There are many definitions of a management system, but here are two that get straight to the point:
“A management system describes the set of procedures an organization needs to follow in order to meet its objectives… This process of systemizing how things are done is known as a management system.” – ISO.org
“A management system is the framework of policies, processes, and procedures used by an organization to ensure that it can fulfill all the tasks required to achieve its objectives.” – Wikipedia.org
In my mind, a management system is the way in which an organization standardizes its processes in order to consistently achieve its intended outcomes. Every management system is unique; there is no cut-and-paste approach to implementing an effective management system. What works for one may or may not work for another.
Note how management systems are all about achieving “objectives”. The emphasis is on the effective management of business processes and, a phrase you will hear a lot, continual improvement. Management system standards are therefore very generic: they do not tell you how you will achieve your objectives, only that management must set objectives relevant to the context of the organization and establish the processes and controls necessary to achieve them.
When we talk about an information security management system, we are basically given the same recipe for effective management as in other management system standards, such as ISO 9001 for a quality management system or ISO 22301 for a business continuity management system. The difference between them really lies in the setting of objectives. In information security, our objectives focus on our intention to preserve the confidentiality, integrity, and/or availability of information in business processes; in quality, our objectives focus on enhancing a customer’s satisfaction with our products or services.
To summarize, management system standards define requirements for organizations that describe the ‘what’, not the ‘how’.
Requirements across different management system standards are mostly synchronized in their general approach and require the organization to establish, implement, operate, monitor, review, and continually improve business processes in order to achieve its objectives.
These standards can be implemented in any type of company (large or small, public or private) and are not specific to any industry.
Companies that claim conformity to management system requirements can be independently audited. Auditors assess, based on objective evidence, the extent to which the organization meets the requirements and achieves its objectives. This is why certification bodies are able to audit organizations against these standards and issue accredited certification, which is not the case for standards such as ISO/IEC 27002 and ISO 31000: those provide ‘guidance’, not ‘requirements’.