Skip to content
360 Cyber Compliance

ISO 27001 · 1 July 2026

What is an ISMS? The heart of ISO/IEC 27001 explained

An Information Security Management System (ISMS) is the framework of policies, processes, people and technology that an organisation uses to keep its information safe. It sits at the very heart of ISO/IEC 27001:2022, the international standard for information security, and understanding it is the first step towards certification.

This guide explains what an ISMS is, what it contains, and how it works in practice.

An ISMS is a system, not a document

The most common misunderstanding is that an ISMS is a folder of policies. It isn’t. An ISMS is a management system — a structured, repeatable way of running information security so that risks are identified, treated and reviewed on an ongoing basis. Policies are part of it, but so are risk assessments, staff responsibilities, technical controls, monitoring and continual improvement.

Think of it the way you might think of a quality management system or a health-and-safety system. It is a living way of working, not a one-off project you complete and file away.

Why organisations build an ISMS

A well-run ISMS helps you to:

  • Protect confidentiality, integrity and availability of information — the three pillars of information security.
  • Manage risk deliberately rather than reacting after something goes wrong.
  • Win and keep contracts, as more clients and public-sector buyers now ask suppliers for ISO/IEC 27001 certification.
  • Demonstrate diligence to regulators, customers and partners.
  • Reduce the likelihood and impact of data breaches and disruption.

For software firms, care providers and other SMEs handling sensitive data, an ISMS turns “we take security seriously” into something you can evidence.

What an ISMS actually contains

ISO/IEC 27001 sets out the required elements. At a high level, an ISMS brings together the following components.

ComponentWhat it does
ScopeDefines which parts of the business, systems and information the ISMS covers
Information security policyThe top-level statement of intent, approved by leadership
Risk assessmentA structured method for identifying and evaluating information security risks
Risk treatment planHow each significant risk will be addressed
Statement of Applicability (SoA)Lists the Annex A controls, whether each applies, and why
ControlsThe safeguards you put in place, drawn from Annex A’s 93 controls
Roles and responsibilitiesWho owns and operates each part of the system
Monitoring and measurementHow you check the ISMS is working
Internal audit and management reviewRegular checks and leadership oversight
Continual improvementFixing weaknesses and adapting to change

You can explore several of these in more depth in our companion guides, including how to conduct a risk assessment and the Statement of Applicability explained.

The management system clauses (4 to 10)

The main body of ISO/IEC 27001 is organised into clauses. Clauses 4 to 10 describe the mandatory requirements for the ISMS itself:

  • Clause 4 — Context of the organisation: understanding your organisation, interested parties and the scope of the ISMS.
  • Clause 5 — Leadership: top management commitment, the security policy, and clear roles.
  • Clause 6 — Planning: risk assessment, risk treatment and setting security objectives.
  • Clause 7 — Support: resources, competence, awareness, communication and documented information.
  • Clause 8 — Operation: actually carrying out the risk treatment and running your controls.
  • Clause 9 — Performance evaluation: monitoring, internal audit and management review.
  • Clause 10 — Improvement: handling nonconformities and driving continual improvement.

These clauses are where certification auditors focus, because they show whether the ISMS is genuinely operating — not just written down.

Annex A: the controls toolbox

Alongside the management clauses sits Annex A, which lists 93 controls grouped into four themes: organisational, people, physical and technological. These are the practical safeguards — things like access control, secure development, supplier management and incident response — that you select to treat your risks. You don’t automatically implement all 93; you choose the ones relevant to your risks and record your reasoning in the SoA. Our guide on Annex A controls explained walks through each theme.

How the ISMS keeps improving: Plan-Do-Check-Act

An ISMS follows a continual improvement cycle, often described as Plan-Do-Check-Act:

  1. Plan — assess risks and decide how to treat them.
  2. Do — implement the controls and processes.
  3. Check — monitor, measure and audit whether they work.
  4. Act — correct problems and improve.

This cycle is what makes an ISMS resilient. Threats change, your business changes, and the system adapts rather than going stale.

How big does an ISMS need to be?

Right-sized. A ten-person software company and a multi-site care group will both have an ISMS, but the scale, complexity and documentation will differ. ISO/IEC 27001 is deliberately flexible: it tells you what must be in place, not how much paperwork to produce. A common mistake is over-engineering — creating dozens of policies nobody follows. A leaner, well-understood system usually performs better in an audit and in real life.

If your organisation is earlier in its journey, lighter-touch schemes such as Cyber Essentials or IASME Cyber Assurance can be a sensible stepping stone before full ISO/IEC 27001 certification.

Common terms explained

Information security has its own vocabulary — ISMS, SoA, risk treatment, nonconformity and more. If a term is unfamiliar, our glossary sets out the key definitions in plain English.

How we can help

Building an ISMS from scratch can feel daunting, but it doesn’t have to be. We offer practical support throughout — from defining your scope and running your first risk assessment to preparing for certification — through a transparent, fixed-fee engagement with a clear delivery process. A good starting point is our free ISO 27001 gap assessment tool, which shows where you stand today.

To talk it through, learn more about our ISO 27001 service or get in touch.

Need help in practice? See our ISO 27001 service.

Need a hand with this?

Book a free, no-obligation readiness check.