Information Security Management Systems (ISMS)

An Information Security Management System (ISMS) defines methods to ensure information security in an organisation.

Information Security Management System (ISMS)

The most important things in a nutshell

  • An Information Security Management System (ISMS) describes policies, procedures and responsibilities with the goal of ensuring information security in an organization.
  • The increasing importance of data and equally increasing regulatory pressure in companies not least due to data-driven business models makes a holistic protection of data inevitable
  • Drivers for implementation are customer requirements (TISAX®) or regulatory requirements for data protection.
  • The management of the company is responsible for the protection of data. Often, the responsibility is delegated to an (IT) security officer.
  • An ISMS does not replace a DSM, but provides a very good basis for it.
  • When implementing an Information Security Management System, it is recommended to follow international standards such as ISO/IEC 27001.
Serie Informationssicherheit

What is an information security management system?

An Information Security Management System (ISMS, engl. Information Security Management System) describes guidelines, procedures and responsibilities with the aim of permanently ensuring, controlling and continuously optimizing information security in a company.

An ISMS typically addresses the behavior and procedures of employees as well as With data and technologies. It may be focused on a specific type of data focused, such as customer data.

An ISMS can be set up in accordance with the ISO 27001 standard, for example. This does not prescribe any specific measures but contains goals as well as suggestions for documentation, internal audits, continuous improvement and other improvement and other topics. Admittedly, the supporting standard ISO/IEC 27002 or also the VDA/ISA question catalog for TISAX very well contain concrete measures for implementing the goals.

How does an ISMS work?

A functioning information security management system must accommodate ever-changing requirements. This follows from the simple observation that it is not enough to determine once what corporate assets are worth protecting and establish guidelines, processes and procedures to protect them. A well-known method for continuous improvement is the PDCA cycle (also called the Deming cycle), which is familiar from ISO 9001 quality management.)

Applied to information security, this results in a “wheel” that is in constant forward motion, reaching an ever-higher level of maturity over time through the continuous improvements that take place.

Planning (PLAN)

  • Planning of a new ISMS or planning of adaptations of an existing ISMS.
  • Coordination on the objectives, resources and the time window.
  • Definition & update of
  • Information Security Policy.
  • Risk identification & risk analysis (e.g. how do I assess the damage to the company if customer data becomes publicly available after a ransomware incident).
  • Action selection (how do I want to deal with the risks identified as problematic).
  • What residual risks remain after the selection of measures

Implementation (DO) – ongoing ISMS operation

  • Implement the measures designed during the PLAN phase.
  • Awareness measures for the employees
  • Detect and handle security-related events (incident detection & incident response).

Check (CHECK)

  • Evaluate the ISMS through reports, audits, etc.
  • Through moderate testing, quality statements about the economic added value, the strengths and weaknesses of the ISMS can be recorded.

Maintain and Improve (ACT)

  • Implementing “lessons learned” continuously improves the information security management system.
  • Check whether the specified measures have also achieved the intended objectives.

Components of an ISMS

Minimum components of a fundamentally effective ISMS should be defined responsibilities for information security, a security guideline approved by management with an implementation and improvement process. The security guideline (also known as security policy) defines basic requirements for information security from the perspective of the company or organization.

Depending on the desired design, the ISMS can also be based on well-known standards such as the ISO/IEC 27001 series of standards, VDA/ISA (TISAX®) or ISIS12 . In such cases, however, an ISMS is then also often more comprehensive.

Do you need an ISMS?

Let’s talk about it today!

Who is responsible for information security?

Information security management is the responsibility of senior management. After approving an information security policy, specific implementation is usually delegated to employees such as IT security officers and data protection officers.

An important success factor when implementing an ISMS is the support of the company’s management.

Obviously, “information security” cannot be introduced single-handedly by the IT department either. the selection and implementation of appropriate information security measures is always teamwork. This can only succeed through collaboration between business departments, IT and those responsible for IT security.

Why is an information security management system important?

Nowadays, companies not only store and process information about products and developments, but often also a large amount of data about their own customers. This includes behavioral analysis, personal information, credit card and payment data, information about health and much more.

The increasing collection of corporate data in recent years, as well as the growing threat of cyberattacks and data breaches, have led to significant advancements in the area of corporate information security management. Not entirely uninvolved are also the current requirements for data protection (DSGVO, EU-GDPR) with a considerable range of penalties.

What are the benefits of an information security management system?

A holistic, preventive approach to ensuring information security offers several benefits to businesses and organizations:

Company-wide protection of sensitive information

. An ISMS ensures that own information assets as well as data of customers or third parties, are adequately protected against all threats.

Higher stability of business processes

. By making information security an integral part of business processes through an ISMS, organizations can minimize their information security risks. This prevents security incidents from causing disruptions.

