The plain-language version
Strip the acronym and an ISMS answers five questions on a loop: What information and systems matter, and who is responsible for them? What could realistically go wrong (threats, vulnerabilities, impacts)? What are we doing about each risk worth treating? How do we know the controls actually operate (evidence, monitoring, audits)? What changed this quarter, and did the system change with it? An organization that can answer those five with current documents and named owners has an ISMS, whatever they call it.
What an ISMS is not
- Not a policy folder. Policies are outputs of the system, not the system. Twenty templated policies with no risk assessment behind them is stationery.
- Not a tool. Compliance platforms, SIEMs, and scanners support an ISMS; none of them is one. The system is the decisions, accountabilities, and feedback loops the tools serve.
- Not the security team. In a functioning ISMS, engineering owns secure development, HR owns screening and offboarding, leadership owns risk acceptance. A security officer coordinating alone is a single point of failure the standard was designed to eliminate.
- Not a project. Projects end. An ISMS runs: risk assessments recur, access reviews recur, audits recur, and management review keeps leadership's hands on it.
Why customers ask about it by name
When an enterprise security questionnaire asks "do you operate an ISMS", it is asking whether your security is systematic or heroic. Heroic security (a talented engineer who cares) works until that person leaves, gets busy, or never hears about the new system going live. Systematic security survives personnel changes and growth because responsibilities, reviews, and evidence are structural. Certification is how you prove the difference to someone who cannot look inside.
The minimum honest starting point
List your ten most important information assets and who owns them. Write down the ten worst realistic things that could happen to them, scored for likelihood and impact. Decide, with leadership in the room, what you are doing about each. Diarize the re-check. That single page, maintained, is an embryonic ISMS, and every clause of ISO 27001 is a disciplined expansion of it.