What does it mean when ISO 27001 references an ISMS? ISMS stands for Information Security Management System. It is a programmatic structure that allows you to build a security framework and a set of controls specific to, and tailored to, your organization. In other words, it is a defined process for selecting customized security controls based on the risks your organization actually faces.
When done right, ISO 27001 differs markedly in approach and methodology from popular frameworks in the industry today such as PCI, HIPAA, or NIST. Those frameworks provide a catalog of security controls against which you benchmark your organization as a best practice. The ISO 27001 ISMS instead guides you through a series of steps and processes to build and select security controls that are appropriate and right-sized for your organization.
The ISO 27001 Information Security Management System is a holistic process that includes a series of core documents framing and scoping the organization's approach to security.
The ISO 27001 ISMS encourages an organization to document the people, processes, and technologies in scope for its ISMS. The ISO 27001 documentation provides the methodology, required documents, and structure needed to select the correct security controls for your organization, so that you mitigate the actual security risks to the people, processes, and technology supporting your business.
When someone references an ISO 27001 ISMS, they are referring to all of the work and documentation that must be completed to build out the complete information security management system and the population of controls under its management.