What is an Information Security Management System?

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS to provide adequate security levels in order to protect assets against any related risks with a focus on preventing data breaches.

The core elements of an ISMS are security management, security planning, asset management, personnel management and awareness and training. ISO/IEC 27001:2013 also establishes requirements for the provision of supporting processes and services such as risk assessment; consulting and contracting; incident management; and business continuity.

What’s Included in ISO 27001?

It is a process approach to the security of information assets, rather than a product-oriented approach. Two components must be present for an ISMS to function properly: first, it must be based on ongoing defense in depth that provides adaptable and flexible security measures; second, there must be plans that provide for the continuity of business processes in the event of a disaster.

ISO/IEC 27001:2013 establishes standards for eight aspects of information security management:

1) Security policy

2) Organization of information security

3) Planning information security

4) Implementation and operation of information security

5) Information security incident management

6) Information security aspects of business continuity management

7) Compliance

8) Jargon buster

ISO 27001 Specifics

ISO/IEC 27001 compliance is intended to be used as an assessment and improvement model. It can also serve as a benchmarking tool, but does not replace external certification such as those provided by national accreditation bodies. It is not a substitute for other management standards, such as security controls required by ISO 27002 or health and safety obligations under OHSAS 18001.

The standard does not require that the ISMS be outsourced to external consultants or auditors since they will, in most cases, have no knowledge of the organization’s specific business requirements and processes. However, ISO/IEC 27001 does require that managers of the ISMS be properly trained to avoid insufficient management oversight and consequent non-compliance with changing organizational requirements.

A top-down approach is used for implementing an ISO/IEC 27001:2013 compliant ISMS, beginning with senior management. A documented information security management system (ISMS) policy is built from the top down and then implemented in the organization’s day-to-day operations.

Get Help With Sustainable Certification

Sustainable Certification makes it easy for every business owner, in every industry, to support their organisation with a globally recognised certification. Find out more today at co@sustainablecertification.com.au.

The Process

We review your existing management systems in relation to the requirements of the relevant standards for certification.

Stage 1 Audit

A review of your management system(s) documentation is undertaken as the first step in the certification process.

Certification Audit

The Certification Audit is conducted on site to verify that you have implemented the management system across your organisation.

Years 2 & 3: Certification Maintenance

We will conduct an annual Surveillance Audit to check the ongoing implementation of management systems across your organisation.

The Benefits

With the ISO 27001 standard, you can

Reduce risks: ISO 27001 identifies all risks to which your information may be exposed and encourages you to minimize them.

Gain flexibility: The system applies control measures to either selected processes and areas of your business, or all of them, depending on your needs.

Enjoy increased trust: Since your vital data is protected, your stakeholders and customers trust your company more than ever before.

Guarantee: Strong business infrastructure inevitably translates into greater sustainability and progress. The shareholders feel confident about their investment and trust the officials to further their financial objectives.

Implement: The ISO 27001 certification ensures the company’s operations are benchmarked against industry leaders. This translates into higher compliance and control within the organization for augmented business benefits.

Respect & Reputation: Companies that have acquired the ISO 27001 certificate are considered as industry leaders. They are looked up to with respect and reverence, defining the plan of action for other companies.

Maintain a competitive advantage: The ISO 27001 certificate offers a competitive advantage to the company. Because a certified company is considered an industry leader, the certification can go a long way in attracting business and maximizing profits.