ISMS (Information Security Management System)

ISO 27001

A documented, risk-based management system for information security — the object of ISO 27001 certification.

An Information Security Management System (ISMS) is a structured, risk-based management system covering people, processes, and technology used to manage information security. Clauses 4–10 of ISO 27001 define the mandatory management-system requirements (context, leadership, planning, support, operation, evaluation, improvement).

Why it matters
ISO 27001 certifies the management system, not individual controls. Auditors will fail a program with strong controls but no documented risk-treatment plan or management-review minutes.

Related terms

ISO/IEC 27001
International standard for an Information Security Management System (ISMS) with 93 Annex A controls.
ISO 27001 Annex A
The catalogue of 93 reference controls (2022 edition) across Organisational, People, Physical, and Technological themes.
Risk Assessment
Structured identification, analysis, and evaluation of risks to assets, processes, or data.
Statement of Applicability (SoA)
ISO 27001 document declaring which Annex A controls apply, why, and how — central artefact for certification.