The Information Security Management System represents a set of policies, procedures, and various other controls that set the information security rules in an organization.

Some of the most important elements of the ISMS include the following:
- identify stakeholders and their expectations of the company in terms of information security
- identify which risks exist for the information
- define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks
- set clear objectives on what needs to be achieved with information security
- implement all the controls and other risk treatment methods
- continuously measure if the implemented controls perform as expected
- make continuous improvements to make the whole ISMS work better