Training

ISMS, AIMS & PIMS — the three management systems, in plain English

Whether you're preparing for certification or just want your team to understand what they're part of, this is a grounding in the three certifiable management systems Compliance365 works in: the ISMS (information security), the AIMS (AI governance) and the PIMS (privacy) — what each is, why it matters, and what "good" looks like.

Suitable as staff-awareness material (ISO 27001 Clause 7.3) — each section ends with a short knowledge check.

The common backbone

All three run on the same engine

A "management system" isn't paperwork — it's a way of running something on purpose so it keeps working. Every ISO management system shares one harmonised structure (called Annex SL) and one engine: Plan – Do – Check – Act.

You plan (understand your context, scope the system, assess risk, set objectives), do (implement controls and actions), check (scan, audit and measure whether it's working), and act (correct what fell short and improve). Then you go round again. This is why an organisation with a working ISMS already has most of what an AIMS or PIMS needs — the backbone is identical; only the subject changes.

Certification is an accredited third party confirming that engine genuinely turns — not that you own a binder of policies.

PlanContext, scope,risks, objectivesDoImplementcontrols & actionsCheckScan, audit,measureActCorrect, improve,management reviewCONTINUALIMPROVEMENT

Plan-Do-Check-Act — the continual-improvement cycle under ISO 27001, 42001 and 27701 alike.

ISMS · ISO/IEC 27001

Information Security Management System

Protect the confidentiality, integrity and availability of information — systematically, and provably, not by luck.

An ISMS is the framework of policies, processes, roles and controls an organisation uses to manage information-security risk on purpose. ISO 27001 is the international standard you certify against. The point isn't a folder of policies — it's a living system that identifies risk, treats it, checks that the treatment worked, and improves. Certification is an accredited auditor confirming that system genuinely runs.

The anatomy

Scope & context What the ISMS covers, and the internal/external issues and interested parties that shape it (Clause 4).
Risk assessment & treatment Identify information-security risks, decide how to treat each (mitigate / accept / transfer / avoid), and track it to closure (Clause 6.1, 8).
Statement of Applicability The signature artifact: every Annex A control, whether it applies, its status, and a justification for anything excluded (Clause 6.1.3).
Objectives Measurable information-security objectives, and evidence you are meeting them (Clause 6.2).
Internal audit & management review The organisation audits its own ISMS, and top management reviews it at planned intervals (Clauses 9.2, 9.3).
Nonconformity & improvement When something falls short, record it, find the root cause, correct it, and verify the fix held (Clause 10).

Who does what

  • Top management — owns the ISMS, provides resources, chairs the management review
  • ISMS / security lead — runs the day-to-day system
  • Risk & control owners — accountable for specific risks and controls
  • Internal auditor — independent of what they audit
  • Everyone — awareness of their part in keeping information secure (Clause 7.3)

What "good" looks like

Risks trace to treatments trace to evidence. The SoA is current. Objectives are measured, not aspirational. Internal audits and management reviews happen on schedule and produce actions. Residual risks left after treatment carry documented owner acceptance. Nothing is assembled the night before the audit.

Check your understanding

Q1 What does the Statement of Applicability actually state?

For every Annex A control: whether it applies to your organisation, its implementation status, and — crucially — a documented justification for any control you have excluded. It is the first document most auditors open.

Q2 A risk is left at "Medium" after treatment. What does an auditor expect to see?

Documented acceptance of that residual risk by its owner (or an appropriate authority) — who accepted it, when, and on what basis. Treating a risk does not always mean eliminating it; accepting the remainder is a legitimate decision, but it must be recorded.

Q3 Why run an internal audit if an external auditor is coming anyway?

ISO 27001 Clause 9.2 requires it independently. The internal audit is how the organisation checks its own ISMS between certification visits and feeds nonconformities into corrective action — it is evidence the system is self-correcting, not just audit-ready once a year.

AIMS · ISO/IEC 42001

AI Management System

Govern the development and use of AI so it is responsible, transparent and accountable — before a regulator or a customer asks you to prove it.

ISO 42001 (2023) is the first certifiable AI management-system standard. It extends the same management-system backbone to the specific risks AI introduces: bias, opacity, loss of human oversight, misuse, and unexpected impact on people. It doesn't ask you to stop using AI — it asks you to know what AI you run, assess its impact, keep a human meaningfully in control, and be able to explain it.

The anatomy

AI system inventory A register of the AI systems you build or use — purpose, data sources, model type, vendor, and who owns each.
AI risk & impact assessment For each system, an assessment of its risk to individuals and society, not just to the business — the AI equivalent of a risk assessment.
Risk tiering Classifying systems by impact so oversight is proportionate — a chatbot and a decision that affects someone's livelihood are not the same.
Human oversight Documented, meaningful human control over consequential AI decisions — who can intervene, and how.
Transparency & accountability Being able to explain what a system does, on what data, and who is answerable for it.
The shared backbone Scope, objectives, internal audit, management review and continual improvement — identical Annex SL structure to an ISMS.

