Which standard emphasizes the continuous improvement of an information security management system?

ISO/IEC 27001 is the standard that focuses on establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It is designed to help organizations protect their information systematically and cost-effectively, through the adoption of best practices in information security. The emphasis on continuous improvement aligns with the Plan-Do-Check-Act (PDCA) model, which is integral to the standard. This model encourages organizations to regularly assess and enhance their ISMS to adapt to evolving threats and business needs.

While other standards such as ISO/IEC 27002 offer guidelines on best practices and controls for managing information security risks, they do not specifically emphasize the continual improvement of an ISMS. ISO/IEC 27003 provides guidance for the implementation of an ISMS, and ISO/IEC 27004 focuses on the measurement of ISMS effectiveness, neither of which directly addresses the overarching continuous enhancement aspect as thoroughly as ISO/IEC 27001.