What is a management system in the ISO 27000 sense?
A management system is a framework of resources (organisational structures, policies, planning activities, responsibilities, methods, processes) that an organisation uses systematically to reach its objectives.
The formal definition from DIN EN ISO/IEC 27000:2017, Kap. 3.2.5:
"A management system uses a framework of resources to achieve the organisation's objectives. The management system encompasses organisational structures, policies, planning activities, responsibilities, methods, procedures, processes and resources."
In plain terms a management system is the machinery for steering business processes, not the processes themselves. It:
- Steers day-to-day operations (Prozesse steuern).
- Structures processes so they're repeatable (Prozessstrukturierung).
- Optimises existing workflows over time.
Examples:
| Management system | Steers… |
|---|---|
| QMS (ISO 9001) | Quality of products/services |
| EMS (ISO 14001) | Environmental impact |
| ITSMS (ISO 20000) | IT service delivery |
| ISMS (ISO 27001) | Information security |
| RMS (ISO 31000) | Risk |
Tip: A management system is NOT the same as the things it manages. An ISMS is not a firewall — it's the framework that decides which firewalls you need, who maintains them, and how you measure that they work.
Go deeper:
ISO/IEC 27000 — Overview and vocabulary — the standard that formally defines a management system and frames the whole 27k series.
Information security management (ISMS) — how the generic management-system idea specialises into an ISMS.