An information security management system (ISMS) is, as the name suggests, a set of policies concerned with information security management. The idiom arises primarily out of ISO/IEC 27001.

The key concept of ISMS is for an organisation to design, implement and maintain a coherent suite of processes and systems for effectively managing information accessibility, thus ensuring the confidentiality, integrity and availability of information assets and minimising information security risks.

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organisation and external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA) Deming approach to continuous improvement:

Plan-Do-Check-Act

• The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
• The Do phase involves implementing and operating the controls.
• The Check phase's objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
• In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and related standards published jointly by ISO and IEC.

ISO/IEC 27001, part of the growing ISO/IEC 27000 series of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 - Information technology—Security techniques—Information security management systems—Requirements but it is commonly known as "ISO 27001".

ISO 27001 essentially replaced and enhanced the content of BS7799-2 and harmonised it with other standards. A scheme has been introduced by various certification bodies for conversion from BS7799 certification to ISO27001 certification.

The objective of the standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organisation's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organisation".

ISO/IEC 27002 part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC 27000 series' is an information security standard published by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007, bringing it into line with the other ISO/IEC 27000-series standards. It is entitled Information technology - Security techniques - Code of practice for information security management. The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:

the preservation of confidentiality (ensuring that information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information and processing methods) and availability (ensuring that authorised users have access to information and associated assets when required).

Outline of the standard

After the introductory sections, the standard contains the following twelve main sections:

1. Risk assessment
2. Security policy - management direction
3. Organisation of information security - governance of information security
4. Asset management - inventory and classification of information assets
5. Human resources security - security aspects for employees joining, moving and leaving an organisation
6. Physical and environmental security - protection of the computer facilities
7. Communications and operations management - management of technical security controls in systems and networks
8. Access control - restriction of access rights to networks, systems, applications, functions and data
9. Information systems acquisition, development and maintenance - building security into applications
10. Information security incident management - anticipating and responding appropriately to information security breaches
11. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
12. Compliance - ensuring conformance with information security policies, standards, laws and regulations

Within each section, information security controls and their objectives are specified and outlined. The information security controls are generally regarded as best practice means of achieving those objectives. For each of the controls, implementation guidance is provided. Specific controls are not mandated since:

1. Each organisation is expected to undertake a structured information security risk assessment process to determine its specific requirements before selecting controls that are appropriate to its particular circumstances. The introduction section outlines a risk assessment process although there are more specific standards covering this area such as ISO/IEC 27005.
2. It is practically impossible to list all conceivable controls in a general purpose standard. Industry-specific implementation guidelines for ISO/IEC 27001 and '27002 are anticipated to give advice tailored to organisations in the telecomms, financial services, healthcare and other industries.