← Patterns / SP-018

Information Security Management System

Context

An Information Security Management System is the management capability that turns isolated controls into a governed, measurable, continuously improving security programme — the operating system of the security function. SP-018 is the OSA catalogue umbrella: it describes the management capability itself, while operational controls live in sibling patterns. Three forces have changed the ISMS conversation since 2024: NIS2 and DORA make the management body personally accountable and require board-level training; NIST CSF 2.0 elevated Govern to a first-class function; continuous-compliance tooling has shifted evidence from periodic to contemporaneous. Most in-scope organisations report against three to six frameworks simultaneously, and multi-framework drift is a leading source of audit findings.

Summary

An ISMS is one process repeated in a loop: identify what matters, assess the risk to it, decide what level of risk you will accept, select controls proportionate to the risk, operate them, measure whether they are working, correct what isn't, improve the methodology each turn. Plan-Do-Check-Act is the canonical name. The management body owns the loop; the ISMS lead operates it; control and asset owners implement it in their domain. What it produces — and what justifies the overhead — is defensible evidence. Regulators (NIS2, DORA, sector authorities), certification bodies (ISO 27001, BSI Grundschutz, SOC 2), customers and insurers all increasingly demand contemporaneous, traceable, documented proof that security is being managed. One artefact set answers all of them: risk register · control-applicability artefact · plan of action and milestones · audit findings · management-review decisions. The ISMS is what produces this. The certifications are what acknowledge it.

