The ISMS will bring information security under firm management control, allowing direction and improvement where needed. Better information security will reduce the risk (probability of occurrence and/or adverse impacts) of incidents, cutting incident-related losses and costs.