In 2018:  Zygma completed 25 years of continuous independent operations;   Drafted and edited Kantara's NIST SP 800-63 rev.3 IAL2/AAL2 Service Assessment Criteria; Managed on behalf of a client the first SP 800-63 rev.3 service assessment - the service was the first to receive Kantara's "NIST 800-63 rev.3" Approval;   Performed three Kantara Service Assessments, each resulting in a Grant of Approval;   Transitioned to operating as an S-Corporation.      

ISO/IEC 27001 (ISMS)


Zygma is a licensed re-seller of ISO/IEC 27001:2005 and ISO/IEC 27002(17799):2005 - ISO/IEC 27006:2007 will follow shortly. To purchase a copy of any of these standards, click here.


This page gives you a general introduction to what an ISMS is.  The acronym stands for 'Information Security Management System'.  If you'd prefer the text in PDF form, click here.

An ISMS is a management process which addresses an organization's information security, for the whole organization or a part of it, for single or multiple sites, as defined by the ISMS Scope.  The requirements for an ISMS enjoy global recognition and application, and are defined by international standards.

The notion of an Information Security Management System (ISMS) was first mooted during the development of British Standard BS 7799, which began in 1987.  Follow this link for a development history of ISMS standards.  The definition first given has changed little since, today being as follows:

"that part of the overall management system based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security" [ISO/IEC 27001:2005]

and 'information security' is defined as: "preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved" [ISO/IEC 27002(17799):2005].


ISMS standards

ISO Technical Committee 1 (Information Technology) Sub-Committee 27 (IT Security Techniques) is responsible for the drafting and publication of the ISO/IEC 27000 family of standards. The abbreviated reference of this group is ISO TC1 SC27, or frequently just 'SC27'.  ISO is responsible for publishing these standards.

SC27 is a formal standardization body supported by Technical Advisory Groups (TAGs) from ISO member countries (these are usually just referred to as 'National Bodies', or NBs).  The US national body is the InterNational Committee for Information Technology Standards (INCITS) Technical Committee for Cyber Security, CS1.  The Zygma partnership is a voting member of CS1 - Richard Wilsher is Zygma's principal representative.

CS1 reviews and votes on draft texts and resolutions, proposals for new work items etc. and submits its ballot results and review feedback into the appropriate SC27 forum.

To date ISO has published the following standards in the '27000' series:

ISO/IEC 27001:2005 "Information security management systems - Requirements";

ISO/IEC 27002(17799):2005 "Code of practice for information security management";

ISO/IEC 27006:2007 "Requirements for the accreditation of bodies providing certification of information security management systems". 

27001 is a normative document, defining a management system.  Organizations which conform to this standard may choose to have their ISMS formally certified.

27002 is an informative guidance document - it is purchasable as ISO/IEC 17799:2005 but has been officially assigned the reference 27002 by a corrigendum. The two documents are closely related in that 27001 requires (amongst other things) that all the controls set out in its Annex A are taken into consideration by the organization concerned and their manner of implementation justified in terms of the business. 27002 gives guidance on how to understand the intended scope of those controls and what to consider when implementing them.  Remember though that 27002 is just guidance - you neither have to address in your controls all that it suggests, nor be limited to what it suggests.  If, after reading the guidance to understand the control's intended scope, you feel you have a justifiable need for something else under that control, then add it.  27001 requires that you customize your ISMS to suit your business.

27006 describes the requirements which have to be satisfied by those organisations which wish to offer audit or assessment services for the purpose of granting formal certification of conformity to an organization's ISMS.  This document will also be of interest to those having an ISMS, since it will help them gain an understanding of the assessment process.

Additional information about these standards, and what an ISMS is, can be found in the list of 'Questions You Should Ask' about an ISMS, and the organisation and inter-relationships between the whole '2700x' family is described here.



Business benefits of an ISMS
Some people and organizations have a negative view of information security - they consider it to be a "grudge purchase". The reality is that, intelligently applied, information security is a business enabler.

A business and its management can gain control of their information security by carefully considering: the value that various forms of information have to the business; the risks to that information; the degree of reliance which the business has on it; the resources which enable the business to access and apply that information; the controls required to mitigate the perceived risks; and the consequences for the business of those risks becoming manifest.  How they manage their information security and the measures they implement should reflect the value and sensitivity of both the information and the information processing resources they have and need.

