It refers to all the measures an organization takes to protect its sensitive information. It involves performing an information risk analysis, after which the organization decides what measures to take: physical security measures, protection of information regarding human resources, and security measures in the IT area, in order to restrict and protect access to the organization's information or to customer information held by the organization. The ISMS also covers, among other things, creating a business continuity framework in the event of a disaster, reporting security incidents, and complying with legal requirements (e.g. licensing all software used, setting passwords on workstations, protecting the archive and documents in physical or electronic format, etc.).
Approximately 60% of the requirements of the standard refer to measures protecting IT and communications equipment, since in any company most of the information is found in this environment.
Unlike ISO 20000, it applies to any organization, regardless of size and type of activity.