organisation operated at that time. However, as operations evolve, it is important that the documentation takes account of the changes. For example, is there a significant change in the way you perform certain actions? Have you undertaken new activities involving sensitive data? Have the physical premises changed in any way? If the answer to any of those questions is yes, then you must amend your documentation accordingly.

3. Perform internal audits

An internal audit provides a comprehensive review of the effectiveness of your ISMS. Alongside a risk assessment and a documentation review, it will help you assess the status of your ISO 27001 compliance. An internal audit will have been carried out as part of the initial certification process; it just needs to be updated.

4. Keep senior management informed

Remedying vulnerabilities will take time and resources, which require board-level approval. Therefore, keep senior management informed of both the activities involved in maintaining the ISMS and the benefits it has brought.

5. Establish a regular management review process

Involving stakeholders in the review process ensures that opportunities for improvement and any necessary changes are discussed. There is no requirement for how often the management review should take place, but it should be at least once a year and ideally every six months.

6. Stay on top of corrective actions

Regularly monitor the effectiveness of the organisation’s ISMS, and perform corrective actions to prevent weaknesses from spilling over into major problems. Some of these changes could be minor tweaks to processes and policies, or the addition of a new tool.

7. Promote ongoing information security staff awareness

One of the key principles of ISO 27001 is that effective information security is everybody’s responsibility. Compliance should not be left to the IT department or managers. Anyone in the organisation who handles sensitive data plays a role in the organisation’s security. They must understand their obligations for protecting sensitive information and appreciate the stakes involved.