The Manifesto for Information Security Management

We are proving that every organization can build a mature security management system by themselves, creating compliance without complexity. Security management that adds actual business value by facilitating agility instead of introducing rigidity. Without hefty consulting bills.

Through working with our clients we have come to value:

  • Business over security
  • Purpose over policy
  • Iteration over perfection
  • Risk-based decisions over checkbox compliance

While there is value in the items on the right, the items on the left are what makes security last.


Our 10 Principles for implementing an effective ISMS

We follow these principles:

  1. Our highest priority is to enable the business to achieve its goals with effective information security.
  2. Adaptability is the foundation of good security.
  3. Accountability for security rests with business management.
  4. Every employee, at every level, carries an active responsibility for security within their own work scope. Leadership creates the conditions for this to happen.
  5. Security professionals and business stakeholders meet regularly, face to face, to discuss risks and measures in the context of real work.
  6. An exception properly handled is better than a rule blindly followed. Deviations are mostly a sign of bad policies, not of bad people.
  7. Abstract risks breed diffuse responsibilities. A risk that belongs to everyone is a risk that belongs to no one.
  8. Risk arises where work is done. Those doing the work are best placed to identify it.
  9. Maturity requires reflection. Regularly examine what is working, what is not, and why. Adjust accordingly.
  10. Do the right thing!

By following these principles, any organization can build information security management that enables the business, adapts to change, and is carried by everyone in it.

© 2026 Thinking Security Works