An Information Security Management System (ISMS) is a set of policies concerned with information security management (ISM). The key concept of an ISMS is for an organisation to design, implement and maintain a coherent suite of processes and systems for effectively managing information accessibility, thus ensuring the confidentiality, integrity and availability of information assets and minimising information security risks.
The best-known ISMS is described in the ISO/IEC 27000 series of standards. ISO/IEC 27001 incorporates the typical "Plan-Do-Check-Act" (PDCA) Deming approach to continuous improvement:
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase's objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS, i.e. to measure how well the implemented controls are working.
- In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.