Who does what

  • Top management — accountable for responsible-AI policy and resourcing
  • AI governance lead — maintains the inventory and the assessment process
  • AI system owners — accountable for a specific system's impact and oversight
  • Reviewers — independent check on impact assessments
  • Users — trained on the approved, in-control way to use each system

What "good" looks like

Every AI system in use is in the inventory (including the shadow ones). Each has an impact assessment proportionate to its risk tier. Human oversight is defined and real, not a checkbox. You can answer "what AI do you use, and how do you keep it safe?" without a scramble.

Check your understanding

Q1 ISO 42001 is about stopping AI use. True or false?

False. It is about governing AI use responsibly — knowing what you run, assessing its impact, keeping humans in control, and being accountable. It enables confident AI adoption, it does not prohibit it.

Q2 What makes an AI impact assessment different from a normal risk assessment?

It weighs impact on individuals and society — fairness, transparency, autonomy, potential harm — not only impact on the business. A system can be low business-risk and high individual-risk at the same time.

Q3 Why does AIMS use the same structure as ISMS?

Both follow ISO's Annex SL harmonised structure (scope, leadership, planning, support, operation, evaluation, improvement). That means an organisation with a working ISMS already has most of the machinery — 42001 adds the AI-specific content, not a whole new system.

PIMS · ISO/IEC 27701

Privacy Information Management System

Extend information security to the protection of personal information — and demonstrate you handle privacy the way regulators and customers now demand.

ISO 27701 is an extension of ISO 27001, not a standalone standard — you build a PIMS on top of a working ISMS. It adds privacy-specific requirements and controls for organisations acting as PII controllers (you decide why and how personal data is processed) and/or PII processors (you process it on someone else's behalf). It maps closely to GDPR and similar laws, so a PIMS is often how organisations operationalise their privacy obligations.

The anatomy

Records of Processing Activities (ROPA) What personal data you hold, why, on what legal basis, where it flows, and how long you keep it — the backbone privacy artifact.
Controller vs processor roles Being clear, per activity, whether you decide the purpose (controller) or act on instructions (processor) — your obligations differ.
Data subject rights A process to handle access, correction, erasure and objection requests within legal timeframes.
Privacy risk / DPIA Assessing privacy risk for high-risk processing (a Data Protection Impact Assessment), and treating it.
Privacy by design Building data minimisation, purpose limitation and retention into processes, not bolting them on.
Built on the ISMS All the ISMS machinery — risk, controls, audit, review — extended with the privacy controls of ISO 27701's Annexes.

Who does what

  • Top management — accountable for the privacy programme
  • Privacy lead / DPO — owns the ROPA and rights-handling
  • Process owners — accountable for privacy in their processing activities
  • Everyone handling personal data — trained on their obligations
  • Internal auditor — checks the PIMS alongside the ISMS

What "good" looks like

The ROPA is complete and current. Controller/processor roles are clear per activity. Data-subject requests have a defined, timed process. High-risk processing has a DPIA. Privacy is designed into new processes. And because it extends the ISMS, none of this is a parallel, duplicated system.

Check your understanding

Q1 Can you certify to ISO 27701 on its own?

No. ISO 27701 is an extension of ISO 27001 — you need a working ISMS as the foundation, then add the PIMS requirements and privacy controls on top. They are audited together.

Q2 What is a ROPA, and why does it matter so much?

A Record of Processing Activities: what personal data you process, why, the legal basis, data flows and retention. It is the foundation artifact of a privacy programme — most other privacy obligations (rights handling, risk assessment, breach response) depend on knowing what you hold in the first place.

Q3 You process personal data strictly on a client's instructions. Which role are you?

A PII processor. The client, who decides the purpose and means of processing, is the controller. Your obligations as a processor differ from a controller's — ISO 27701 requires you to be clear which hat you wear for each activity, and some activities may make you both.

From theory to running system

Checkpoint is where these systems actually run

Everything above is the theory. Checkpoint is the console Compliance365 delivers it in — the risk register, the Statement of Applicability, the AI system inventory, the privacy records, the internal-audit and management-review cadence — all live in your own Microsoft 365 tenant.

See how Checkpoint runs it, end to end →

Want this delivered to your team?

We run tailored awareness and practitioner training on the ISMS, AIMS and PIMS as part of every engagement — grounded in your own scope, your own risks, and the console your team will actually use.

Book a training session More guides & resources
Microsoft Teams