What Is an ISMS? The ISO 27001 Information Security Management System
An ISMS — an information security management system — is the set of policies, processes, roles, and decisions an organization runs to manage information risk deliberately and improve it over time. ISO/IEC 27001:2022 specifies what a conforming ISMS must contain, and certification is what proves yours actually works.
What an ISMS actually is
An information security management system (ISMS) is the framework an organization uses to manage the confidentiality, integrity, and availability of its information — not as a one-off project, but as an ongoing, governed activity. It is the combination of policies, processes, defined roles, risk decisions, controls, and records that together make security a deliberate management discipline rather than a scattered set of technical fixes. ISO/IEC 27001:2022 is the international standard that specifies the requirements a conforming ISMS must meet, and against which an organization can be certified.
The key word is system. An ISMS is not a document, a tool, or a department — it is the way those pieces are organized to work together and reinforce each other. Leadership sets direction and assigns responsibility; a risk assessment identifies what could go wrong; controls reduce those risks; people operate the controls; and measurement and review feed back into the next cycle. Remove any one of those parts and you no longer have a management system; you have a collection of artifacts.
This is why ISO 27001 is described as a management-system standard rather than a control catalog. Its core requirements (clauses 4 to 10) are about how you run security as a system. The well-known catalog of controls — Annex A — supports that system but does not replace it. An organization can hold an impressive set of security tools and still lack a conforming ISMS, because the standard is asking a different question: not 'what controls do you have?' but 'how do you manage information risk, and how do you keep getting better at it?'
The management-system approach: clauses 4 to 10
The requirements an ISMS must satisfy live in clauses 4 through 10 of ISO/IEC 27001:2022, and they follow a deliberate sequence. Clause 4 (Context) asks you to define what the ISMS covers — your scope, the internal and external issues that affect it, and the interested parties whose needs it must meet. Clause 5 (Leadership) requires top management to own the system: to set an information security policy, assign roles and responsibilities, and demonstrate genuine commitment rather than delegating it and walking away. Clause 6 (Planning) is where you assess and treat information security risks, set objectives, and produce the Statement of Applicability. These three clauses together define and plan the system.
Clause 7 (Support) and clause 8 (Operation) are where the system runs. Support covers the resources, competence, awareness, communication, and documented information the ISMS needs to function; Operation requires you to actually carry out the risk treatment plan and operate the controls and processes you decided on. Clause 9 (Performance evaluation) closes the loop with monitoring, measurement, internal audit, and a formal management review, so leadership periodically examines whether the ISMS is effective. Clause 10 (Improvement) then requires you to act on what you found — correcting nonconformities and continually improving the system.
Read in order, clauses 4 to 10 map onto a continual-improvement cycle commonly described as Plan-Do-Check-Act (PDCA): plan the system and how to manage risk (clauses 4 to 6), do the work of supporting and operating it (7 to 8), check that it is working through audit and review (9), and act to fix and improve it (10). The 2022 edition does not prescribe 'PDCA' by name in its clauses, but the structure embodies that cycle — and the cycle is the point. An ISMS is never 'finished'; it is meant to turn continuously, getting more accurate and more effective with each pass.
Risk assessment: the engine of the system
What makes ISO 27001 adaptable to a two-person startup and a multinational alike is that it is risk-driven rather than prescriptive. The standard does not hand you a fixed list of controls to install. Instead, clause 6.1.2 requires you to establish and apply a repeatable process for assessing your information security risks, and clause 6.1.3 requires you to treat them — deciding, for each risk you act on, how you will modify, avoid, share, or retain it, and determining the controls that decision requires. Your risk assessment is therefore the engine that drives the rest of the system: it decides which controls you need and why.
This is also what gives an ISMS its proportionality. A small business with no on-premises servers and no software development will reach different, defensible conclusions than a SaaS provider hosting customer data — and both can conform, because both arrived at their controls through an honest assessment of their own risks rather than by copying someone else's. Risk owners must approve the treatment plan and accept the residual risk that remains, which puts accountability for those decisions where it belongs: with the business, not the IT team alone.
Because the environment changes, the assessment cannot be a one-time exercise. New systems, new suppliers, new types of data, and serious incidents can all change your risk picture, so a conforming ISMS revisits its risk assessment on a defined cycle and after significant change. (We cover the mechanics in a dedicated article on the ISO 27001 risk assessment.)
Annex A controls and the Statement of Applicability
Annex A of ISO/IEC 27001:2022 is the reference set of controls an ISMS draws on. The 2022 edition contains 93 controls grouped into four themes — Organizational (A.5, 37 controls), People (A.6, 8 controls), Physical (A.7, 14 controls), and Technological (A.8, 34 controls). This replaced the 2013 structure of 114 controls across 14 domains, so summaries written against the older layout are out of date. Crucially, Annex A is used as a completeness check: after your risk treatment determines the controls you need, you compare that set against Annex A to confirm you have not overlooked anything — not as a menu you shop from in isolation.
The document that records the result is the Statement of Applicability (SoA). Required by name in clause 6.1.3 d), the SoA lists every one of the 93 Annex A controls and states, for each, whether it applies to your organization, the justification for including or excluding it, and its implementation status. It is the single document that ties your assessed risks to the specific controls you operate, which is why an auditor typically opens it first. (Writing one well is the subject of our Statement of Applicability article.)
Together, the risk assessment, the treatment plan, the SoA, and the operating controls form a traceable chain: a risk leads to a treatment decision, which leads to a control, which is recorded in the SoA, and is then backed by evidence that the control actually runs. That traceability — risk to decision to control to proof — is the spine an auditor follows through your ISMS.
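The traceable chain just described (risk to treatment decision to control to SoA entry to evidence) can be checked mechanically once the SoA and treatment plan are kept as structured records. The following is an added example, not code from the article or from any toolkit it mentions; it assumes its own record layout (the `RiskTreatment` and `SoAEntry` fields), derives the 93 Annex A identifiers from the four theme counts stated above, and uses constructed risk ids, justifications and evidence file names as placeholders.

```python
"""Traceability checks over an ISO/IEC 27001:2022 Statement of Applicability.

Added example; it is not code from the original article. It models the chain the
article describes (risk -> treatment decision -> control -> SoA entry -> evidence)
as plain records and reports every place the chain is broken. All sample data is
constructed for illustration: the risk ids, justifications and evidence references
are placeholders, and no Annex A control titles are reproduced.
"""
from dataclasses import dataclass

# Annex A theme sizes in the 2022 edition: 37 + 8 + 14 + 34 = 93 controls.
ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}


def annex_a_control_ids():
    """The 93 Annex A identifiers, numbered consecutively within each theme (A.5.1 ... A.8.34)."""
    return {f"A.{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)}


@dataclass(frozen=True)
class RiskTreatment:
    risk_id: str
    decision: str           # one of: modify, avoid, share, retain
    controls: tuple         # control ids the decision requires (may be empty for retain/avoid)
    owner_approved: bool    # risk owner signed off on the plan and the residual risk


@dataclass(frozen=True)
class SoAEntry:
    control_id: str
    applicable: bool
    justification: str      # reason for inclusion or exclusion (always required)
    status: str = ""        # implementation status; required when applicable
    evidence: tuple = ()    # record references proving the control runs; required when applicable


def validate_soa(entries, treatments):
    """Return sorted (subject, finding) pairs; an empty list means the chain is unbroken."""
    findings = []
    by_id = {}
    for e in entries:
        if e.control_id in by_id:
            findings.append((e.control_id, "duplicate SoA entry"))
        by_id[e.control_id] = e

    # 1. Completeness check against Annex A: nothing missing, nothing invented.
    expected, present = annex_a_control_ids(), set(by_id)
    findings += [(c, "control absent from SoA") for c in expected - present]
    findings += [(c, "not an Annex A:2022 control id") for c in present - expected]

    # 2. Which controls the treatment plan actually requires, and whether it was approved.
    required_by = {}
    for t in treatments:
        if not t.owner_approved:
            findings.append((t.risk_id, "treatment plan not approved by risk owner"))
        for c in t.controls:
            required_by.setdefault(c, []).append(t.risk_id)
            if c not in by_id:
                findings.append((c, f"required by {t.risk_id} but missing from SoA"))

    # 3. Every entry is justified; applicable ones are traced, statused and evidenced.
    for e in by_id.values():
        if not e.justification.strip():
            findings.append((e.control_id, "missing justification"))
        if e.applicable:
            if not e.status:
                findings.append((e.control_id, "applicable but no implementation status"))
            if not e.evidence:
                findings.append((e.control_id, "applicable but no evidence reference"))
            if e.control_id not in required_by:
                findings.append((e.control_id, "applicable but not traced to any risk treatment"))
        elif e.control_id in required_by:
            findings.append((e.control_id,
                             f"excluded but required by {', '.join(required_by[e.control_id])}"))
    return sorted(findings)


def baseline_entries(justification="not applicable: outside the ISMS scope (constructed)"):
    """An SoA in which every Annex A control is justified as excluded; a valid starting point."""
    return {c: SoAEntry(c, False, justification) for c in annex_a_control_ids()}


def sample_soa():
    """A constructed SoA with four deliberate defects, built on top of the baseline."""
    soa = baseline_entries()
    # Two constructed risks whose treatment decisions require controls (ids chosen arbitrarily).
    treatments = [
        RiskTreatment("R-01", "modify", ("A.5.15", "A.8.2"), owner_approved=True),
        RiskTreatment("R-02", "share", ("A.5.19",), owner_approved=True),
    ]
    # Complete chain: traced to R-01, status recorded, evidence referenced (placeholder file).
    soa["A.5.15"] = SoAEntry("A.5.15", True, "required by R-01", "implemented",
                             ("access-review-2024Q4.xlsx",))
    # Defect: traced and statused, but no record proves it runs.
    soa["A.8.2"] = SoAEntry("A.8.2", True, "required by R-01", "implemented")
    # Defect: marked applicable although no risk treatment asked for it.
    soa["A.7.1"] = SoAEntry("A.7.1", True, "added without a linked risk (constructed)",
                            "implemented", ("badge-log-sample.csv",))
    # Defect: R-02 requires A.5.19, yet the SoA keeps its baseline "not applicable" entry.
    # Defect: one Annex A control dropped from the register entirely.
    del soa["A.8.34"]
    return list(soa.values()), treatments


if __name__ == "__main__":
    for subject, finding in validate_soa(*sample_soa()):
        print(f"{subject}: {finding}")
```

Run stand-alone it prints the four broken links in the constructed sample; the same checks against a real register answer the questions an auditor asks when following the SoA: is every control accounted for, does each applicable control trace back to a risk decision, and is there a record showing it runs.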
Why an ISMS is more than a folder of policies
It is tempting to think of ISO 27001 as a documentation exercise — assemble the right policies and you are done. You are not. Documentation is necessary, but the standard is explicit that an ISMS is something you operate: clause 8 requires you to carry out your risk treatment and run your controls, clause 7 requires the competence and awareness to do so, and clause 9 requires you to prove, through monitoring and internal audit, that it all works. A binder of perfect policies that no one follows is the textbook example of an ISMS that exists on paper but not in practice — and auditors are trained to find exactly that gap.
What turns documents into a management system is operation and evidence. An access-control policy is paper; the access reviews you actually perform and log are the ISMS working. A vendor-management policy is paper; the supplier assessments you actually complete are the system running. Records — logs, reviews, tickets, signed acknowledgments, internal audit reports, management-review minutes — are what demonstrate that the system is alive, and they are what an auditor samples for behind every applicable control.
That said, the documentation layer is real work, and starting it from a blank page is slow. This is where an editable toolkit earns its place. The ComplianceDocs ISO 27001 toolkits — the Core Policy Pack and the Complete Toolkit — provide the policies, a risk register, a pre-populated 93-control Statement of Applicability, and an audit evidence checklist as an editable starting point you adapt to your environment. They are honestly the documentation layer, not the management system: they speed readiness by removing the transcription and setup work, but the risk decisions, the operating controls, and the evidence that the ISMS actually runs are yours to supply and yours alone. No document set makes an organization compliant or certified.
Certification: proof that the system works
Certification is the external confirmation that your ISMS conforms to ISO/IEC 27001:2022 and is operating in practice. It is issued only by an accredited certification body — an independent organization assessed by a national accreditation authority — after that body audits your management system. No template, toolkit, consultant, or self-declaration can confer it; certification is earned by passing the audit.
The audit typically runs in two stages. Stage 1 is a documentation and readiness review, where the assessor checks that the required elements of the ISMS exist — scope, policy, risk assessment, treatment plan, SoA — and that you are ready for a deeper look. Stage 2 is the certification audit proper, where the assessor tests whether the system actually operates: they follow the SoA to a control, follow the control to its policy, and then ask for the records that prove the control runs day to day. Once certified, you are not finished — surveillance audits in the intervening years and a recertification audit (typically on a three-year cycle) confirm the ISMS keeps working and keeps improving.
This is why the management-system framing matters so much. Certification is not a verdict on your paperwork; it is a verdict on whether you genuinely run an ISMS. Get the system right — context, leadership, risk-driven controls, operation, evidence, and continual improvement — and the certificate follows from work you are already doing. (Any cost or time references in our ISO 27001 articles are illustrative estimates, not quotes; actual figures vary by organization, scope, and certification body.)
Frequently asked questions
- What does ISMS stand for, and is it the same as ISO 27001?
- ISMS stands for information security management system — the framework of policies, processes, roles, risk decisions, controls, and records an organization uses to manage information security as an ongoing discipline. ISO/IEC 27001:2022 is the international standard that specifies what a conforming ISMS must contain, but the ISMS is the actual system you operate, not the standard itself. In other words, ISO 27001 is the requirements document; your ISMS is what you build and run to meet them. You can hold an ISMS without certifying it, and certification simply confirms your ISMS meets the standard.
- Does ISO 27001:2022 still use the Plan-Do-Check-Act (PDCA) cycle?
- The 2022 edition does not prescribe PDCA by name in its normative clauses — that explicit model was dropped when the standard adopted the common Annex SL management-system structure. However, the clause structure still embodies a continual-improvement cycle that maps cleanly onto PDCA: plan the system and risk treatment (clauses 4 to 6), operate it (7 to 8), check it through monitoring and internal audit (9), and act to improve it (10). So PDCA remains a useful way to understand how an ISMS turns over time, even though the standard no longer names it. The important idea — that the system is never finished and improves each cycle — is fully present in clause 10.
- How is an ISMS different from just having security tools and policies?
- Security tools and policies are components; an ISMS is the management system that organizes them around assessed risk and keeps them working. The difference is operation and accountability: an ISMS requires leadership ownership, a risk assessment that drives which controls you need, evidence that controls actually run, and regular review that feeds improvement. A company can own strong tools and write good policies yet still lack a conforming ISMS, because no one assesses risk, operates the controls consistently, or checks effectiveness. ISO 27001 certifies the system, not the size of your toolset.
- What is the role of the Statement of Applicability in an ISMS?
- The Statement of Applicability (SoA) is the document that connects your risk decisions to your controls. Required by name in clause 6.1.3 d), it lists all 93 Annex A:2022 controls and records, for each, whether it applies, the justification for inclusion or exclusion, and its implementation status. It follows directly from your risk assessment and treatment plan, and it is usually the first document an auditor opens because it serves as an index into the rest of the ISMS. A complete, accurate, current SoA is one of the clearest signals that a management system is real rather than paper.
- Can a toolkit or template make my organization ISO 27001 certified?
- No. A toolkit can give you editable policies, a risk register, a pre-populated Statement of Applicability, and an evidence checklist, which removes the slow setup work and speeds readiness. But it cannot make the risk decisions, operate the controls, or generate the records that prove your ISMS actually runs — those must reflect your real environment and are yours to supply. ISO 27001 certification is issued only by an accredited certification body after it audits a working information security management system. A document set is the documentation layer; the certification, and the operating system behind it, remain yours to earn.
Toolkits that help
ISO 27001 Policy Pack — Core
16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.