In every organization, regardless of its location, size or business area, there are always some risks, including financial risks and legal risks such as non-compliance, penalties, etc. While some types of risk can hardly be controlled, most internal risks can be handled within the organization. To do so, it is important to understand two terms: ISMS and ISO 27001. An Information Security Management System (ISMS) is a standard-specified framework of policies that holds all the legal, physical and technical controls involved in an organisation's risk management processes. ISO 27001 was laid down to offer a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.