ISO/IEC 27001:2022 Foundation
I recently had a short gig at a local internet carrier where I came into contact with the topic of ISO/IEC 27001, which is fundamentally relevant to the protection of information.
Briefly, the standard deals with the implementation, maintenance, and continuous improvement of an Information Security Management System, abbreviated to ISMS. This system ensures that standard measures (‘controls’) are implemented so that information is safe.
I never fully understood how Risks, Controls, Processes, and Policies worked together in a unified way and how they fit into the bigger picture.