An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of BS 7799.
The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
ISO/IEC 27001:2005 is a risk-based information security standard, which means that organizations need to have a risk management process in place. The risk management process fits into the PDCA model given above.
However, the latest standard, ISO/IEC 27001:2013, no longer emphasises the Deming cycle. The ISMS user is free to adopt any management-process improvement approach, such as PDCA or Six Sigma's DMAIC.
Another competing ISMS is the Information Security Forum's Standard of Good Practice (SOGP). It is more best-practice based, as it draws on the ISF's industry experience.
Yet another competing ISMS is The Open Group's "Open Information Security Maturity Model" (O-ISM3). It is more scientific-method based.
Some nations publish and use their own ISMS standards, e.g. the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of the USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of the USA, the German IT baseline protection, the ISMS of Japan, the ISMS of Korea, and the Information Security Check Service (ISCS) of Korea.