Key principles

Three principles cut across all seven Key Control Areas. Risk drives controls, not the reverse — controls are selected because of risk, and the choice is documented in a control-applicability artefact (SoA for ISO, Current/Target Profile for CSF, Modellierung for BSI). The management body is responsible and accountable — in NIS2 and DORA jurisdictions, members may be personally liable; mandatory training is non-optional. Documented information is the evidence pipeline — what is not documented does not exist for assurance; tooling choice belongs to the implementer.
Release: 26.06.2 Authors: Aurelius, Vitruvius Updated: 2026-05-14
Assess
ATT&CK This pattern addresses 221 techniques across 13 tactics View on ATT&CK Matrix →
SP-018 INFORMATION SECURITY MANAGEMENT SYSTEM ISO 27001:2022 · ISO 27002:2022 · NIST CSF 2.0 · NIST 800-53 Rev 5 · BSI IT-Grundschutz · NIS2 · DORA · ISO 42001 36 Controls · 12 Threats MANAGEMENT BODY accountable · approves · trained ISMS LEAD operates the management system CONTROL OR ASSET OWNER implements · reports · closes findings KEY PRINCIPLES cross-cutting · every KCA Risk drives controls, not the reverse SoA · CSF Profile · BSI Modellierung documents the choice Management body is responsible & accountable NIS2 Art. 20 · DORA Art. 5 · mandatory training (Art. 20(2) / 5(4)) Documented information = evidence pipeline ISO Cl. 7.5 · continuous-compliance tooling optional ISMS MANAGEMENT CYCLE · PDCA PLAN Establish the management system 1. Context, Scope & Stakeholders Mission · Scope · AI / OT inclusion ISO 4.1-4.3 · CSF GV.OC PM-11 — Mission and Business Process Definition · Identifies the mission and business processes the organisation supports; anchors ISMS scope.PM-11 RA-03 — Risk Assessment · Conducts the risk assessment using the established methodology; produces the risk register.RA-03 RA-09 — Criticality Analysis · Identifies critical system components and functions; informs prioritisation.RA-09 PL-10 — Baseline Selection · Structured selection of a control baseline from a catalogue (e.g., NIST low/moderate/high).PL-10 T-IS-012 — Shadow AI usage outside ISMS scope expanding the attack surface faster than the management system can adaptT-IS-012 2. Leadership & Management Body Top-mgmt commitment · Roles · Culture ISO 5.1 · CSF GV.RR · NIS2 Art. 20 · DORA Art. 5 PM-01 — Information Security Program Plan · The organisation-wide programme document: scope, roles, resources, performance measures, lifecycle.PM-01 PM-02 — Senior Information Security Officer · Named accountable officer for the security programme — the ISMS lead role.PM-02 PM-29 — Risk Management Program Leadership · Senior-leadership accountability for the risk-management programme.PM-29 PS-09 — Position Descriptions · Incorporates security and privacy responsibilities into role definitions.PS-09 T-IS-015 — Management body insufficient training or competence to discharge ISMS accountability under NIS2 and DORAT-IS-015 3. Policy Framework Top-level & topic policies · Compliance ISO 5.2 + A.5.1 · CSF GV.PO PL-01 — Security Planning Policy and Procedures · Top-level planning policy; governs the security plan lifecycle and the family policy structure.PL-01 PL-04 — Rules of Behavior · Documented expectations for users' security-relevant behaviour, signed before access.PL-04 AT-01 — Awareness and Training Policy and Procedures · Establishes the awareness-and-training programme: scope, roles, frequency, review and enforcement.AT-01 PS-01 — Personnel Security Policy and Procedures · Establishes the personnel-security policy: screening, T&Cs, transfer, termination.PS-01 T-IS-007 — Policy non-compliance by personnel due to weak awareness, training or enforcementT-IS-007 4. Risk Management & Treatment Methodology · Appetite · Treatment ISO 6.1, 8.2-3 · CSF GV.RM · BSI 200-3 RA-01 — Risk Assessment Policy and Procedures · Establishes the risk-assessment methodology, criteria and cadence.RA-01 RA-07 — Risk Response · Decides the response to each identified risk: mitigate, accept, transfer, avoid.RA-07 PM-09 — Risk Management Strategy · The documented risk strategy: methodology, appetite, tolerance, treatment options.PM-09 CA-05 — Plan of Action and Milestones · Tracks remediation of findings with owner, target date and status; closes the corrective-action loop.CA-05 T-IS-001 — Governance failure where security decisions are made without structured risk assessmentT-IS-001 DO Implement & operate 5. Resources, Competence & Documented Information Budget · Training · Documented information lifecycle ISO Cl. 7.1-7.5 · CSF GV.RR-03 PM-03 — Information Security and Privacy Resources · Resourcing requirements for the security and privacy programme, included in capital planning.PM-03 PM-13 — Security and Privacy Workforce · Workforce planning to ensure adequate competence is available for security and privacy roles.PM-13 AT-02 — Security Awareness Training · Universal awareness training covering policy, threats, individual responsibilities and reporting channels.AT-02 AT-03 — Role-Based Training · Role-specific training for personnel with significant security responsibilities.AT-03 PL-02 — System Security Plan · Documents each system's controls, responsibilities and authorisation status.PL-02 AU-01 — Audit and Accountability Policy and Procedures · Governs what is logged, how trails are protected, who can access them, retention.AU-01 SA-02 — Allocation of Resources · Determines resource requirements and includes security in capital planning.SA-02 IR-01 — Incident Response Policy and Procedures · Establishes IR policy and authority; operational runbooks live in SP-036.IR-01 T-IS-008 — Knowledge loss and undocumented security processes when expertise leaves the organisation · T-IS-013 — Cyber-insurance evidence failure leading to coverage exclusions, claim denial or premium escalationT-IS-008 / 013 6. Supplier & Third-Party Governance Programme · Register · Due diligence · Concentration risk ISO A.5.19-23 · CSF GV.SC · NIS2 21(2)(d) · DORA 28-30 SR-01 — Supply Chain Risk Management Policy and Procedures · Establishes the supply-chain risk-management policy and programme.SR-01 SR-02 — Supply Chain Risk Management Plan · Documents the supply-chain risk-management plan covering due diligence, monitoring, exit.SR-02 SR-03 — Supply Chain Controls and Processes · Operational controls and processes for the supply chain throughout the SDLC.SR-03 CA-03 — Information Exchange · Governs security of system interconnections and information exchanges with external systems.CA-03 T-IS-009 — Third-party and supply chain security gaps creating inherited and concentration risk · T-IS-011 — Concentration risk in shared GRC platforms and audit firms creating sector-level exposureT-IS-009 / 011 ACT Improve · correct · learn Improvement & corrective action Nonconformity · POA&M closure · Management-review decisions · Lessons learned ISO Cl. 10.1-10.2 · CSF ID.IM · DORA Art. 13 CA-05 — Plan of Action and Milestones · Tracks remediation of findings with owner, target date and status; closes the corrective-action loop.CA-05 RA-07 — Risk Response · Decides the response to each identified risk: mitigate, accept, transfer, avoid.RA-07 T-IS-004 — Control degradation and operational drift where implemented controls silently lose effectivenessT-IS-004 Multi-framework alignment (single internal control set) ISO 27001 · SOC 2 · NIS2 · DORA · ISO 42001 · thin overlays, not parallel sets PL-09 — Central Management · Unified management of selected controls across the organisation; underpins single-control-set discipline.PL-09 PL-01 — Security Planning Policy and Procedures · Top-level planning policy; governs the security plan lifecycle and the family policy structure.PL-01 T-IS-014 — Multi-framework drift where ISO 27001, SOC 2, NIS2, DORA and ISO 42001 control sets diverge over timeT-IS-014 CHECK Evaluate · audit · review Performance evaluation Continuous monitoring strategy · Metrics · Telemetry · KPIs ISO Cl. 9.1 · CSF DE.CM · NIST PM-31 CA-07 — Continuous Monitoring · Ongoing monitoring of control effectiveness, configuration changes and risk posture.CA-07 PM-31 — Continuous Monitoring Strategy · Documented telemetry roadmap: what is monitored, at what cadence, with what tolerances.PM-31 PM-06 — Measures of Performance · Programme performance metrics used to monitor and improve the ISMS.PM-06 T-IS-003 — Undetected security incidents persisting in the environment due to absent or weak monitoring capability · T-IS-013 — Cyber-insurance evidence failure leading to coverage exclusions, claim denial or premium escalationT-IS-003 / 013 Internal audit & management review Auditor independence · ISO 19011 · Mgmt-review event with mandated inputs/outputs CA-01 — Assessment, Authorization and Monitoring Policy and Procedures · Establishes the assessment/audit policy and authority; underpins auditor independence.CA-01 CA-02 — Control Assessments · Periodic assessments of control implementation and effectiveness with documented evidence.CA-02 CA-04 — Security Certification · Formal validation that a system meets its security requirements before authorisation to operate.CA-04 T-IS-002 — Regulatory non-compliance and audit failure leading to fines, certification loss or commercial impactT-IS-002 SP-018: Information Security Management System 36 NIST 800-53 Rev 5 controls across 10 families · 12 organisational threats · Authors: Aurelius, Vitruvius · Updated 2026-05-09 PDCA rotation XX-00 NIST control (click to view) management-system boundary T-IS-NN threat (hover for detail) Owned threats: T-IS-001 governance · T-IS-002 audit failure · T-IS-003 undetected incidents · T-IS-004 drift · T-IS-007 policy non-compliance T-IS-008 knowledge loss · T-IS-009 supply chain · T-IS-011 concentration · T-IS-012 shadow AI · T-IS-013 insurance evidence · T-IS-014 multi-framework drift · T-IS-015 board training PDCA cycle is the management lifecycle. Seven KCAs decompose the work. Management body owns scope, policy, risk appetite, review and training. The umbrella under which every other OSA pattern operates.

