The most important things in a nutshell

  • An Information Security Management System (ISMS) describes policies, procedures and responsibilities with the goal of ensuring information security in an organization.
  • The growing importance of data, together with growing regulatory pressure on companies, not least because of data-driven business models, makes holistic protection of data unavoidable.
  • Drivers for implementation are customer requirements (TISAX®) or regulatory requirements for data protection.
  • The management of the company is responsible for the protection of data. Often, the responsibility is delegated to an (IT) security officer.
  • An ISMS does not replace a data protection management system (DSMS), but provides a very good basis for it.
  • When implementing an Information Security Management System, it is recommended to follow international standards such as ISO/IEC 27001.
Series: Information Security
  1. What is Information Security?
  2. Information Security Management Systems (ISMS)

What is an information security management system?

An Information Security Management System (ISMS) describes guidelines, procedures and responsibilities with the aim of permanently ensuring, controlling and continuously optimizing information security in a company.

An ISMS typically addresses the behavior and procedures of employees as well as the handling of data and technologies. It may be focused on a specific type of data, such as customer data.

An ISMS can be set up in accordance with the ISO 27001 standard, for example. This standard does not prescribe specific measures but contains objectives as well as suggestions for documentation, internal audits, continuous improvement and other topics. The supporting standard ISO/IEC 27002 and the VDA ISA question catalog for TISAX®, however, do contain concrete measures for implementing those objectives.

How does an ISMS work?

A functioning information security management system must accommodate ever-changing requirements. This follows from the simple observation that it is not enough to determine once which corporate assets are worth protecting and to establish guidelines, processes and procedures to protect them. A well-known method for continuous improvement is the PDCA cycle (also called the Deming cycle), which is familiar from ISO 9001 quality management.

Applied to information security, this results in a "wheel" that is in constant forward motion, reaching an ever-higher level of maturity over time through the continuous improvements that take place.

Planning (PLAN)

  • Planning of a new ISMS or planning of adaptations of an existing ISMS.
  • Coordination on the objectives, resources and the time window.
  • Definition & update of
    • Information Security Policy.
    • Risk identification & risk analysis (e.g. how do I assess the damage to the company if customer data becomes publicly available after a ransomware incident).
    • Action selection (how do I want to deal with the risks identified as problematic).
    • What residual risks remain after the selection of measures.

Implementation (DO) - ongoing ISMS operation

  • Implement the measures designed during the PLAN phase.
  • Awareness measures for the employees
  • Detect and handle security-related events (incident detection & incident response).

Check (CHECK)

  • Evaluate the ISMS through reports, audits, etc.
  • Testing allows statements to be made about the economic added value and about the strengths and weaknesses of the ISMS.

Maintain and Improve (ACT)

  • Implementing "lessons learned" continuously improves the information security management system.
  • Check whether the specified measures have also achieved the intended objectives.

Components of an ISMS


The minimum components of a fundamentally effective ISMS are defined responsibilities for information security, a security guideline approved by management, and an implementation and improvement process. The security guideline (also known as a security policy) defines the basic requirements for information security from the perspective of the company or organization.

Depending on the desired design, the ISMS can also be based on well-known standards such as the ISO/IEC 27001 series of standards, VDA ISA (TISAX®) or ISIS12. In such cases, the ISMS is usually also more comprehensive.

Who is responsible for information security?

Information security management is the responsibility of senior management. After approving an information security policy, specific implementation is usually delegated to employees such as IT security officers and data protection officers.

An important success factor when implementing an ISMS is the support of the company's management.

Obviously, "information security" cannot be introduced single-handedly by the IT department either. The selection and implementation of appropriate information security measures is always teamwork and can only succeed through collaboration between business departments, IT and those responsible for IT security.

Why is an information security management system important?

Nowadays, companies not only store and process information about products and developments, but often also a large amount of data about their own customers. This includes behavioral analysis, personal information, credit card and payment data, information about health and much more.

The increasing collection of corporate data in recent years, as well as the growing threat of cyberattacks and data breaches, have led to significant advances in corporate information security management. The current data protection requirements (DSGVO / EU GDPR), with their considerable range of penalties, have also played their part.

What are the benefits of an information security management system?

A holistic, preventive approach to ensuring information security offers several benefits to businesses and organizations:

Company-wide protection of sensitive information

An ISMS ensures that the organization's own information assets, as well as data of customers or third parties, are adequately protected against all threats.

Higher stability of business processes

By making information security an integral part of business processes through an ISMS, organizations can minimize their information security risks. This prevents security incidents from causing disruptions.

Meeting customer compliance requirements

Quite extensive compliance requirements now apply in many sectors, whether in finance, critical infrastructures (KRITIS) or the automotive industry with TISAX® / VDA ISA. Non-compliance with legal and contractual regulations can result in penalties or even exclusion from contract awards. With an ISMS, companies ensure that they comply with all regulatory and contractual requirements, which gives them greater operational and legal certainty at the same time.

Improved efficiency and cost reduction

With centralized coordination and a risk-based action plan, an ISMS can help prioritize scarce human and financial resources. After the initial additional expense, costs can be reduced in the long run.

What is ISMS certification (BSI IT-Grundschutz, ISO 27001, TISAX, KRITIS)?

By certifying their ISMS, companies can demonstrate secure handling of sensitive information to third parties. This contributes to a better external image and trust-building, which in turn means a competitive advantage.

The establishment of an ISMS is also required by regulatory requirements, such as Section 91 (2) of the German Stock Corporation Act (AktG), the IT Security Act, Basel II, MaRisk or the General Data Protection Regulation. In the case of critical infrastructures (KRITIS), the IT Security Act requires certification of facilities that are of high importance.

For this purpose, there are industry-independent certifications such as ISO/IEC 27001, ISO/IEC 27001 based on IT-Grundschutz, or KRITIS. TISAX® for the automotive industry is an example of an industry-specific label.

Both for certification of the ISMS according to ISO/IEC 27001 and for an assessment for a TISAX® label, the ISMS is audited. An external audit checks whether the information security management system meets all the requirements necessary for the respective certification.

Example of an ISMS


Using RECPLAST GmbH, a fictitious medium-sized example company, the BSI has created reference documents for the introduction and operation of an ISMS based on the BSI standard IT-Grundschutz.

With an ISMS, do I still need a data protection management system?

While an ISMS fundamentally helps protect information, it does not necessarily also meet regulatory data protection requirements regarding the processing of personal data. Information security and data protection pursue similar protection goals, yet an ISMS does not replace a data protection management system (DSMS).

Ideally, however, a DSMS builds on an ISMS and extends it technically as well as organizationally in accordance with the data protection requirements (Art. 25 and 32 DSGVO). Close cooperation between information security officers and data protection officers is advantageous for this purpose.

What are the key steps to implementing an information security management system?

The following steps should be followed for efficient and effective implementation of an ISMS:

Determine the scope


One of the first steps is to clarify what the ISMS should accomplish. To do this, management must define the framework, scopes, objectives and boundaries of the ISMS in a security guideline.

Identify the corporate assets worth protecting


What assets should be protected by the ISMS? These can be customer data, company data, source code, tangible assets such as computers, but also intangible assets such as employee qualifications, skills and experience. The focus is on important and business-critical values that are crucial to the success of the company.

Identifying and assessing risks


For each asset worth protecting, potential risks must be identified. For example, organizations should ask what the impact of the risk would be if confidentiality, integrity and availability were breached. Finally, this results in an assessment of which risks are still acceptable to the company based on the expected extent of damage and which must absolutely be reduced or eliminated.

Determining measures


Based on the preceding risk assessment, appropriate and realistic technical and organizational measures for risk reduction or risk avoidance must be selected and implemented.

Implementation of measures


The defined measures should now be translated into operational reality. If possible, the measures should be measurable, for example by defining KPIs (key performance indicators).

With the steps described so far, preparations for ISMS operation are largely complete, and the ISMS can now move into its control loop.

Verify effectiveness

The measures adopted and implemented must be continuously monitored and regularly checked for effectiveness.


If deficiencies are found in the implemented measures, or new risks are identified, the ISMS process must be run through again.

In this way, the ISMS can be continuously adapted to changing conditions or requirements and information security in the company can be continuously improved.
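The procedure above (identify assets, assess risks per protection goal, decide on treatment, implement measures, verify effectiveness) and the PDCA control loop from the earlier section, as an added worked example in Python that is not part of the original article. The four-step impact and likelihood scales, the scoring rule (worst protection-goal impact times likelihood), the acceptance threshold, the sample risk register and the KPI targets are all constructed assumptions; a real ISMS takes them from its own security guideline and risk methodology.

```python
"""Worked risk assessment and effectiveness check for an ISMS control loop.

Added example, not code from the original article. Scales, threshold,
assets and KPI targets are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed four-step qualitative scales (constructed for this example).
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD_SCALE = {"rare": 1, "possible": 2, "likely": 3, "frequent": 4}

# Assumed acceptance threshold from a hypothetical security guideline:
# a risk score at or below this value may be accepted as residual risk.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    asset: str                       # corporate asset worth protecting
    scenario: str                    # what could go wrong
    impact: Dict[str, str]           # damage if confidentiality / integrity / availability is breached
    likelihood: str                  # before any additional measures
    measures: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None          # expected once measures are in place
    residual_impact: Optional[Dict[str, str]] = None   # expected once measures are in place


def risk_score(impact: Dict[str, str], likelihood: str) -> int:
    """Score = worst protection-goal impact x likelihood (assumed scoring rule)."""
    worst = max(IMPACT_SCALE[level] for level in impact.values())
    return worst * LIKELIHOOD_SCALE[likelihood]


def treatment(score: int) -> str:
    """Decide whether a score is acceptable under the assumed threshold."""
    return "accept" if score <= ACCEPTANCE_THRESHOLD else "reduce"


def assess(register: List[Risk]) -> List[dict]:
    """PLAN phase: inherent score, treatment decision and residual score for each entry."""
    results = []
    for r in register:
        inherent = risk_score(r.impact, r.likelihood)
        decision = treatment(inherent)
        if decision == "reduce":
            residual = risk_score(r.residual_impact or r.impact,
                                  r.residual_likelihood or r.likelihood)
        else:
            residual = inherent
        results.append({
            "asset": r.asset,
            "scenario": r.scenario,
            "inherent": inherent,
            "treatment": decision,
            "measures": list(r.measures),
            "residual": residual,
            # False means the chosen measures are not enough: another PLAN round is needed
            "residual_acceptable": residual <= ACCEPTANCE_THRESHOLD,
        })
    return results


def verify_effectiveness(kpis: Dict[str, float], targets: Dict[str, float]) -> List[str]:
    """CHECK phase: names of KPIs whose measured value is below target (each triggers ACT)."""
    return sorted(name for name, target in targets.items() if kpis.get(name, 0.0) < target)


# Constructed sample register for a fictitious company.
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware with data exfiltration",
         {"confidentiality": "critical", "integrity": "high", "availability": "medium"},
         "possible",
         measures=["offline backups", "MFA for admin access", "network segmentation"],
         residual_likelihood="rare"),
    Risk("marketing website", "defacement",
         {"confidentiality": "low", "integrity": "medium", "availability": "medium"},
         "likely"),
    Risk("source code repository", "credentials committed to the repository",
         {"confidentiality": "high", "integrity": "critical", "availability": "medium"},
         "likely",
         measures=["pre-commit secret scanning", "short-lived deployment tokens"],
         residual_likelihood="possible"),
]

# Constructed KPI measurements and targets for the CHECK phase.
SAMPLE_KPIS = {"backup_restore_tests_passed": 0.75, "mfa_coverage_admins": 1.0,
               "secret_scan_findings_closed_within_sla": 0.6}
SAMPLE_TARGETS = {"backup_restore_tests_passed": 0.9, "mfa_coverage_admins": 1.0,
                  "secret_scan_findings_closed_within_sla": 0.95}

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
    print("KPIs below target:", verify_effectiveness(SAMPLE_KPIS, SAMPLE_TARGETS))
```

With the constructed register, the customer database scores 8 and is reduced to an acceptable 4, the website scores 6 and is accepted as is, and the repository scores 12 but is only reduced to 8, so its treatment has to go back into the PLAN phase. Two of the three KPIs miss their targets and therefore feed the ACT phase. The point of keeping the numbers in a structure rather than a spreadsheet is that the acceptance rule and the re-planning trigger are explicit and repeatable every time the loop runs.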

What can companies look to for guidance when implementing an ISMS?

Greenfield or best-practice approach? Established standards such as the ISO 27000 family can be helpful when implementing the necessary security measures.

An ISMS developed according to these standards makes it possible to identify risks at an early stage and to minimize them by means of tailor-made countermeasures. This enables companies to achieve the primary protection goals of confidentiality, availability and integrity of the managed information. Afterwards, certification according to ISO 27001 or a TISAX® label is relatively easy to achieve.

SMEs and small municipalities can also be guided by the simplified standard ISIS12 when setting up an ISMS. It consists of a pragmatic twelve-step plan.

Why is an ISMS not a software product?

An information security management system is composed of responsibilities within the company or organization, as well as policies, standards and processes.

Of course, there are IT-based ISMS tools that simplify the daily work with the ISMS. Any search engine will unearth a myriad of solutions and tools, for example tools for the software-supported execution of risk management processes or for the management of internal corporate security policies.

Experience has shown that a set of good and proven templates is very valuable for a new ISMS and can greatly accelerate its implementation. Likewise, a software-supported approach to risk management is highly recommended. Whether further tools are needed can no longer be answered in general terms.

In any case, it is advisable to take a brief look at the tools currently available.

Nevertheless, an ISMS is a management system for information security, and that is, by its very nature, not software.
