However, organizations are free to select and implement other controls as they see fit. The standard is explicitly concerned with information security, meaning the security of all forms of information e. The specific information risk and control requirements may differ in detail but there is a lot of common ground, for instance most organizations need to address the information risks relating to their employees plus contractors, consultants and the external suppliers of information services. Like governance and risk management, information security management is a broad topic with ramifications throughout all organizations. ISMS implementation guidance and further resources.