Click any control badge to view its details. Download SVG

Key Control Areas

Context, Scope and Stakeholders

PM-11RA-03RA-09PL-10
Convergent: all five frameworks require structured understanding of context, stakeholders and scope before any controls are selected.
ISO 27001:2022
Cl. 4.1–4.3 — internal/external issues, interested parties, ISMS scope as a documented artefact.
NIST CSF 2.0
GV.OC (5 subcategories) — mission, stakeholders, legal/regulatory, dependencies.
BSI IT-Grundschutz
Strukturanalyse + Schutzbedarfsfeststellung — structured inventory + 3-tier protection-requirements analysis.
NIS2
Mostly implicit; sector-criticality drives essential/important entity classification (Annex I/II).
DORA
Art. 8 — ICT asset identification and classification.
Where they differ: ISO's interested parties is broader than NIST's stakeholders (includes society and regulators). BSI's three-tier Schutzbedarf adds an asset-classification dimension other frameworks defer to organisational policy. Owned threats: T-IS-012 shadow AI scope leakage.

Leadership and Management Body Accountability

PM-01PM-02PM-03PM-13PM-29PS-09
Convergent: top-level executive owns the ISMS — non-delegable across all five frameworks.
ISO 27001:2022
Cl. 5.1 — top-management commitment via demonstrable actions (resourcing, communication, business-process integration).
NIST CSF 2.0
GV.RR-01 — leadership is responsible and accountable… fosters a culture that is risk-aware, ethical and continually improving.
BSI IT-Grundschutz
Mandates IT-Sicherheitsbeauftragter with defined reporting line to the management board.
NIS2
Art. 20(1) — personal liability of management body. Art. 20(2) — mandatory training.
DORA
Art. 5 — board approves digital operational resilience strategy. Art. 5(4) — mandatory ICT training.
Where they differ: NIS2 and DORA introduce personal liability and mandatory board training as regulatory floor. ISO is auditable but lacks personal-liability teeth. BSI is the most prescriptive on organisational reporting line. Owned threats: T-IS-015 management body insufficient training.

Policy Framework

PL-01PL-04PL-09AT-01PS-01
Convergent: a hierarchical policy framework, approved by the management body and reviewed periodically.
ISO 27001:2022
Cl. 5.2 + A.5.1 — top-level policy + topic-specific policies, approved, communicated, reviewed.
NIST CSF 2.0
GV.PO — policy created, reviewed, updated, communicated, enforced.
BSI IT-Grundschutz
Prescribed named documents: Sicherheitsleitlinie + topic policies (Krypto-Konzept etc.).
NIS2
Art. 21(2)(a) — policies on risk analysis and information-system security.
DORA
Art. 9(1) — ICT security policies, procedures, protocols, tools.
Where they differ: BSI prescribes named documents; ISO and NIST stay vendor-neutral. NIS2 makes policy existence a regulatory floor. DORA expands beyond policy to procedures, protocols and tools. Owned threats: T-IS-007 policy non-compliance by personnel · T-IS-014 multi-framework drift.

