What overall approach does an ISMS take, and why is it described as never "finished"?
An ISMS follows a continuous-improvement (PDCA-style Plan-Do-Check-Act) cycle, treating information security as an ongoing program rather than a one-time project.
* The ISMS PDCA loop: Plan, Do, Check, Act — continuously raising the security level, never finished. *
The stated approach is the continuous improvement of information security — visualized as a PDCA loop (Plan → Do → Check → Act) spinning around the ISMS. Threats, regulations and the business change constantly, so controls must be re-assessed and refined on every turn of the cycle. This is why an ISMS is governance and process, not a product: you never "finish" securing an organization, you keep raising the level.
Go deeper:
PDCA (Plan-Do-Check-Act / Deming-Zyklus) — Wikipedia — Der iterative Verbesserungszyklus, der dem ISMS zugrunde liegt und das nie-fertig begründet.