An information security management system (ISMS) is a set of policies, procedures and processes for systematically managing an organization's sensitive and critical assets. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach or of a violation of a regulatory obligation.
An ISMS typically addresses all risks to critical assets (including employees, processes, data and technology). It can be targeted at a particular type of data, such as customer data (the approach taken in traditional risk management), or it can be implemented in a comprehensive way that becomes part of the company's culture (the approach taken in enterprise risk management).
Developing an ISMS draws on a large body of material to compile a comprehensive program. However, three common frameworks form the basis of most ISMS programs:
International Organization for Standardization – ISO/IEC 27001 – Information security management systems – Requirements (ISO 27001)
National Institute of Standards and Technology – Special Publication 800-37 – Risk Management Framework for Information Systems and Organizations
Committee of Sponsoring Organizations of the Treadway Commission (COSO) – Enterprise Risk Management – Integrated Framework