Which standard outlines the steps to create an Information Security Management System (ISMS)?

Prepare for the WGU C838 Managing Cloud Security Exam. Study effectively with flashcards and multiple-choice questions, complete with hints and explanations. Ensure your success with this comprehensive preparation guide.

The standard that outlines the steps to create an Information Security Management System (ISMS) is ISO/IEC 27001:2013. This standard provides a comprehensive framework for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organization's overall business risks.

ISO/IEC 27001:2013 focuses on risk management and the requirements for creating an ISMS, including policies, procedures, and controls necessary to manage sensitive company information systematically. It aims to protect the confidentiality, integrity, and availability of information by applying a risk management process.

The standard also specifies requirements for assessing and treating information security risks in a way that is tailored to the organization (detailed risk-management guidance is given in the companion standard ISO/IEC 27005), making it a critical resource for organizations looking to improve their information security practices. The 2013 revision restructured the standard around the common ISO management-system clause structure (Annex SL) and updated the Annex A control set to reflect changes in the technological landscape and contemporary security challenges.

In contrast, ISO/IEC 27001:2005 is the earlier edition that the 2013 revision replaced, and it lacks the improvements and clarifications made in 2013. There is no ISO/IEC 27001:2011 edition, so that option is a distractor. Among the options given, the 2013 edition is therefore the correct choice. Note that ISO/IEC 27001:2013 has since been superseded by ISO/IEC 27001:2022, which keeps the same ISMS clause structure but realigns Annex A with the reorganized control set of ISO/IEC 27002:2022.
