What is an ISMS and what process model does it use?
An ISMS (Information Security Management System) is a systematic framework for managing information security, typically following the PDCA (Plan-Do-Check-Act) cycle.
* The ISMS as a continuous PDCA loop — Plan → Do → Check → Act, then repeat. *
What an ISMS is:
An ISMS is a set of policies, processes, and controls that an organization establishes to systematically manage its information security risks. It's defined by ISO 27001 and includes:
- Risk assessment and treatment
- Security policies and objectives
- Organizational roles and responsibilities
- Controls implementation and monitoring
- Continuous improvement
The PDCA process model:
| Phase | Activity | Example |
|---|---|---|
| Plan | Assess risks, define objectives, select controls | Risk analysis, security policy creation |
| Do | Implement controls and processes | Deploy MFA, train staff, configure firewalls |
| Check | Monitor, audit, review effectiveness | Internal audits, incident analysis, KPI tracking |
| Act | Improve based on findings | Fix gaps, update policies, adapt to new threats |
Key point: An ISMS is not a one-time project — it's a continuous cycle. Security is never "done."
Tip: ISO 27001 certification audits specifically verify that your ISMS follows this cycle and demonstrates continuous improvement.
Go deeper:
Information Security Management System (Wikipedia DE) — Das ISMS als laufender Prozess samt deutscher Zertifizierungsvarianten.
Demingkreis / PDCA (Wikipedia DE) — Der Plan-Do-Check-Act-Zyklus, auf dem das ISMS als kontinuierlicher Verbesserungsprozess beruht.