The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, process and system to manage risks to its information assets, thus ensuring acceptable levels of information security risks.