ISO/IEC 27001 – Information Security Management System (ISMS)
An ISMS is not just an IT policy but a governance system — risk-based, demonstrable, up to leadership responsibility.
This page is Regcytech’s own plain-language explanatory material. It is not the official text of the ISO standard, not legal advice, not a certification or audit opinion, and it does not replace buying the official standard or consulting an accredited certification body.
Executive summary
ISO/IEC 27001 is an international framework for managing information security at system level — an ISMS, an information security management system. The focus is not a single product or technology but a working practice: the company assesses which information assets are at risk, assigns proportionate protection, and maintains this continuously.
Companies engage with it because demonstrable information security practice is often a condition of a contract or a place on a supplier list, and because well-ordered evidence makes answering questionnaires and audits far easier.
In business terms, the ISMS helps organise cybersecurity so it is not only the IT team’s concern but a governance matter: risk-based, owner-bound, measurable and accountable up to leadership.
What does this standard help organise?
In plain terms: an ISMS typically helps clarify and keep in order questions like these.
- Which information assets (systems, data, devices) are important, and which are the riskiest.
- How risk assessment runs, and how proportionate safeguards connect to it.
- Who can access what, and whether that matches actual need (access management).
- What to do when a security event occurs — detection, response, lessons learned (incident management).
- How to handle the security risk of suppliers and providers.
- How backup, logging and change management work in daily life.
- How awareness and accountability are built across the organisation.
Typical documents and evidence
In a readiness project, documents and evidence like these typically come up. This is not an official requirement list — and we do not reproduce the control catalogue.
- Information security policy
- Scope and the set of protected systems / services
- Consideration of information assets
- Risk assessment and treatment plan
- Access management procedure and access review
- Incident management procedure and incident log
- Evidence of backup, logging, vulnerability and change management
- A register of security awareness training
- Supplier information security controls
- Internal audit evidence
- Management review material
- An improvement and action plan
Practical readiness questions
- Do we know which information assets are most important and riskiest?
- Do we have a real, owner-bound risk assessment — or only a describable one?
- Who accesses what, and do we review this regularly?
- What happens during an incident — is there a clear path, and do we keep the log even when there is no event?
- Are backups made, and have we tested restoration?
- Do we log enough that what happened can later be understood?
- Do we deliberately manage the security risk of our suppliers and providers?
- Does staff get regular security awareness training?
- Does leadership keep information-security risks on the agenda?
- Is our operation traceable, or only reconstructable from memory?
- Could we answer the questions of a CyberVadis or customer due diligence with evidence today?
- Do we know whether NIS2 or a similar digital-resilience expectation applies to us?
Common misunderstandings
- They treat the ISMS as merely an IT policy, not a governance system.
- They confuse the policy with actual operation — the document exists, practice does not follow.
- They do not maintain evidence, so at audit or questionnaire time there is nothing to show.
- They use generic templates without company-specific adaptation.
- Leadership is not involved — so risks carry no weight.
- Risk, objective and action are not connected.
- The incident log is only kept when something goes wrong — yet zero events should also be visible in a documented way.
Connection to other frameworks
A well-ordered ISMS can often be useful evidence for other assessments too. These can connect, but do not guarantee compliance.
- NIS2: risk-based operation, incident management and supplier security can support preparation — actual applicability and deadlines must be checked against an official source.
- CyberVadis: the policy, risk assessment, access management and technical controls can often be useful evidence.
- DORA-like digital-resilience expectations: backup, logging, incident and change management can connect — exact scope must always be examined separately.
- GDPR security side: a well-ordered ISMS can support data-protection security expectations (legal interpretation is a matter for legal counsel).
- Supplier and customer due diligence: demonstrable security practice can strengthen trust.
Recent and upcoming changes
The current basis of ISO/IEC 27001 is the 2022 edition, complemented by the 2024 climate-change amendment, which at a high level extends the examination of operating context and interested parties with this perspective.
The regulatory environment for information security also moves fast (for example EU cybersecurity and digital-resilience expectations). Specific scope and deadlines must always be checked against an official source, mapped to the given organisation’s profile.
Certifier transition and application questions must always be agreed with the given certification body and confirmed against official ISO/IAF communication. This page provides a readiness perspective, not a legal or certification guarantee.
How can Regcytech support you?
We work in an advisory, system-building role — not as a certifier. Typical support at the readiness level:
- a gap review between current practice and a working ISMS
- building a documentation and evidence system
- organising the risk-assessment and action logic
- support in drafting policy, procedures and accountability
- a management summary of key gaps and priorities
- a readiness roadmap
- support for CyberVadis and supplier security questionnaires
- preparation for later discussion with an accredited certification body
What Regcytech does not provide
Regcytech works in an advisory, system-building role. The compliance and certification boundaries are clear:
- We do not issue ISO certificates.
- We do not perform accredited certification audits.
- We do not provide a legal compliance guarantee.
- We do not replace the official standard.
- We do not replace the position of a certification body or a legal advisor.
Let’s see where your system stands
A short preliminary gap review maps what is already in place and where it is worth building a reusable evidence system — with no obligation.