BG Beter Geregeld ICT
Compliance · 2 min leestijd · 03 October 2025

What is an ISMS and where do you start?

Information Security Management System — it sounds bigger than it is. For an SMB, it's a set of documents and routines, not a platform you install somewhere.

ISMS = Information Security Management System. In essence: your way of working on information security, documented and maintained. It is not software. It is how you think and act.

\n\n

The five building blocks

\n
    \n
  1. Scope. What falls within your ISMS? The entire company, a specific business unit, only certain data? This is defined before you do anything else.
    2. \n
  2. Policy layer. 8–12 documents (security policy, access control, incident response, acceptable use, …). Around 40–80 pages in total.
    3. \n
  3. Risk management. A risk register covering risks, owner, measure, and residual risk. See risk management.
    4. \n
  4. Controls. The Annex A subset you implement. The Statement of Applicability (SoA) is your overview.
    5. \n
  5. PDCA cycle. Plan, Do, Check, Act. Sounds dramatic — in practice it means: reviews, audits, management review, lessons learned.
    6. \n
\n\n

Where do you start?

\n
    \n
  1. Define scope (1 day).
    2. \n
  2. Gap analysis against Annex A (1–3 days).
    3. \n
  3. Risk register, first version (2 days).
    4. \n
  4. Access control policy + A.9 (1 week through to evidence).
    5. \n
  5. Remaining policies (2–4 weeks, in parallel with gathering evidence).
    6. \n
\n\n

The pitfall: perfection

\n

Your ISMS does not need to be perfect. It needs to work and be demonstrable. Version 1 of your policies can be 80% there. Improvement is part of the PDCA cycle — it is entirely normal to update them every year.

\n\n

See also: ISO 27001 pillar, PDCA cycle explained.

Onderwerpen

#governance #iso-27001 #isms

Volledige gids: ISO 27001 para pymes sin gastar €50k en consultores

Dit artikel is onderdeel van onze uitgebreide Compliance-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

Compliance

ISO 27001 for SMBs without €50k in consultancy fees

ISO 27001 is manageable once you understand the structure. Here's the minimum work a 30-person SMB needs to pass a Stage 2 audit, what it costs, and where consultants actually add value.

2 min
Compliance

ISO 27001 costs: from initial gap analysis to certificate

A realistic budget breakdown for a 30-person SMB. Internal hours, external audit, consultancy (kept to a minimum), and annual maintenance. No marketing fluff.

2 min
Compliance

ISO 27001 or SOC 2? Which one fits your Dutch SMB?

ISO 27001 is Europe-oriented, SOC 2 is American. Which one do your clients actually need — and can you combine them? Here's the practical difference for an SMB.

2 min
Compliance

NEN 7510 for healthcare businesses: a step beyond ISO 27001

Do you work in or with healthcare? Then NEN 7510 — alongside or instead of ISO 27001 — is a real requirement. The overlap is significant; the differences lie in patient data and specific Annex controls.

2 min
Compliance

The management review: what goes in it and who takes part?

One of the clause-9 requirements of ISO 27001. Annual, with senior management, 2 hours. Here is the agenda that an auditor will accept — and that works as a practical exercise for you.

2 min
Compliance

The PDCA Cycle Explained for Managers

Plan-Do-Check-Act sounds bureaucratic. In practice it means: write down what you do, do it, check whether it works, adjust accordingly. Here's the shortest useful explanation.

2 min
← Alle artikelen in "Compliance"