What does it mean when ISO 27001 references an ISMS? An ISMS is an information security management system: a documented, repeatable management structure that lets you build a security program and select controls specific to and sized for your organization, rather than a fixed checklist.
This approach is quite different from popular frameworks in the industry today such as PCI DSS, HIPAA, or NIST (for example, SP 800-53). Those frameworks provide a catalog of security requirements or controls that you benchmark your organization against as a best practice. The ISO 27001 ISMS instead guides you through a series of steps and processes (scoping, risk assessment, risk treatment) to build and select security controls that are appropriate and right-sized for your organization.
At a high level, the ISO 27001 ISMS requires an organization to document the people, processes, and technologies in scope for its ISMS. The standard provides the methodology, required documentation, and structure needed to select the correct security controls to mitigate real security risks to the people, processes, and technology supporting your business. Note that ISO 27001 still ships a reference set of controls in Annex A; the difference is that you choose, and justify in a Statement of Applicability, which of those controls apply based on your own risk assessment, rather than adopting the whole catalog by default.