
Introduction to Information Security Management System ISMS

Posted by: Mr. Nur Kamal Kamari Date: 28 Jul 2023


Technology has opened enormous opportunities for humanity but has also exposed us to new risks. Businesses now rely heavily on technology, and that reliance makes them vulnerable to cyber-attacks. To keep the environment secure and efficient, companies must ensure that policies, processes, systems, and stakeholders work together to minimise risk. A framework such as an Information Security Management System (ISMS) provides that structure: it defines what must be done, how, when, and where. An ISMS therefore plays a vital role in safeguarding organisations in the digital era.


An Information Security Management System (ISMS) is the set of policies, processes, and controls through which an organisation systematically manages its information security and the associated risks. The controls can follow a mainstream standard or be tailored to a specific industry. An ISMS is built around risk assessment and risk treatment, offering a standardised framework that is then customised to the needs of the organisation and its sector. A framework makes implementation and adherence to organisational practice consistent, but the constantly changing technology landscape demands continuous adaptation. Here an ISMS excels: its Plan-Do-Check-Act (PDCA) cycle is designed for ongoing improvement, so the system can keep pace with an evolving threat environment.


ISO 27001 is the leading international standard for information security; it specifies the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its primary objective is to ensure that businesses protect their most valuable asset, information, in a systematic way and within tolerable risk levels. ISO 27001 lets organisations adopt practices tailored to their own information systems while meeting its mandatory requirements, including the selection and implementation of appropriate controls.

The standard's Annex A groups 93 controls into 4 themes (organisational, people, physical, and technological) covering information security, process management, people management, and legal and regulatory requirements. Not all controls apply to every organisation: firms adopting ISO 27001 select the controls that address their own risks and requirements, and record which controls were chosen, which were excluded, and why, in a Statement of Applicability.

Upon adopting ISO 27001, organisations must produce the mandatory documentation set out in the standard's clauses and sub-clauses, such as the scope of the ISMS, an information security policy and information security objectives, a risk assessment report, a risk treatment plan, and the Statement of Applicability. The standard also requires specific records to be retained, including the internal audit programme and its findings, the results of management reviews, and evidence of nonconformities and corrective actions.

To demonstrate that the ISMS is properly implemented and maintained, companies are encouraged to pursue ISO 27001 certification by an accredited certification body. Certification is not a one-off event: a certificate is valid for three years, with surveillance audits in between and a recertification audit at the end of the cycle, so compliance with the standard's requirements has to be sustained rather than achieved once.


Despite the undeniable importance of security systems and risk mitigation, some organisations hesitate to adopt an ISO 27001-compliant ISMS because of financial constraints and decision-making hurdles. The core challenges hindering implementation are:

  • Convincing the Board: Proposals presented to senior leadership often fail to convey why ISMS implementation is critical. The case must be made in business terms, especially in the face of cyber-attacks: the financial, legal, and reputational losses a breach would cause, and the specific business benefits the ISMS delivers.
  • Budget and Financial Costs: Implementing an ISMS involves compliance with the standard, documentation, training of personnel, and changes to business processes, and these add up to a substantial sum. The Board and decision-makers need to see that these costs are justified: an ISMS protects vital information and prevents financial, reputational, legal, and business losses that can far exceed the cost of an ISO 27001-compliant implementation.
  • Getting the Right Talent: An ISMS is only as effective as the people who run it. Organisations need staff with the competence to own the risk assessment, maintain the documentation and controls, and carry out internal audits, and the standard itself requires that this competence be determined, provided, and evidenced.

TRANSITION FROM ISO/IEC 27001:2013 TO ISO/IEC 27001:2022

After the previous edition in 2013, ISO/IEC 27001 was revised in 2022 to address the issues that businesses face today.

The major changes are in Annex A, which was aligned with the revised ISO/IEC 27002:2022: cyber security and privacy concerns were added, the control language was refreshed, and new controls were introduced. The 114 controls in 14 domains of the 2013 edition became 93 controls in 4 themes: 11 controls are new, 58 were updated, and 57 were merged into 24. The 11 new controls cover threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.

The key areas of change are as follows:

  1. The emergence of new digital technologies such as automation
  2. Increased adoption of such technologies
  3. Recognising security and privacy threats
  4. Recognising the presence of advanced ransomware and malware
  5. Aligning with other practices to ensure holistic security

These changes affect several parts of the organisation, including the IT function, corporate security, and leadership and management.

The new version of ISO/IEC 27001 was published on 25 October 2022 with a three-year transition period, so certificates issued against the 2013 edition must be transitioned to the 2022 edition by 31 October 2025, after which 2013 certificates are no longer valid.


In today's data-driven world, an ISO 27001-compliant ISMS is essential for businesses. With vital information held across network infrastructure, the ISMS keeps business processes effective and efficient by protecting the data they depend on. Implementing an ISMS has become a prerequisite for doing business in the contemporary landscape.
