With the widespread dissemination of Information Technology in enterprises and households in the mid-90s, discussions began on how to manage it. Meanwhile, in the area of enterprise security management systems worldwide, enforced use of the Deming cycle initially worked against the implementation of policies. Standard management systems include ISMS (Information Security Management System) as specified in ISO 27001, BCM (Business Continuity Management System) as specified in BS 25999, and ITSM (Information Technology Service Management System) as specified in ISO 20000. In contrast to policies, these best-practice management systems continue to operate today with no formal method. Management systems have, however, some advantages that policies do not have. In this chapter, the authors present possible uses of policies with respect to management systems and identify potential applications. Furthermore, the authors present a field study, cited here, which highlights the advantages of management systems in practice. Moreover, this chapter shows how a formal description of an information security management system can be created by means of discrete-event systems theory and how an objective function for management systems can be defined.