An ISMS (Information Security Management System) enables an organization to systematically operate its
management system for information security. By establishing the ISMS,
the organization can determine the necessary security level, draw up
plans and allocate its assets based on its own risk assessment, in
addition to taking technical countermeasures against each individual issue.
The key concept of the ISMS is that an organization should equally
maintain and improve the confidentiality, integrity, and availability of
the information assets that it should protect. In
particular, by measuring the effectiveness of controls implemented
through risk assessment within the ISMS, the organization is able to
improve its information security in a more efficient and effective way.
There is a diversity of serious information security issues:
the contents of web pages are altered by intruders,
software such as computer viruses seriously damages information systems,
information leaks from the persons concerned, etc.
On the other hand, various countermeasures are supposed to be taken individually
against each problem at each level. The key concept of information security management
systems (ISMS) is that an organization should equally maintain and improve
the confidentiality, integrity, and availability of the information assets that
it should protect.