An ISMS is intended to provide the framework for the achievement of all that. It can help your business to:

- establish and apply information security policies consistently and in a fashion which is relevant to the business goals and related risks;

- ensure that controls in place are sufficient to mitigate risk to an acceptable level, and that the controls applied do so cost-effectively;

- enhance management oversight with greater involvement and visibility of risk controls;

- enhance the business' overall information security;

- provide evidence of due diligence in the approach to regulatory (or other forms of) compliance and conformity;

- convey greater assurance to stake-holders (management, investors, clients, ...);

- reduce costs, such as insurance premiums and audit requirements (e.g. from clients seeking assurances);

- limit exposure and therefore liability;

- gain competitive advantage;

- provide a forum for continual review and improvement of the processes involved.



Internal Control Systems
ISO/IEC 27001 is a specification for building, operating, maintaining and improving an ISMS.  However, the security (or assurance) of its information resources is not management's only concern.  They will have other interests and responsibilities which relate directly to the nature of the business they are in.  Therefore, an ISMS is just part of an organization's internal control system.  Management establishes an internal control system to marshal the organization's resources so as to best achieve their business objectives and manage the associated risks.  An ISMS can be regarded as that part of the internal management system (IMS) where information security/assurance is a concern.

Furthermore, the management principles which an ISMS relies upon can be applied to other aspects of the business, and the set of controls may also be extended to encompass other aspects of the IMS (although a certification would cover only the specific scope of ISO/IEC 27001 - nevertheless, the fact that the framework of the ISMS was certified would add confidence in its broader application).

The term 'information assurance' is gradually taking over from the term 'information security', to emphasize the inclusion of integrity (i.e. the characteristic that information must not be changed without authorization and must be sufficiently right for the purpose for which it is used at the time it is used).


Specialized ISMS
The controls which are described in ISO/IEC 27002 are generic in the sense that they are not slanted towards any particular industry sector.  Nonetheless they are very extensive and cover all of the areas to which a business should give general consideration.  Some businesses will of course be subject to particular constraints or requirements, often imposed by external regulation, e.g. in the medical, health, financial and pharmaceutical sectors; equally, a business may itself establish some very specific requirements.  In such cases there may be a need to add further controls to those set out in 27002 and, further, to include them within the Statement of Applicability in ISO/IEC 27001: indeed, both standards actively encourage the inclusion of additional controls where these are felt to be necessary.

In recognizing this circumstance, Zygma has developed a model for building into an ISMS the ability to map its controls (or a sub-set of them) into other standards and regulations.  This is described in one of our white-papers, as is an in-depth mapping of the Health Insurance Portability and Accountability Act (HIPAA) security standards against the requirements of 27001.


ISMS Skeleton
Fast-track the development of your ISMS: take a look at our hyper-linked development tool, the Advanced Internal Management System, which is a fully-ISO/IEC 27001:2005 conformant support presenting a substantive body of proforma text for you to customize to suit your own ISMS.  In addition to the provision of baseline policies, asset list, risk treatment plans and a Statement of Applicability that is already partially complete, all the elements of the tool are hyper-linked internally, and where necessary to external documents, such that in development, in use and when showing an auditor how you have configured and are operating your ISMS, everything is just a click away. This tool provides full support for the standard, including all the documentation and management review/records required by 27001. Using it can fast-track your ISMS development and your audits, quickly giving an external auditor the clear message that you've got your business' information security under control.

Some tools offer you help with '17799 (i.e. 27002, as here termed) conformance' - don't be misled; conformance against 27002 (or 17799) means nothing!  27002 is an informative code of practice - the conformity of your ISMS can only be assessed against ISO/IEC 27001:2005, which is the normative ISMS management standard which includes requirements for process and procedures, and not all tools give you that support.  Other tools give you lists and flat text, not a working document infrastructure.  Zygma's AIMS is a real proto-ISMS.


© 1993 - 2018   Zygma Incorporated     Telephone: +1 714 797 99 42      Email: Enquiries @    
All Zygma services are provided in accordance with its Ethics Policy.