What is Information Security Management

An information security management system (ISMS) is a set of policies, procedures and processes for systematically managing an organization's sensitive and critical assets. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach or of a violation of a regulatory obligation.


An ISMS typically addresses all risks to critical assets, including employees, processes, data and technology. It can be targeted at a particular type of data, such as customer data (as in traditional risk management), or it can be implemented comprehensively so that it becomes part of the company's culture (as in enterprise risk management).


When developing an ISMS, a large body of material goes into compiling a comprehensive program. However, three common frameworks form the basis of most ISMS programs:


International Standards Organization Document 27001 – Information Security Management (ISO 27001)


National Institute of Standards and Technology – Special Publication 800-37 – Risk Management Framework


Committee of Sponsoring Organizations – Enterprise Risk Management Framework