ISMS for ISO 27001

ISO 27001 defines requirements to establish and maintain an information security management system (ISMS) and information security risk management. This pertains to financial systems, intellectual property, personally identifiable information, third-party data, and other protected data.

Setting up an ISMS is the most important step of ISO 27001.

Let’s start with the basics.

What is an ISMS?

An information security management system. It is also the basis of ISO 27001 compliance. This organization management protects confidentiality, availability, and integrity of information by securing people, processes, and technologies.

1. Confidentiality

Information and systems are kept private and safe from unauthorized access (people, processes, or entities)

This aspect of the ISMS involves tangible controls like multi-factor authentication, security tokens, and data encryption. It may also involve special training for individuals with access to restricted or classified data.

2. Availability

Data and systems are accessible to authorized users

Availability typically requires the maintenance and monitoring of systems. From preventing bottlenecks and redundancy to assuring business continuity and upgrading software and hardware systems, the availability of data should prevent data loss and disaster recovery.

3. Integrity

Data is complete and accurate

Finally, the integrity of your data examines trustworthiness. Ideally, businesses limit access to confidential data to certain roles or processes. If you have limited access to your confidential data, the protection leads to ISMS integrity. Fewer people and processes touching your data means that there is a lower chance of error, and the data can be trusted.

ISMS is the overarching framework for auditors and the internal organization. An ISMS should describe the purpose of each company policy, and the scope of that policy. It acts as an application letter for ISO 27001 by defining exactly what requirements your company fulfills through policies, practices, and procedures.

Statement of Applicability

ISO 27001 asks businesses to include a Statement of Applicability (SoA) as part of the ISMS. Your SoA, like an ISMS, can be held in a Word document, PDF, or a variety of formats.

The statement should include:

List of ISO 27001 controls,
If the controls have been implemented or not,
The reason to include or exclude the controls,
and a description of control implementation

The SoA should be reviewed and updated at least annually. While the statement itself probably will not change drastically from year to year, the underlying information within your ISMS should. As your business grows, the information security policies protecting data will evolve and your SoA includes information on those changes.

Get compliant

Stay compliant

Compliance automation

Security audits

Integrations

Watch a demo of the platform

HealthTech

FinTech

SaaS

More industries

Some of the best money I ever spent. Thoropass
and being compliant ended up helping us close our second-largest customer.

SOC 1

SOC 2

ISO 27001

GDPR

PCI DSS

HIPAA

HITRUST

Other Frameworks

If my previous audits were offered to me for free,
I'd still pay for Thoropass.

Our advantage

Customer stories

Meet the experts

About

Careers

Partners

We provide the expertise—so you don't have to.

Blog

University

More resources

Events

Guides

Get 30% of the way to SOC 2 audit with our policy generator