Risk Management and Treatment

RA-01RA-02RA-03RA-07RA-09PM-09PL-10CA-05
Convergent: risk drives control selection — all five frameworks require a documented methodology, assessment, and treatment decisions.
ISO 27001:2022
Cl. 6.1, 8.2–8.3 — methodology, assessment, treatment; Statement of Applicability as the unique artefact.
NIST CSF 2.0
GV.RM + ID.RA — risk strategy with explicit appetite (strategic) vs tolerance (operational variance); CSF Profile (current/target).
BSI IT-Grundschutz
BSI 200-3 risk analysis invoked only for Hoch / Sehr Hoch protection requirements; Modellierung is the bottom-up applicability artefact.
NIS2
Art. 21(2)(a) — risk-analysis policy as a mandatory minimum measure.
DORA
Art. 6(2) — documented ICT risk assessment, reviewed at least annually by regulation.
Where they differ: ISO mandates the SoA. NIST distinguishes appetite from tolerance. BSI decouples baseline from formal risk analysis — risk methodology kicks in only above Normal protection. DORA prescribes the annual review cadence in regulation. Owned threats: T-IS-001 governance failure.

Resources, Competence and Documented Information

PM-03PM-13AT-01AT-02AT-03PL-02PL-04AU-01SA-02IR-01
Convergent: the ISMS needs documented resources, demonstrable competence, and a defined documented-information lifecycle.
ISO 27001:2022
Cl. 7.1–7.5 — resources, competence, awareness, communication, documented information (unified create/update/distribute/retain/dispose lifecycle).
NIST CSF 2.0
GV.RR-03 adequate resources + AT family for awareness + PM-13 workforce + AT-06 training feedback (measurable).
BSI IT-Grundschutz
ORP.2 (personnel) + ORP.3 (awareness/training).
NIS2
Art. 21(2)(g) — basic cyber hygiene + training. Art. 21(2)(i) — HR security.
DORA
Art. 13(6) — awareness/training. Art. 13(1) — info gathering on vulnerabilities and threats.
Where they differ: ISO Cl. 7.5 is the unified documented information lifecycle — NIST and BSI lack this single concept. NIST adds AT-06 (training feedback) as a measurement step ISO doesn't require. Owned threats: T-IS-008 knowledge loss · T-IS-013 insurance evidence failure.

Supplier and Third-Party Governance

SR-01SR-02SR-03CA-03
Convergent: every framework treats supply-chain risk as first-class; how varies dramatically.
ISO 27001:2022
A.5.19–A.5.23 — supplier relationships, agreements, ICT supply chain, monitoring, cloud.
NIST CSF 2.0
GV.SC promoted to a Govern category (10 subcategories) — reflecting SolarWinds / MOVEit / CrowdStrike learning.
BSI IT-Grundschutz
Embedded across ORP and CON modules.
NIS2
Art. 21(2)(d) — supply-chain security. Art. 22 — Union-level coordinated risk assessments.
DORA
Most prescriptive in any framework: Art. 28 register + due diligence + monitoring + exit. Art. 29 concentration risk. Art. 30 contractual minima. Art. 31–44 direct EU oversight of critical TPPs.
Where they differ: DORA is uniquely prescriptive — mandated register, exit strategies, concentration assessment, and EU oversight of critical providers. NIS2 adds sector-level coordination. ISO and NIST stay at programme level. Owned threats: T-IS-009 supply-chain gaps · T-IS-011 concentration risk.

Performance Evaluation, Audit and Continual Improvement

CA-01CA-02CA-04CA-05CA-07AU-01PM-06PM-31PL-09
Convergent: all five frameworks require monitoring + assessment + improvement; cadence and rigour vary.
ISO 27001:2022
Cl. 9.1 monitoring · Cl. 9.2 internal audit (independence mandated) · Cl. 9.3 management review · Cl. 10 continual improvement + nonconformity.
NIST CSF 2.0
GV.OV oversight · DE.CM continuous monitoring · ID.IM improvement · PM-31 monitoring strategy + CA-07 operation.
BSI IT-Grundschutz
Improvement embedded in BSI 200-1 PDCA cycle; tied to certification renewal.
NIS2
Art. 21(2)(f) — policies/procedures to assess effectiveness.
DORA
Art. 6(4) — annual review of ICT risk framework. Art. 13 — learning and evolving.
Where they differ: ISO Cl. 9.2 mandates auditor independence. NIST separates strategy (PM-31) from operation (CA-07). DORA prescribes the annual cadence in regulation. BSI ties improvement to the certification renewal cycle. Owned threats: T-IS-002 audit failure · T-IS-003 undetected incidents · T-IS-004 control drift · T-IS-013 insurance evidence · T-IS-014 multi-framework drift.

