What is an Information Security Management System (ISMS), and just as importantly, what is it NOT?
An ISMS is the structure and implementation of a security strategy — the methods, processes and documented procedures that continuously improve security — not a piece of application software you install.
An ISMS is NOT an application (not a tool you buy); it IS the structure and implementation of a concept to ensure Information Security, IT Risk Management and IT Compliance. It defines the rules and methods to run business, information security and IT-risk management, and provides procedures to implement security, create concrete measures, monitor them, and continuously improve. Its goal is to constantly increase the security level of the entire organization and minimize IT risks. It rests on five principles: a risk-based approach, security by design, a security framework, IT compliance, and a security culture.
Go deeper:
ISO/IEC 27001 — Wikipedia — Das ISMS als Management-System (Struktur/Prozesse), nicht als Software; CIA-Schutz und risikobasierte Controls.