VMC Issue Brief

    What is an ISMS?

    An Information Security Management System (ISMS) is a set of policies and procedures designed to improve management of critical security assets such as financial information, intellectual property, employee details, or confidential third-party data. An ISMS is implemented by an organization to improve security and manage risk associated with its information assets, regardless of how the information is stored or transmitted.

    The framework for an ISMS was first published by the British Standards Institution (BSI) in 1999 and was adopted by the International Organization for Standards (ISO) in 2005. The standards established by these organizations focus on establishing and adhering to best practices for managing and protecting the confidentiality, integrity, and availability of an organization’s information and systems.

    Benefits of an ISMS:
    • Protects critical client information
    • Reduces costs through incident reduction
    • Simplifies compliance with relevant regulations
    • Mitigates risk through improved visibility
    • Ensures consistent access for authorized users
    • Promotes continual improvement
    • Eliminates accidental security breaches

    Why is an ISMS important?

    Information security breaches are increasing in frequency and severity across every industry, causing a range of negative impacts for businesses, their employees, and their customers. The 2014 Cost of Cyber Crime Study, a global study of U.S.-based companies by the Ponemon Institute, reported that the average cost of cyber crime climbed by 9% to $12.7 million in 2014, while the average time to resolve a cyber attack rose to 45 days, a 40% increase over 2013.

    An ISMS defines the critical methodology for minimizing and eliminating security incidents, ensuring business continuity, protecting business investments and opportunities, reducing potential damages, and maintaining customer confidence. An effective ISMS provides a competitive advantage by maintaining a disciplined standard of management to ensure the safety of critical assets.

    Four Components of an ISO 27001 ISMS:
    • Identify information assets
    • Identify and address threats to those assets
    • Identify data and system vulnerabilities
    • Identify the impact of a breach in confidentiality, integrity, or availability

    Why VMC?

    Information security is an essential factor in every service VMC provides to our clients. VMC established its ISMS in 2011, obtained ISO/IEC 27001:2005 certification in 2013, and became one of only 566 U.S. companies to earn ISO/IEC 27001:2013 in 2014. To maximize quality and control, VMC is audited against the standard twice per year, once by our internal audit team and once by the certificate issuer, BSI.

    VMC cultivates a culture in which information security training and awareness are part of our daily mindset. From the visible, vocal commitment of VMC leadership to individual ownership and accountability on each project, every employee has a role and a responsibility in ensuring the security and integrity of our clients’ information.
