Introducing a management system standard is ultimately a management decision. This is because, establishing ISO 27001 compliant operation requires a holistic approach. Nevertheless, the security procedures and controls do not necessarily need to cover all processes and assets of the organization. Management may decide to focus on selected aspects, perhaps setting up a management system to protect certain facilities or specific assets only. Thus, the very first step is to define the scope of the management system. The Information Security Management System (ISMS) represents a set of policies, procedures, and various other controls that set the information security rules in an organization.


Achieving compliance will start with a review of the current operation. The question is, whether the existing controls are adequate to protect all the necessary facilities and assets that the management decided to focus on. These questions are answered by the risk assessment, which is a systematic process. Since, detailed methodology is not defined by the standard, it will require some experience.

Setting up an ISMS is a formal process of identifying top management’s risk tolerance and establishing controls where required. Attaining compliance is not necessarily expensive, since most operating organizations may already have some or most of the crucial controls in place.

The standard necessitates embedding control of operation, monitoring, and improvement into a framework, which is called management system. It is composed of generic processes, like setting goals, training the workforce, carrying out internal audits or reviewing operation at the top management level.


Organizations do not necessarily have the expertise for setting up the management system. On the other hand, consultants are not familiar with the organization’s assets and processes. Therefore, the most effective way of providing compliance to the organization is by a close cooperation between the organization and the consultant.

Organizations will certainly benefit by implementing an ISO 27001 compliant management system. Moreover, an independent assessment of the management system by a certification body gives additional confidence in adequately protecting the organization’s information assets. An accredited certification gives the business a competitive advantage. Such a certificate may also be a customer requirement to win business.