When to Use

Any organisation with a computing environment that must be secured in a structured manner to meet business, legal, regulatory, or industry requirements. Organisations pursuing or maintaining ISO/IEC 27001 certification, SOC 2 Type II examination, or BSI IT-Grundschutz certification. Organisations classified as essential or important entities under EU NIS2. Financial-sector entities subject to EU DORA. Organisations in regulated industries (financial services, healthcare, government, critical infrastructure, energy, telecommunications, postal, waste, chemicals, food, manufacturing, digital providers, research) where structured security management is mandated. Organisations whose management body is required to demonstrate cybersecurity accountability to regulators, certification bodies, customers, partners, or insurers. Organisations operating AI systems requiring ISO/IEC 42001 alignment. Organisations preparing for cyber-insurance underwriting or claim defence in an evidence-based market. Any organisation where security has become a board-level concern and structured governance is expected.

When NOT to Use

There are no legitimate contra-indications at meaningful organisational scale. Very small organisations may operate a lighter management system -- proportionality (ISO Cl. 4.3, NIS2 Art. 21(1), DORA Art. 4 and Art. 15) is built into every framework -- and may forgo formal certification. The underlying principles, however, are universal: risk-based control selection, documented intent and operation, top-management ownership, periodic review and continual improvement apply regardless of size. The objection 'we are too small for an ISMS' typically conflates the ISMS with formal certification; the management capability is independent of the audit regime. Organisations that operate exclusively through managed SaaS without any custom systems, internal data, or sensitive customer relationships may find a lighter ISMS sufficient -- but the existence of any one of those (which is rare in practice) reintroduces the need for a structured management system.

Typical Challenges

Sustaining management commitment over time is the primary challenge -- the Plan and Do phases generate visible progress, while the Check and Act phases require disciplined, repetitive work that is less visible. Policy fatigue is real: creating comprehensive policies is straightforward, but ensuring they are read, understood, followed, and kept current is a persistent challenge. Bridging the gap between governance documentation and operational reality is the central ISMS challenge -- organisations that treat the ISMS as a documentation exercise for certification purposes derive minimal security value. Internal audit independence can be difficult to achieve in smaller organisations where the security team may end up auditing its own work. Measuring ISMS effectiveness beyond compliance metrics (number of policies, audit findings closed) requires security metrics that demonstrate genuine risk reduction; ISO 27004 has not been refreshed for the continuous-compliance era. Multi-framework reporting load is now a leading source of dysfunction: organisations subject to ISO 27001, SOC 2, NIST CSF, NIS2, DORA and ISO 42001 simultaneously can spend more time mapping evidence between frameworks than improving controls, and divergence between framework-specific control sets creates inconsistency that auditors then cite as a finding. Concentration risk in shared GRC tooling and audit firms is rising: when a critical mass of an industry sector relies on the same SaaS GRC platform or audit provider, an outage or compromise of that provider becomes a sector-level event. Shadow AI adoption inside the business -- employees using ungoverned models for sensitive work -- expands ISMS scope faster than the ISMS can absorb it, and treating it as an awareness problem rather than a scope problem leaves a structural gap. Cyber-insurance underwriting has shifted from questionnaire-based assessment to evidence-based assessment, exposing gaps in evidence pipelines that ISMS programmes are sometimes slow to fill. Integration of the ISMS with adjacent management systems (quality, IT service management, privacy, AI governance under ISO 42001) adds complexity but also efficiency opportunities.

Threat Resistance

The ISMS does not directly mitigate technical threats -- those are owned by operational patterns. It mitigates twelve organisational and governance threats by ensuring that technical controls are selected based on risk, implemented correctly, operated consistently, monitored for effectiveness, and improved over time. The pattern explicitly addresses: governance failure where security decisions are made without structured risk assessment (T-IS-001); regulatory non-compliance and audit failure (T-IS-002); undetected security incidents persisting due to absent or weak monitoring (T-IS-003); control degradation and operational drift (T-IS-004); policy non-compliance by personnel (T-IS-007); knowledge loss and undocumented security processes (T-IS-008); supply chain security gaps including inherited and concentration risk (T-IS-009); concentration risk in shared GRC platforms or audit firms (T-IS-011); shadow AI usage outside ISMS scope (T-IS-012); cyber-insurance evidence failure (T-IS-013); multi-framework drift across ISO 27001, SOC 2, NIS2, DORA and ISO 42001 (T-IS-014); and management body insufficient training or competence (T-IS-015). Three operational threats are stewarded by sibling patterns and named here for completeness: T-IS-005 (inadequate incident response leading to escalated impact) is owned by SP-036 Incident Response; T-IS-006 (unmanaged vulnerabilities exploited before remediation) by SP-038 Vulnerability Management and Patching; T-IS-010 (inadequate physical and environmental protection enabling tampering, theft or environmental damage) by physical-security patterns including SP-022 Board Room and SP-016 DMZ Module. The ISMS requires their respective programmes to exist; the operational detail lives in those patterns.