Meeting customer compliance requirements

. Quite extensive compliance requirements now apply in many sectors, whether in finance, critical infrastructures (KRITIS) or even the automotive industry with TISAX® / VDA-ISA. Non-compliance with legal and contractual regulations can result in penalties or even the exclusion from expiring contract awards. With an ISMS, companies ensure that they comply with all regulatory and contractual requirements, giving them greater operational and legal certainty at the same time.

Improved efficiency and cost reduction

. With centralized coordination and a risk-based action plan, an ISMS can help prioritize scarce human and financial resources. After an initial cost overrun, costs can be reduced in the long run.

What is ISMS certification (BSI IT-Grundschutz, ISO 27001, TISAX, KRITIS)?

By certifying their ISMS, companies can demonstrate secure handling of sensitive information to third parties. This contributes to a better external image and trust-building, which in turn means a competitive advantage.

The establishment of an ISMS is also required by regulatory requirements, such as Section 91 (2) of the German Stock Corporation Act (AktG), the IT Security Act, Basel II, MaRisk or the General Data Protection Regulation. In the case of critical infrastructures (KRITIS), the IT Security Act requires certification of facilities that are of high importance.

For this purpose, there are both industry-independent certifications such as ISO/IEC 27001, ISO/IEC 27001 based on IT-Grundschutz or KRITIS. As an example of an industry-dependent label, TISAX® for the automotive industry should be mentioned.

A certification of the ISMS according to ISO/IEC 27001, but also in an assessment for a TISAX® label, the ISMS is always audited. This involves an external audit to check whether the information security management system meets all the requirements necessary for the respective certification.

Example of an ISMS

The BSI has used a medium-sized, but fictitious, example company, the RECPLAST GmbH, reference documents for the introduction and operation of an ISMS based on the BSI standard IT-Grundschutz.

With an ISMS, do I still need a data protection management system?

While an ISMS fundamentally helps protect information, it does not necessarily also meet regulatory data protection requirements regarding the processing of personal data. Information security and data protection do attempt to achieve similar protection goals, yet an ISMS does not replace a data protection management system (DMS).

Ideally, however, a DSMS builds on an ISMS and extends it technically as well as organizationally in accordance with the data protection requirements (Art. 25 and 32 DSGVO). Close cooperation between information security officers and data protection officers is advantageous for this purpose. and data protection officers.

What are the key steps to implementing an information security management system?

The following steps should be followed for efficient and effective implementation of an ISMS:

Determine the scope

One of the first steps is to clarify what the ISMS should accomplish. To do this, management must define the framework, scopes, objectives and boundaries of the ISMS in a security guideline.

Identify the corporate assets worth protecting

What assets should be protected by the ISMS? These can be customer data, company data, source code, tangible assets such as computers, but also intangible assets such as employee qualifications, skills and experience. The focus is on important and business-critical values that are crucial to the success of the company.

Identifying and assessing risks

For each asset worth protecting, potential risks must be identified. For example, organizations should ask what the impact of the risk would be if confidentiality, integrity and availability were breached. Finally, this results in an assessment of which risks are still acceptable to the company based on the expected extent of damage and which must absolutely be reduced or eliminated.

Determining measures

Based on the preceding risk assessment, appropriate and realistic technical and organizational measures for risk reduction or risk avoidance must be selected and implemented.

Implementation of measures

The defined measures should now be translated into operational reality. If possible, the measures should be measurable, for example by defining KPIs (key performance indicators).

With the actions shown so far, preparations for ISMS operations are already very far advanced and can now be transferred to the ISMS control loop.

Verify effectiveness

The measures adopted and implemented must be continuously monitored and regularly checked for effectiveness.

Improve

If deficiencies are found in the implemented measures, or even new risks are identified – the ISMS process must be run through again.

In this way, the ISMS can be continuously adapted to changing conditions or requirements and information security in the company can be continuously improved.

What can companies look to for guidance when implementing an ISMS?

Greenfield or best-practice approach? Established standards such as the ISO 27000 family can be helpful when implementing the necessary security measures.

An ISMS developed according to these standards makes it possible to identify risks at an early stage and to minimize them by means of tailor-made countermeasures to minimize them. This enables companies to achieve the primary protection goals of confidentiality, availability and integrity of managed information. Afterwards, certification according to ISO 27001 or a TISAX®-label is relatively easy to achieve.

SMEs and small municipalities, can also be guided by the simplified standard ISIS12 when setting up an ISMS. This consists of a pragmatic twelve-step plan.

Why is an ISMS not a software product?

An information security management system is composed of responsibilities within the company or organization, as well as policies, standards and processes.

Of course, there are IT-based ISMS tools that simplify the daily work with the ISMS. Any search engine will unearth a myriad of solutions and tools. For example, tools for the software-supported execution of risk management processes or the management of internal corporate security policies.

