
What is an Information Security Management System (ISMS) and how does it relate to ISO 27001?

When I was first involved with information management standards almost 20 years ago, I used to get very confused with all the jargon and abbreviations auditors and consultants were throwing at me.  Management system standard, IMS, ISMS, ISO 27001, 27002, 27005, 27k, accreditation, certification, UKAS, IAF… they eventually all made sense but one that took slightly longer to fall into place is ISMS.

ISMS confused me because it seemed to mean different things to different people: to some people it seemed to mean a software application, to some it was synonymous with ISO 27001 and to others it was synonymous with some other information security standard!

This article is for you if:

  • you are new to information security and the world of information management standards
  • you want to unpick the jargon
  • you want a clear view of what ISMS means and how it relates to ISO 27001
  • you want information to help you decide whether you should implement an ISMS with ISO 27001
 

Reading time: 13 minutes

No time to read the whole article? Jump straight to the key takeaways at the bottom of the page.

What is an ISMS?

Firstly, before diving into describing what an ISMS is, I’d like to clarify what a Management System is.  The International Standards Organisation defines a management system as follows: 

A management system is the way in which an organization manages the interrelated parts of its business in order to achieve its objectives. 

In practice this means a management system is a set of agreed processes, policies and procedures used by an organisation to ensure it can improve and perform the tasks necessary to achieve its objectives.  The objectives could be in relation to its environmental performance, quality of products and services, occupational health and safety risks or information security risks. 

Consequently, an information security management system refers to a set of agreed processes, policies and procedures which manage the risks to the security of an organisation’s information and help it achieve its objective of protecting that information.

Management system standards, in addition to providing a blueprint for management systems, assume that in order for the organisation to achieve its objectives, it needs to improve.  They are therefore based on Deming’s Plan-Do-Check-Act model of continuous improvement:

Plan: Assess your risks, define roles and responsibilities and agree processes, policies and procedures that will help you achieve your objectives; 

Do:  Implement those processes, policies and procedures; 

Check: Define measures, monitor them and perform internal audits to see if the processes, policies and procedures are followed and are working as expected; 

Act: Based on the monitoring and internal audit results obtained in the previous step, make decisions to either maintain the processes, policies and procedures or amend them. 

Plan-Do-Check-Act Cycle Diagram

Why should you have an ISMS?

What is the ISO 27001 standard and how does it relate to an ISMS?

The very first sentence in BS EN ISO/IEC 27001:2017 (that’s the full official reference to ISO 27001 in the UK) is: “This International Standard has been prepared to provide the requirements for establishing, implementing, maintaining and continually improving an information security management system.”

In other words, ISO 27001 is a “How-to” guide to having an ISMS.

While there are quite a few types of ISMS, I have chosen to be an ISO 27001 consultant and so favour this international standard over others.  Why? Because it’s recognised internationally, applies to all types of information (digital and paper-based) and can be scaled in accordance with the needs of the organisation implementing it, regardless of its type or size.  The British Standards Institute have certified “one-man bands” all the way up to global organisations with tens of thousands of employees.

Can ISO 27001 be implemented in a startup, small business or charity?

Yes. The standard doesn’t prescribe which procedure or technology you need to have and so wouldn’t expect a small organisation to invest large sums it cannot afford in complex technology.  Instead it expects that an information security management system implementation will be scaled in accordance with the needs of the organisation. 

Can we implement ISO 27001 on our own, without consultants?

In my experience, the world of international and British standards is baffling to the uninitiated. It took me a good few years to understand everything auditors were telling me.  Auditors seem to speak a completely different language to the rest of us and often assume you understand. Combine that with the world of information security, which is moving at the speed of light and encompasses a vast amount of knowledge, and you have a recipe for confusion.

In light of that, yes, it is entirely possible to implement ISO 27001 without consultants if: 

  1. You have enough technical knowledge internally to understand where the risks to information security are and how to go about minimising those risks; 
  2. You are prepared and have time to read on the topic of ISO 27001; 
  3. You have access to a comprehensive toolkit to get you started and guide you to certification. 

How to implement an ISMS using ISO 27001

The diagram below gives you a high-level overview of our 12-step approach to implementing ISO 27001.  If you want more details, we have a separate article on this topic: please have a look at How to implement ISO 27001.

ISO 27001 ISMS 12 step implementation process

What are the ISO 27001 requirements?

In a management system standard, requirements are indicated by the word “shall”.  Anything that follows “shall” must be in place in order for a certificate to be given. For example, section 6.1.2 a) of ISO 27001 reads as follows:

ISO 27001 extract from Information security risk assessment 6.1.2

There are four requirements from this extract:

  • An information security risk assessment process must be defined
  • An information security risk assessment process must be applied
  • The process must establish and maintain criteria to guide decisions on which risks to accept
  • The process must establish and maintain criteria to guide decisions on when to perform a risk assessment


Overall, there are over 200 such requirements.  At a high level the key aspects they cover include the objectives of the ISMS, scope, roles and responsibilities, competence, communication and awareness, Information Security Policy, Risk Management Framework, documentation, performance evaluation and continuous improvement.

What is an information security policy?