Role Responsibilities

This pattern uses a three-tier role cut native to ISMS work: management body, ISMS lead, and control or asset owner. The cut differs from the developer / architect / business-owner cut used in operational OSA patterns because the audience differs -- this pattern speaks to security-management roles, not engineering roles. The management body is the board, executive committee, or equivalent collective leadership body responsible for the organisation's direction; under NIS2 Art. 20 and DORA Art. 5 its members may be personally accountable. The ISMS lead is the named accountable officer for the management system day-to-day -- the Information Security Manager, Senior Information Security Officer, IT-Sicherheitsbeauftragter (BSI), or CISO depending on context -- with a defined reporting line to the management body. Control or asset owners are the named individuals who implement and operate the controls in their domain and report on effectiveness. External roles (regulators, certification bodies, auditors, customers, insurers) are referenced where relevant but outside this matrix because they are outside the organisation's accountability boundary.

Context, Scope and Stakeholders (PM-11, RA-03, RA-09, PL-10)

Management Body

Approves the ISMS scope statement, ratifies major scope changes (e.g., AI inclusion, geographic expansion, new sector entry, new regulatory regime), and signs off on the stakeholder register at least annually.

ISMS Lead

Drafts and maintains the scope statement and stakeholder register. Runs the structured context analysis (PESTLE-style external issues plus internal issues plus dependencies) and presents findings to the management body.

Control or Asset Owner

Identifies their assets, processes, suppliers and dependencies that fall in scope. Reports scope-affecting changes (new systems, retired systems, new third parties, new AI usage) to the ISMS lead.

Leadership and Management Body Accountability (PM-01, PM-02, PM-03, PM-13, PM-29, PS-09)

Management Body

Demonstrates commitment by allocating resources, communicating the importance of security across the organisation, integrating ISMS requirements into business decisions, and participating personally in management review. Maintains required training (NIS2 Art. 20(2), DORA Art. 5(4)) to assess cybersecurity risks competently. Owns concentration-risk decisions and the organisation's overall security culture.

ISMS Lead

Reports directly to the management body or to a member designated for cybersecurity. Maintains the role-responsibility matrix; ensures every accountability is explicitly assigned to a named individual; raises cultural and resource constraints to the management body; coordinates the named-officer relationships (Senior Information Security Officer / IT-SiBe / CISO) with HR and legal.

Control or Asset Owner

Receives and acknowledges assigned accountabilities. Reports control effectiveness, exceptions, and resourcing constraints upward through the ISMS lead. Models security-aware behaviour for direct reports.

Policy Framework (PL-01, PL-04, PL-09, AT-01, PS-01)

Management Body

Approves the top-level information security policy and ratifies major topic-specific policy changes. Authorises disciplinary consequences for material policy non-compliance.

ISMS Lead

Drafts the policy framework hierarchy (top-level policy supported by topic-specific policies and procedures); manages policy lifecycle (drafting, approval, communication, training, periodic review); maintains compliance tracking against legal, regulatory and contractual obligations; owns multi-framework alignment decisions.

Control or Asset Owner

Implements policy in their domain; surfaces policy ambiguities or conflicts; reports compliance status; trains direct reports on relevant policies.

Risk Management and Treatment (RA-01, RA-02, RA-03, RA-07, RA-09, PM-09, PL-10, CA-05)

Management Body

Defines and approves the risk appetite (NIST GV.RM-02). Approves treatment decisions for risks above defined thresholds. Ratifies the control-applicability artefact (Statement of Applicability, CSF Profile, or BSI Modellierung).

ISMS Lead

Owns the risk methodology; maintains the risk register; aggregates risks from control or asset owners; recommends treatment options (mitigate, accept, transfer, avoid); maintains the control-applicability artefact; reports risk posture and trend to the management body; manages the POA&M (CA-05).

Control or Asset Owner

Identifies risks in their domain; assesses likelihood and impact using the established methodology; implements approved treatment; reports residual risk back to the ISMS lead; owns the closure of POA&M items in their domain.

Resources, Competence and Documented Information (PM-03, PM-13, AT-01, AT-02, AT-03, PL-02, PL-04, AU-01, SA-02)

Management Body

Approves the ISMS resourcing plan (budget, headcount, tooling) and competence requirements for security-critical roles. Receives the documented-information artefact set as part of management review.

ISMS Lead

Operates the documented-information lifecycle (creation, update, distribution, retention, disposal); manages the competence programme (training records, role-based competence, certifications, position descriptions); operates the named artefact set (policy, scope statement, risk register, control-applicability artefact, POA&M, audit reports, management-review minutes, performance-metrics dashboard, continuous-monitoring strategy, incident register, third-party register where applicable).

Control or Asset Owner

Maintains evidence for their domain (configuration baselines, control test results, exception logs, training completion); completes role-based training; produces and updates documented procedures for their controls.