Experience has shown that a set of good and proven templates for a new ISMS is very valuable and can greatly accelerate the implementation of an ISMS. Likewise, a software-supported approach to risk management is highly recommended to everyone. It is no longer easy to say in general terms whether further helpers are needed.

In any case, it is advisable to take a brief look at the tools currently available.

Nevertheless, an ISMS is a management system for information security – and this is, by its very nature, not software.

Frequently asked questions

An information security management system (ISMS) is a framework of policies, procedures and responsibilities with which an organization permanently manages, ensures and continuously improves information security. It protects the confidentiality, integrity and availability of data, usually based on standards such as ISO/IEC 27001.

The leading international standard for an ISMS is ISO/IEC 27001. It defines goals and requirements but does not prescribe specific measures. ISO/IEC 27002, the BSI IT-Grundschutz, the VDA/ISA catalogue (TISAX®) and ISIS12 provide concrete measures or simplified approaches in addition.

An ISMS works according to the PDCA cycle (Plan-Do-Check-Act, also called the Deming cycle): risks and measures are planned, implemented, reviewed and continuously improved. This allows the ISMS to adapt to new threats and reach an ever-higher level of maturity over time.

An ISMS is not mandatory for every company, but it is required by regulations such as the IT Security Act (for KRITIS operators), Section 91 (2) AktG, MaRisk, or customer requirements like TISAX®. In many industries it is effectively a precondition for winning contracts or proving compliance.

No. An ISMS protects information comprehensively but does not automatically meet the data protection requirements of the GDPR. Ideally, a data protection management system (DSMS) builds on an ISMS and extends it technically and organizationally in line with Art. 25 and 32 GDPR.

Responsibility for information security lies with senior management. Operational implementation is usually delegated to an IT security officer and the data protection officer. Effective information security only succeeds as teamwork between business departments, IT and those responsible for security.

Have we sparked your interest?

Just give us a call or write us a message!

You can reach us by phone or via our contact form. We look forward to hearing from you!

Your request

Data protection

Related content

CIS Controls - A Quick Overview of CIS Controls

CIS Controls – A Quick Overview of CIS Controls

The CIS Critical Security Controls (CIS Controls) are a prioritized list of protective measures to defend against the most common cyber attacks on IT systems.

What is Information Security?

What is Information Security?

Information security is intended to ensure the confidentiality, integrity and availability of information. The information can be available on IT systems or in non-digital form.

CVSS (Common Vulnerability Scoring System)

CVSS (Common Vulnerability Scoring System)

The CVSS Score provides a numerical representation (0.0 to 10.0) of the severity of a security vulnerability in IT. We explain how the Common Vulnerability Scoring System works, how CVSS should be…

NTLM Authentication

NTLM Authentication

In this article, we explain what NTLM authentication is, how it works, and how it can be exploited by attackers.

Top 10 Vulnerability Scanners for 2026

Top 10 Vulnerability Scanners for 2026

Vulnerability scanners are automated tools that organisations can use to monitor their networks, systems and applications for security weaknesses. Vulnerability scanning is a best practice in…

Need to Know Principle

Need to Know Principle

The need-to-know principle describes a security objective for confidential information. Access should only be granted to a user if the information is immediately needed to perform a task.

Endpoint Security

Endpoint Security

Endpoint security comprises technologies and measures that protect end devices such as laptops, servers, smartphones and IoT devices against cyber threats.

What is MITRE ATT&CK?

What is MITRE ATT&CK?

The MITRE ATT&CK Framework is a continuously updated knowledge base consisting of cyber attacker tactics and techniques across the attack lifecycle.

Proxy Server

Proxy Server

A proxy server works as an intermediary between two IT systems. Proxy servers offer different functionalities, improved security and optimised data protection depending on the application, need or…

Cybersecurity concept in 8 steps

Cybersecurity concept in 8 steps

A cybersecurity security concept refers to guidelines that are intended to ensure IT security in the company. It is about ensuring the availability, integrity and confidentiality of company data,…

Buffer Overflow

Buffer Overflow

A buffer overflow is a programming error that can be exploited by hackers to gain unauthorized access to IT systems. It is one of the best-known security vulnerabilities in software, yet it is…

Attack Vector and Attack Surface

Attack Vector and Attack Surface

An attack vector is a way for attackers to penetrate a network or IT system. Typical attack vectors include…

Authentication: Differences to authorisation

Authentication: Differences to authorisation

Authentication and authorization are two words used in IT-Security. They might sound similar but are completely different from each other. Authentication is used to authenticate someone’s identity…

What is data security? Standards & Technologies

What is data security? Standards & Technologies

Data security is an important topic for all companies and authorities. Learn more about threats, measures and the legal framework here.