Is having an information security management system equal to actual security?
Nop! Having an information security management system is not an indication of quality of security controls. Management systems are easier way of administration in a standard and systematic way, but they do not necessarily an indication of security control effectiveness.
As an example, ISO 27001 as one of the most popular information security management system to date, has no effect on the quality of your controls, as there is no judgement on implementation quality, effectiveness and type of security controls. It is just the judgement of logic.
This is no surprise though comparing to any other management system like ISO 9001 famous Quality where you can find thousands of firms holding to that certification with lowest quality of products. You will find same number of firms holding tightly to their ISO 27001 certification as an indication of “presence of quality security” but literally are at the lowest bracket of information security effectiveness in practice.
Let’s say one has a system to fully manage firewall within an enterprise, all the rules are justified, reviewed and approved by head of your technology department (which FYI you could barely find such a well-managed system, but still let’s pretend it’s not a big deal). Does it mean firewall rules are technically security and configured in a way that address organization concerns?!
However, an information security management system, whether globally recognized like ISO 27001 or organically internally created by your organization could be the best tool to approach your security program; it is all about execution and understanding of information security elements ‘particularly in regards to your business’.