Most organisations now have a number of information security controls in place. Whilst this is laudable, there is, unfortunately, still a problem which Krypsys sees on a recurring basis: without a formal Information Security Management System (ISMS), these security controls tend to be disorganised, haphazard or disjointed. This is because the controls have usually been implemented partly as specific solutions for specific situations, or introduced as a matter of convention. The security controls in operation today typically address only certain aspects of IT or data security, leaving non-IT information assets such as paperwork and proprietary knowledge less protected and vulnerable. Sometimes business continuity planning and physical security may be managed independently of IT or information security, whilst Human Resources practices may not recognise the need to define and assign information security roles and responsibilities throughout the organisation. The ISO/IEC 27001 standard was introduced to address these issues.