The Cyber Academy take
An ISMS is the documented system you run to protect information assets, risk-based, evidence-backed, under management review. It is not a binder of policies. Auditors do not grade your policies; they grade your operating evidence. Plan-Do-Check-Act cycle, certified under ISO 27001, with the SoA as the central artefact.
What an ISMS actually is
An Information Security Management System is the operating system you run to protect information assets in a deliberate, repeatable way. The word that matters most is "system". It is not the security tooling, and it is not a folder of approved policies sitting on a shared drive. It is the set of processes, roles, decisions and records through which an organisation identifies what information it must protect, decides how much risk it is willing to accept, chooses controls to treat that risk, and then proves those controls are actually working over time. A policy says what should happen. An ISMS is the machinery that makes it happen and generates evidence that it did.
The defining characteristics are that it is risk-based and evidence-backed, and that it operates under management review. Risk-based means controls are not selected from a wish list but justified by a documented assessment of threats to specific assets. Evidence-backed means every control has artefacts behind it: access reviews that were performed, logs that were monitored, incidents that were handled, training that was delivered. Management review means leadership owns the system, sets its objectives, and periodically inspects whether it is meeting them. Remove any of those three and you have a security programme, not a management system.
Why auditors grade evidence, not policies
A common and expensive misunderstanding is that certification is about having good documentation. It is not. A certification auditor assumes you can write a competent access control policy. What they are there to verify is whether your operating reality matches what your documents claim. They will ask to see the last access review and check it was actually completed, sample tickets to confirm changes were authorised, and trace an incident from detection through to lessons learned. Pretty policies with no operating evidence behind them fail audits. This is why practitioners describe the ISMS as something you run, not something you write.
Plan-Do-Check-Act: how the system stays alive
An ISMS is built to improve continually rather than be perfected once. Most implementations follow the Plan-Do-Check-Act cycle, which keeps the system honest:
- Plan: establish the scope, assess risks, set security objectives, and select controls to treat the risks you have identified.
- Do: implement and operate those controls and the supporting processes day to day.
- Check: monitor, measure, audit internally and run management reviews to see whether the controls work and the objectives are being met.
- Act: correct what is failing, address the root causes of nonconformities, and feed improvements back into the next cycle.
That loop is what separates a living ISMS from a one-off compliance push. A risk register reviewed once a year and never touched again is not an ISMS in any meaningful sense, even if it produced a certificate at some point.
Where it sits among neighbouring concepts
The ISMS is the framework, certified under ISO/IEC 27001, the international standard that specifies the requirements a management system must meet. ISO/IEC 27001 is the certifiable requirements standard; companion guidance such as ISO/IEC 27005 supports the risk assessment and risk treatment work that feeds it. People often conflate the ISMS with the controls inside it, but the controls are inputs the system selects and operates. They are not the system. The discipline of the ISMS is precisely that it forces every control back to a risk and every risk back to a documented decision by people who are accountable for it.
Frequently asked questions
01Is an ISMS the same as ISO 27001?
Not quite. An ISMS is the management system itself: the processes and evidence you run to protect information. ISO/IEC 27001 is the standard that specifies what such a system must contain, and the framework against which an ISMS can be certified. You can operate an ISMS without certifying it, but certification means an accredited body has audited yours against ISO 27001.
02What is the Statement of Applicability and why does it matter so much?
The Statement of Applicability, or SoA, is the document that lists every reference control, says whether it applies to your organisation, and justifies each decision against your risk assessment. It is the central artefact of an ISMS because it links your risks to your controls, and auditors use it as the map for everything else they inspect.
03Do we need every control to certify?
No. Controls are selected based on your risk assessment, and exclusions are allowed as long as they are justified in the Statement of Applicability and do not undermine your ability to manage the risks within scope. The point is a defensible, risk-based selection, not maximum coverage for its own sake.
04How long does an ISMS take to set up?
It varies widely with scope, organisation size and how mature existing security practices already are. The bigger constraint is usually evidence: an ISMS needs controls that have been operating for long enough to produce records an auditor can sample, so even a well-prepared organisation needs an operating period before a certification audit is meaningful.
05Who owns the ISMS internally?
Accountability sits with top management, who must demonstrate leadership, set objectives and conduct management reviews. Day-to-day coordination is typically led by an information security manager or equivalent role, but ownership cannot be delegated away from leadership without breaking the management-review requirement at the heart of the standard.