ISO/IEC 27000:2018(E) and improving an organization's information security to achieve business objectives. The following fundamental principles also contribute to the successful implementation of an ISMS: a) awareness of the need for information security; b) assignment of responsibility for information security; c) incorporating management commitment and the interests of stakeholders; d) enhancing societal values; e) risk assessments determining appropriate controls to reach acceptable levels of risk; f) security incorporated as an essential element of information networks and systems; g) active prevention and detection of information security incidents; h) ensuring a comprehensive approach to information security management; i) continual reassessment of information security and making of modifications as appropriate.In terms of information security, a management system allows an organization to: a) satisfy the information security requirements of customers and other stakeholders; b) improve an organization's plans and activities; c) meet the organization's information security objectives; d) comply with regulations, legislation and industry mandates; and e) manage information assets in an organized way that facilitates continual improvement and adjustment to current organizational goals.Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets.Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS.Information security involves the application and management of appropriate controls that involves consideration of a wide range of threats, with the aim of ensuring sustained business success and continuity, and minimizing consequences of information security incidents.12 (C) ISO/IEC 2018 - All rights reserved ISO/IEC 27000:2018(E) In terms of an ISMS, management involves the supervision and making of decisions necessary to achieve business objectives through the protection of the organization's information assets.Management of information security is expressed through the formulation and use of information security policies, procedures and guidelines, which are then applied throughout the organization by all individuals associated with the organization.This technology is often an essential element in the organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information.These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific information security and business objectives of the organization are met.The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.Any activity using resources needs to be managed to enable the transformation of inputs into outputs using a set of interrelated or interacting activities; this is also known as a process.Information can be transmitted by various means including: courier, electronic or verbal communication.Management structures extend from one person in a small organization to management hierarchies consisting of many individuals in large organizations.4.2.2 Information Information is an asset that, like other important business assets, is essential to an organization's business and, consequently, needs to be suitably protected.Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees.Relevant information security controls are expected to be seamlessly integrated with an organization's business processes.4.2.4 Management Management involves activities to direct, control, and continually improve the organization within appropriate structures.Management activities include the act, manner, or practice of organizing, handling, directing, supervising, and controlling resources.The output from one process can directly form the input to another process and generally this transformation is carried out under planned and controlled conditions.It is based on a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks.4.3 Process approach Organizations need to identify and manage many activities in order to function effectively and efficiently.4.2.3 Information security Information security ensures the confidentiality, availability and integrity of information.4.2.5 Management system A management system uses a framework of resources to achieve an organization's objectives.In many organizations, information is dependent on information and communications technology.Whatever form information takes, or the means by which it is transmitted, it always needs appropriate protection.