ISO 27001 Information Security - Clause 4.4 Information Security Management System


4 May 2022 - ISO 27001 Information Security in plain English - Blog post #4. This post discusses clause 4.4 in ISO 27001 which requires organizations to establish an ISMS (Information Security Management System), then to implement, maintain, and continuously improve it.


ISO 27001 Information Security in plain English

Information Security is becoming critical to every business, and there is a fast-growing trend towards developing management systems based on the ISO 27001 standard. However, the subject and its terminology can certainly be a little daunting. So, we set out to cut through that in 'ISO 27001 Information Security in plain English', a series of blog articles that explains all clauses and controls in the standard.

4.4 Information Security Management System

In the previous posts in this series, we have looked at establishing the context of your organization, the needs and expectations of interested parties, and the scope of your ISMS. The next step is to put together an ISMS (Information Security Management System) to meet the established requirements.

While there is a general requirement in this clause for an ISMS to be established, it is not very specific in its requirements. However, it does reinforce the need for a systematic (rather than an ad hoc) approach to information security. The system needs to be put in place, maintained and continuously improved over time.

Any ISMS will include various elements, such as people, controls and methodologies, documents and records, hardware, software and infrastructure. Almost no organization is an island, so virtually all systems will include some elements that are outsourced to others. That means at least some level of supplier management. Of course, the full ISMS will take shape once all requirements are known and the most suitable means to address them have been considered.

ISO 27001 does not require any specific document to address this clause. Our preference is generally for the system to be summarised in an over-arching guidance document such as the ISMS Overview in ISO 27001 InfoSec Toolkit. The toolkit is one of 4 included in Qudos 3 IMS software.

If you haven't already done so, this would be a good point at which to perform a Gap Analysis. That is an exercise in establishing the applicability of the various controls in the standard, and how the organization currently measures up to meeting those requirements. On day one, it is quite common for there to be many gaps, but at least it creates a baseline. From there, decisions can be made on how to address them in the ISMS.

The previous blog post in this series is ISO 27001 Clause 4.3 Scope.

The next blog in this series is on clause 5.1 Leadership and commitment.

About the series 'ISO 27001 Information Security in plain English'

This blog post is part of a series where we will work through all the clauses and controls in ISO 27001. A great starting point for developing your ISMS.

This blog series began with an introductory webinar. A copy of the slide deck is available for you here:

Qudos_ISO_27001 Information_Security_in_plain_English (PDF)


There's nothing like word of mouth to share creative content. So, if you found this blog useful, please share it with a colleague or business associate.


Ready to start your journey to ISO 27001?

Qudos 3 IMS software includes an ISMS Overview template along with a wide range of tools to help you develop and maintain your management system faster, better and smarter.

The first step to commencing a management system based on ISO 27001 is to conduct a Gap Analysis. We can provide a qualified, experienced certification auditor to perform a professional Gap Analysis service for you.

Contact us today to discuss your needs!