The Cambridge Dictionary defines a policy as “a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government, or a political party”.

In the context of ISO 27001’s ISMS, an Information Security Policy is therefore a plan that defines what to do to maintain the security (i.e. confidentiality, integrity & availability) of information, which has been agreed by an organisation. 

It generally contains the scope, objectives, a commitment to keep information in scope secure and a commitment to continuous improvement.  It has to be formally documented, be communicated within the organisation and be available to interested parties as appropriate (e.g. to customers).

How much does ISO 27001 cost?

There are four sources of costs to consider when assessing the budget required and putting a business case together.

If you are serious about ISO 27001, please buy the standard!

For some reason people will buy books on how to implement the standard and even commission consultants before they buy the standard itself. Don’t ask me why, I don’t know!

Will I need to invest in new technology?

This very much depends on what you currently have in place and the results of your risk assessment, but the quick answer is yes, you probably will need to invest in technology solutions.  

To help answer this question better, below is a diagram of the 14 categories of controls in Annex A which you have to consider.  It is not a requirement to implement them all, but if you choose not to, it is a requirement to justify why you don’t think they are necessary.  

Note that when making a decision on controls to implement, the relative costs and expected benefits of each control, considered both individually and in relation to other controls, should be taken into account. That’s why ISO 27001 is scalable and can apply to very small micro-businesses as well as large global organisations.

How long will it take to implement?

The certification process for ISO 27001 requires two audits to take place, 2-3 months apart. 

  • The first audit (Stage 1) verifies that the documentation you have put in place conforms to the standard to make sure all requirements are covered;  
  • The second audit (Stage 2) verifies that the controls are in place and working, policies and procedures are adhered to and ISMS activities are being tracked and implemented. 

 

Getting ready for the Stage 1 audit can take as little as 4-5 weeks if your organisation is small, has people with time and has a good toolkit to start from.

However, if you consider the lead time to choose a certification body and obtain a date from them, plus the time it will take to do your risk assessment and implement the controls, you will do exceptionally well to certify (i.e. pass the Stage 2 audit) in less than 6 months, even if you have consultants helping you.

A more realistic timeframe is 6-12 months, or even 18-24 months if the scope is large and includes multiple locations and/or thousands of people.

What’s the difference between compliance and certification?

You may have heard the phrase “we comply with” or “we work in compliance with”.  I’ve often heard these phrases used, particularly in reference to BS 10008 (Evidential weight and legal admissibility of electronically stored information – see our blog on this standard if you want more information on it).   

They are often used in tender responses when the tender documents specify a certain standard is required but the respondent does not have external certification, i.e. cannot produce a certificate issued by a certification body. 

Certification by an external body is not necessary to comply with a Standard.  In fact, the vast majority of standards published by the British Standards Institute (BSI) do not have a formal certification scheme. Only a few do. Where there isn’t an official scheme, organisations self-certify. 

In summary, “we comply with” generally means an organisation has self-certified.  On the other hand, “we are certified” means an accredited external body has audited us and confirmed that we do indeed operate in compliance with a standard. 

Which one is best? While technically speaking there is nothing wrong with self-certification, in reality obtaining certification by an external body brings compliance to a completely different level.  It is all very well going through the implementation process, writing all the policies and procedures and rolling them out, but if no external body comes to scrutinise what you are doing, then it is very much like marking your own exam!  With all the best intentions in the world, the level of rigour just isn’t the same. 

How do I get ISO 27001 certification and why should I get certified?

In the vast majority of cases, organisations embark on the 27001 journey because customers are requesting a certificate.  Obtaining external certification or not is therefore not really an option.  In my opinion, external certification is extremely valuable. It brings compliance to a whole new level and is the engine for continuous improvement. There’s nothing quite like annual audits from an external body to align opinions, avoid complacency and speed up decision making.

You do however need to select a reputable certification body who are themselves accredited to ISO/IEC 17021-1 by the relevant authority.  Otherwise your certificate might not be accepted by clients and/or in tenders. In the UK that authority is the United Kingdom Accreditation Service (UKAS), which is itself a member of the International Accreditation Forum (IAF). The IAF has a list of similar bodies worldwide.

Key takeaways

An information security management system (ISMS) refers to a set of agreed processes, policies and procedures which manage the risks to the security of an organisation’s information and help it achieve its objective of protecting that information.

ISO 27001 is one type of ISMS.  It is a “How-to” guide to having an ISMS.  It’s an international standard that is widely recognised and can be scaled up to global organisations with thousands of employees, or down to one-man bands.

Implementing an ISMS using ISO 27001 will allow you to sell to clients who demand certification, such as public bodies and large businesses.

Implementing ISO 27001 is likely to take between 9 and 24 months, depending on the size of the organisation, the level of standards and information security knowledge internally and whether external consultants are involved or not.

The cost of implementing an ISMS with ISO 27001 will likely come from the following sources:

  • Cost of certification
  • Cost of technical solutions you’ll need to mitigate your key information security risks
  • Cost of internal staff who will implement the ISMS and manage it on an on-going basis
  • Cost of external consultants and/or training courses for your staff.


Start with buying the standard and reading it.

Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO 27001 Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.