
What is an ISMS and how do you demonstrate that it works?

An ISMS (Information Security Management System) is the coherent set of policies, processes, roles and controls with which an organisation manages information security in a structured way. It is not a folder of documents, but a working cycle: assessing risks, implementing controls, checking whether they work and adjusting where needed. ISO 27001 sets the requirements for an ISMS. You demonstrate that it works with evidence from day-to-day practice.

What does this mean in practice?

An ISMS links three things together: what you want to protect (information and systems), which risks they are exposed to, and which controls you put in place against them. The evidence that it works lies not in the policy itself, but in the execution: completed risk registers, granted and reviewed access rights, logging, and improvement actions that have been followed up.

How do you demonstrate that it works? (PDCA)

The engine behind an ISMS is the PDCA cycle: Plan, Do, Check, Act. You plan controls based on risk, implement them, check through measurements and internal audits whether they work, and adjust accordingly. That cycle — repeated and recorded — is the evidence that it works.

[Figure: The PDCA cycle (Plan, Do, Check, Act) as the basis for continual improvement.]

Real-world example

An organisation determines that lost laptops are a risk (Plan: control = disk encryption). IT rolls out encryption (Do). During the internal audit, 3% of the laptops turn out to be unencrypted (Check). These are corrected and the roll-out procedure is tightened (Act). The audit trail of these four steps is exactly what an ISO 27001 auditor wants to see.
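The "Check" step of that example, carried out as code. This is an added illustration, not code from the original post: it takes a constructed MDM-style inventory export of laptops, measures full-disk encryption coverage, and writes one finding record that can go into the evidence log the auditor asks for. The field names, asset ids, dates and the 30-day staleness threshold are assumptions. The point a practitioner usually misses is that a device with no reported status, or one that has not checked in recently, is not evidence of encryption and has to be counted as non-compliant rather than ignored.

```python
"""Check step of the PDCA example: measure disk-encryption coverage and record
the finding. Added example; not from the original post. All names, values
and the staleness threshold below are assumptions for illustration."""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
import json

# Assumption: a device not seen by the MDM for 30 days yields no usable evidence.
STALE_AFTER_DAYS = 30

# Constructed sample export; field names modelled on a typical MDM inventory.
MDM_EXPORT = [
    {"asset_id": "LT-0001", "owner": "a.jansen", "disk_encrypted": True, "last_checkin": "2024-05-02"},
    {"asset_id": "LT-0002", "owner": "b.devries", "disk_encrypted": True, "last_checkin": "2024-05-03"},
    {"asset_id": "LT-0003", "owner": "c.bakker", "disk_encrypted": False, "last_checkin": "2024-05-03"},
    {"asset_id": "LT-0004", "owner": "d.visser", "disk_encrypted": True, "last_checkin": "2024-02-10"},  # stale
    {"asset_id": "LT-0005", "owner": "e.smit", "last_checkin": "2024-05-01"},  # status never reported
]


@dataclass
class Finding:
    """One dated, recorded result of the control check (the audit-trail entry)."""
    checked_on: str
    control: str
    total: int
    compliant: int
    coverage_pct: float
    non_compliant: list
    action_required: bool


def classify(record, today):
    """Return (compliant, reason) for one device record.

    Only a recent, explicit 'encrypted' status counts as evidence; unknown
    and stale records are treated as non-compliant so they surface in Act."""
    seen = date.fromisoformat(record["last_checkin"])
    age = (today - seen).days
    if age > STALE_AFTER_DAYS:
        return False, f"no check-in for {age} days"
    status = record.get("disk_encrypted")
    if status is None:
        return False, "encryption status not reported"
    if status is not True:
        return False, "disk not encrypted"
    return True, "encrypted"


def audit_encryption(export, today, control="Full-disk encryption on laptops"):
    """Run the check over an inventory export and produce a Finding."""
    non_compliant = []
    compliant = 0
    for rec in export:
        ok, reason = classify(rec, today)
        if ok:
            compliant += 1
        else:
            non_compliant.append({"asset_id": rec["asset_id"], "reason": reason})
    total = len(export)
    coverage = round(100.0 * compliant / total, 1) if total else 0.0
    return Finding(
        checked_on=today.isoformat(),
        control=control,
        total=total,
        compliant=compliant,
        coverage_pct=coverage,
        non_compliant=non_compliant,
        action_required=bool(non_compliant),
    )


def finding_as_record(finding):
    """Serialise the finding as one JSON line for the evidence log."""
    return json.dumps(asdict(finding), sort_keys=True)


def run_sample_audit():
    """Run the check against the constructed export on a fixed date."""
    return audit_encryption(MDM_EXPORT, date(2024, 5, 4))


if __name__ == "__main__":
    print(finding_as_record(run_sample_audit()))
```

Each run appends a dated record with the coverage figure and the named exceptions; the sequence of such records over time, together with the tickets that closed the exceptions, is the Check-and-Act trail the paragraph above describes.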

Common mistake

The biggest mistake: setting up an ISMS as a one-off project and then letting it grind to a halt. Without repeated measurements, audits and adjustments, the evidence fades and you will be caught out at the first serious assessment. An ISMS maturity assessment shows whether your cycle is genuinely running.

ISO/IEC 27001 — official standard page (official source).

Frequently asked questions

An ISMS is the management system itself: your policies, processes and controls for information security. ISO 27001 is the international standard that sets requirements for such an ISMS. You can have an ISMS without certification, but for ISO 27001 certification your ISMS must demonstrably meet the standard and work in practice.

An ISMS scales with the organisation and its risks. A small business has a more compact ISMS than a multinational, but the core elements are the same: scope, risk assessment, controls, internal audit, management review and improvement. The standard calls for proportionality, not bureaucracy.

Evidence that it works includes an up-to-date risk register, a substantiated Statement of Applicability, logging and access reviews, completed internal audits, minutes of the management review and recorded improvement actions with follow-up. It is about traces from day-to-day practice, not just policy documents.