Supplier and Third-Party Governance (SR-01, SR-02, SR-03, CA-03)

Management Body

Approves engagements with critical suppliers and accepts residual third-party risk. Owns concentration-risk decisions when many critical suppliers depend on the same upstream provider. Ratifies exit strategies for ICT third-party arrangements where required (DORA Art. 28(8)).

ISMS Lead

Owns the third-party risk programme requirement (operational details delegated to SP-042). Coordinates with SP-042 on the supplier register, criticality tiering, due diligence, monitoring, and exit. Surfaces concentration risk to the management body. Maintains alignment with NIS2 Art. 21(2)(d) + Art. 22 and DORA Art. 28-30 where applicable.

Control or Asset Owner

Operates supplier relationships in their domain; reports supplier security-relevant changes (incidents, contract changes, M&A, exit triggers) to the ISMS lead and the SP-042 programme; maintains contract clauses meeting the organisation's minimum standards.

Performance Evaluation, Audit and Continual Improvement (CA-01, CA-02, CA-04, CA-05, CA-07, AU-01, PM-06, PM-31, PL-09)

Management Body

Chairs management review at planned intervals (minimum annually; ISO Cl. 9.3 and DORA Art. 6(4)+(5)). Receives audit reports and KPI dashboards; signs off corrective action; allocates additional resources where the cycle reveals gaps. Reviews the cyber-insurance evidence pipeline.

ISMS Lead

Operates the internal audit programme with auditor independence (ISO Cl. 9.2). Operates the continuous-monitoring strategy (NIST PM-31) and performance-metrics pipeline (PM-06). Maintains the POA&M (CA-05) and the corrective-action process (ISO Cl. 10.2). Maintains framework mappings as a thin overlay (single internal control set; ISO 27001 / SOC 2 / NIS2 / DORA / ISO 42001 mapped on top) to mitigate T-IS-014 multi-framework drift.

Control or Asset Owner

Provides evidence on demand for their controls; closes findings within agreed timelines; maintains the metrics for their domain; participates in retrospectives after incidents and audits.

The management body's most critical responsibilities are approving the ISMS scope and policy, defining the risk appetite, chairing periodic management review with documented decisions, and maintaining sufficient training to assess cybersecurity risks. NIS2 Art. 20 and DORA Art. 5 make these non-delegable; ISO Cl. 5.1 makes the commitment auditable; NIST GV.RR-01 makes leadership accountable for fostering a risk-aware, ethical, continually improving culture. Without explicit decisions from the management body, the ISMS lead makes them implicitly -- and will default to whichever interpretation is cheapest or easiest to defend in audit, which is rarely best for the business.

Assumptions

PDCA-or-equivalent improvement methodology in place; senior management commitment exists, is visible, and is sustained over time; the ISMS scope is defined and documented; resources (budget, headcount, infrastructure, tooling) are allocated commensurate with scope; a risk methodology has been selected or will be established; a documented information lifecycle exists or will be operationalised; internal audit competence is available or will be developed; the organisation is aligned (or aligning) to current standards -- ISO/IEC 27001:2022 with the four-theme Annex A, NIST CSF 2.0 with its first-class Govern function, BSI IT-Grundschutz where applicable, and any sectoral regimes that apply (NIS2, DORA, sector-specific regulators); AI systems are either explicitly in ISMS scope or covered by a parallel ISO/IEC 42001 management system that integrates with the ISMS; the management body has been informed of its accountability and (where required by NIS2 Article 20(2) or DORA Article 5(4)) has access to mandatory training. The pattern assumes that the management body genuinely owns the ISMS rather than treating it as a delegated CISO concern, and that proportionality (ISO Cl. 4.3, NIS2 Art. 21(1), DORA Art. 4 and Art. 15) is applied honestly to scale measures with the organisation's size, exposure and risk profile.

