ISMS Policy Awareness
Connect ISO 27001 policies to your daily work.
What You'll Learn
- Explain the purpose of an ISMS and how ISO 27001 organizes security policies into a structured management framework
- Match common ISMS policy requirements to specific daily work scenarios like data handling, access requests, and device management
- Follow the correct procedure for reporting security weaknesses and incidents as defined by your ISMS incident management policy
- Apply access control policies when processing requests for information from internal teams and external partners
- Identify your personal responsibilities within the ISMS framework, including policy acknowledgment, asset handling, and compliance documentation
Training Steps
-
Welcome to Quantum Dynamics
Welcome to Quantum Dynamics! You are Alice, a project coordinator who manages client deliverables and team schedules. Today marks the start of your annual ISMS awareness training - a requirement for ISO 27001 certification. Every employee must understand how the Information Security Management System protects both the company and its clients.
-
What Is an ISMS?
An Information Security Management System (ISMS) is a systematic approach to managing sensitive information. It includes:
- Policies - Rules that govern how information is handled
- Processes - Procedures for implementing security controls
- People - Training and awareness for all employees
- Technology - Tools that enforce security measures
ISO 27001 is the international standard for ISMS. Certification demonstrates to clients and regulators that Quantum Dynamics takes security seriously.
-
Your Annual ISMS Training
Alice receives an email from the Information Security team about the mandatory annual training. All employees must complete this to maintain access to company systems.
-
Accessing the ISMS Portal
Alice clicks the link to access the ISMS Portal. This centralized system contains all security policies, training materials, and compliance tracking.
-
The ISMS Framework
The ISMS Portal displays the key policy domains that every Quantum Dynamics employee must understand:
- Information Classification - How to categorize and handle data
- Access Control - Managing who can access what
- Asset Management - Protecting company equipment and data
- Incident Management - Responding to security events
- Business Continuity - Ensuring operations during disruptions
-
Information Classification
The first policy area covers how information must be classified and handled:
Classification Levels:
- Public - Marketing materials, press releases
- Internal - Org charts, general procedures
- Confidential - Client data, financial records, contracts
- Restricted - Trade secrets, cryptographic keys, security credentials
Your Responsibilities:
- Label documents with their classification level
- Never share confidential information via unencrypted channels
- Verify recipient need-to-know before sharing
-
Access Control Principles
Access control ensures the right people have the right access at the right time:
Principle of Least Privilege: Only request access to systems you need for your job. If you change roles, your access should be reviewed.
Your Responsibilities:
- Use unique, strong passwords for each system
- Enable multi-factor authentication where available
- Lock your workstation when stepping away
- Never share credentials or use someone else's account
- Report suspicious access attempts immediately
-
Asset Management
Company assets - both physical and digital - must be protected:
Physical Assets:
- Laptops and mobile devices must be encrypted
- Report lost or stolen equipment within 24 hours
- Don't leave devices unattended in public places
- Return equipment when leaving the company
Digital Assets:
- Use only approved software and cloud services
- Don't store company data on personal devices
- Follow data retention schedules
- Securely dispose of data when no longer needed
-
Incident Management
Security incidents must be reported promptly to minimize damage:
What to Report:
- Suspicious emails, calls, or messages
- Lost or stolen devices
- Unauthorized access attempts
- Malware or unusual system behavior
- Accidental data exposure
- Physical security breaches
How to Report: Use the ISMS Portal incident form or call the Security Hotline at ext. 5000.
Non-Retaliation Policy: You will never be punished for reporting a security concern in good faith, even if it turns out to be a false alarm.
-
Business Continuity
The ISMS includes plans for maintaining operations during disruptions:
Your Role in Continuity:
- Know your department's critical functions
- Understand backup procedures for your work
- Keep emergency contact information updated
- Participate in continuity exercises when scheduled
Remote Work Security:
- Use VPN for all company network access
- Secure your home network with strong passwords
- Don't discuss confidential matters in public spaces
- Follow the same security practices as in the office