An Information Security Management System (ISMS) is a systematic framework of policies, procedures, and controls for managing an organization's information security risks. As defined by standards like ISO/IEC 27001, an ISMS provides a holistic and coherent approach by integrating security into the organization's processes and overall management structure. It ensures that security efforts are consistently applied, managed, and aligned with business objectives, thereby creating a coherent security organization. This system is not just about technology but encompasses people, processes, and technology, managed through a continuous improvement cycle (Plan-Do-Check-Act).

A. Federal Information Security Management Act (FISMA) is a specific US federal law mandating security practices for federal agencies, not a general type of management system.

B. Information Technology Service Management System (ITSM) focuses on the delivery of IT services to users, not primarily on the organization-wide management of information security.

D. Information Exchange Data System (IEDS) is a term for a technical system used for data transfer, not a recognized management framework for organizational security.

1. ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Section 0.1, "General," states that the adoption of an ISMS is a strategic decision to manage information security risks and that the standard specifies requirements to establish, implement, maintain, and continually improve this system.

2. Humphreys, E. (2016). Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House. In Chapter 1, "What is an ISMS?", it is explained that an ISMS provides the "coherent set of policies, processes, and systems for managing risks to its information assets" (p. 3).

3. Von Solms, B., & Von Solms, R. (2004). The 10 deadly sins of information security management. Computers & Security, 23(5), 371-376. https://doi.org/10.1016/j.cose.2004.05.002. The paper advocates for a holistic ISMS to overcome fragmented and incoherent security approaches, treating information security as a management issue.