Developing Areas

  • Continuous compliance automation is now table stakes but the maturity gap is widening. Platforms automate evidence collection for perhaps 60-70% of ISO 27001:2022 controls and similar percentages for SOC 2 and NIST CSF, yet the remaining controls -- those requiring judgement, organisational context, or human-process evidence -- still require manual artefact collection. Auditors and certification bodies are only beginning to accept machine-generated evidence as primary audit artefacts, creating a transitional period where organisations run parallel manual and automated processes. The maturity model is unsettled: ISO/IEC 27004 has not been refreshed to address continuous-compliance metrics, and the dominant platform vendors each define their own maturity rubrics. Expect a Common Continuous Compliance Maturity Model to emerge from the standards bodies in the 2026-2028 window.
  • ISMS scope definition is being challenged by three forces simultaneously: cloud-native architectures with shared-responsibility boundaries that shift with each provider release; permanent remote and hybrid work with employees on personal networks and devices; and AI usage that expands faster than the management system can re-scope. Traditional scope statements assumed physical office locations, on-premises data centres, and a stable supplier set. Emerging approaches treat scope as dynamic and identity-centric rather than location-based, but ISO 27001:2022 certification audits have not fully adapted. The DORA scope-by-Critical-or-Important-Function model and the NIS2 essential/important-entity classification offer a regulatory shape, but neither addresses scope velocity. Shadow AI is the most acute manifestation: when employees adopt consumer AI tools for sensitive work, the ISMS scope leaks faster than re-scoping cycles can compensate, requiring scope to become a continuously assessed property rather than an annual documented artefact.
  • Metrics-driven ISMS operation is still immature despite three decades of management-system practice. Most organisations track lagging indicators (audit findings, incidents, training completion) rather than leading indicators that predict security posture degradation. Quantitative methodologies like FAIR are gaining traction but require data that few organisations systematically collect. NIST PM-06 Measures of Performance and ISO/IEC 27004 provide the structural backbone but the industry lacks consensus on which security metrics genuinely correlate with risk reduction versus which are compliance theatre. AI-assisted analytics applied to ISMS telemetry is opening new measurement possibilities -- anomaly detection on control-effectiveness data, NLP analysis of audit findings to surface latent themes -- but is too new to have produced validated case studies.
  • GRC platform integration remains fragmented in 2026, with most organisations operating multiple disconnected tools for risk register, policy library, audit tracking, vendor management, evidence repository, and metrics dashboards. True platform convergence -- where a single system of record drives every ISMS process -- is an emerging capability that fewer than 25% of mid-market enterprises have achieved. Simultaneously, concentration risk in the dominant continuous-compliance platforms is rising: when a critical mass of an industry sector relies on the same SaaS GRC platform, an outage or compromise of that provider becomes a sector-level event. The DORA Art. 31-44 oversight framework for critical ICT third-party providers is the regulatory response, but its operational impact on GRC tooling vendors is still emerging. Open data formats (OSCAL, the Open Security Controls Assessment Language by NIST) may reduce platform lock-in but adoption remains limited.
  • DORA's oversight framework for critical ICT third-party providers (Articles 31-44) has begun reshaping the ICT supply landscape from January 2025 onwards. The European Supervisory Authorities (ESAs) designate critical providers -- likely including hyperscale cloud providers, dominant authentication services, and major application platforms -- and assign Lead Overseers with direct supervisory authority. The downstream effect on ISMS programmes is significant: previously the regulatory burden on a SaaS or cloud provider was indirect (via customer financial entities); now the provider can be supervised, examined, and required to remediate findings directly. Financial-entity ISMS programmes will need to monitor their providers' Lead-Overseer engagement, factor it into concentration-risk decisions, and update third-party registers and exit strategies accordingly. The first round of designations and supervisory actions in 2025-2026 will define the operating practice.

Related Patterns

Patterns that operate within or alongside this one. Click any to view.

SP-010 Identity Management SP-013 Data Security SP-014 Awareness and Training SP-029 Zero Trust Architecture SP-031 Security Monitoring and Response SP-032 Modern Authentication SP-034 Cyber Resilience SP-035 Offensive Security Testing SP-036 Incident Response SP-038 Vulnerability Management and Patching SP-042 Third Party Risk Management SP-045 AI Governance and Responsible AI
AT: 3AU: 1CA: 6IR: 1PL: 5PM: 9PS: 2RA: 5SA: 1SR: 3
AT-01 Awareness And Training Policy And Procedures
AT-02 Security Awareness Training
AT-03 Role-Based Training
AU-01 Audit And Accountability Policy And Procedures
CA-01 Assessment, Authorization, And Monitoring Policy And Procedures
CA-02 Control Assessments
CA-03 Information Exchange
CA-04 Security Certification
CA-05 Plan Of Action And Milestones
CA-07 Continuous Monitoring
IR-01 Incident Response Policy And Procedures
PL-01 Security Planning Policy And Procedures
PL-02 System Security Plan
PL-04 Rules Of Behavior
PL-09 Central Management
PL-10 Baseline Selection
PM-01 Information Security Program Plan
PM-02 Senior Information Security Officer
PM-03 Information Security And Privacy Resources
PM-06 Measures Of Performance
PM-09 Risk Management Strategy
PM-11 Mission And Business Process Definition
PM-13 Security And Privacy Workforce
PM-29 Risk Management Program Leadership
PM-31 Continuous Monitoring Strategy
PS-01 Personnel Security Policy And Procedures
PS-09 Position Descriptions
RA-01 Risk Assessment Policy And Procedures
RA-02 Security Categorization
RA-03 Risk Assessment
RA-07 Risk Response
RA-09 Criticality Analysis
SA-02 Allocation Of Resources
SR-01 Supply Chain Risk Management Policy And Procedures
SR-02 Supply Chain Risk Management Plan
SR-03 Supply Chain Controls And Processes