  • Industry News
  • Management, Awareness and Compliance

How do I find a suitable information security management system for my company?

An Information Security Management System (ISMS) is used to control and optimise information security. For companies of practically all sizes, it makes sense to use an ISMS to determine rules and procedures on how to implement protection against attackers and data leakage. But which of the different systems is the right one? Standards and norms play a key role, but not every approach is right for every organisation. Finding the right one is a challenge. What do experts advise?

An ISMS is a helpful building block for IT security. How important are norms and standards in selecting the right one?

Even the term Information Security Management System (ISMS) sounds unwieldy. For some companies it is compulsory, many others would like to have one and still others shy away from it. Depending on industry and law, an organisation may even have to operate a certified ISMS.

  • Motivation and objective for the introduction of an ISMS are crucial.
  • Smaller companies should use less complex systems.
  • The important ISMS standard ISO/IEC 27001 is currently being revised.

Depending on the industry and the size of the company, an organisation may be obliged to operate an Information Security Management System (ISMS). An ISMS is not a software product, although it can be supported by software. Rather, it defines the rules, methods and procedures a company uses to control and improve its information security.

Standards and norms, such as the German BSI-Grundschutz or the ISO/IEC 27000 series, play an important role here. The term itself is discussed in the standards ISO/IEC 27001 and ISO/IEC 27002. It quickly becomes clear that an ISMS is complex, and many companies feel overwhelmed by it. Even the choice of a suitable system is a major challenge for some. We asked experts how to proceed.


Different approaches possible

When introducing an ISMS, motivation and objective must be taken into account, recommends Michael Weirich, Project Manager IT Security at the Association of the Internet Economy, eco:

For the selection of a suitable information security management system, the motivation to introduce it is decisive. In advance, the company management must clarify which target is to be achieved with the ISMS and which areas or business processes are to be covered. The scope of application must be clearly defined in the conception phase. It must also be taken into account whether the company is introducing the ISMS due to legal obligations or whether business partners insist on certain certifications.

Furthermore, different standards or guidelines apply to different sectors, which must be observed, because they might influence the selection of a suitable information security management system. Once the objectives have been defined, you can determine the framework in which you want to operate, for example CISIS12, the ISO 2700x series, BSI-Grundschutz or TISAX, and select your ISMS based on the criteria you have defined.

Robert Couronné heads the cybersecurity thematic platform at the Bavarian Society for Innovation and Knowledge Transfer, Bayern Innovativ. He recommends less complex systems for smaller companies:

If a company wants to make cyber security sustainable, it can hardly avoid an ISMS. However, the fit of ISMS systems with regard to the requirements and available CS resources must be carefully examined. What the BSI defines in Grundschutz as basic protection far exceeds the possibilities of many companies. There are less complex ISMS approaches that also make sense for SMEs, for example ISIS12, developed by the IT Security Cluster in Regensburg.

Sector-specific systems can be further differentiated and are often more complex. More and more, certification is also a requirement. An elaborate but only half-heartedly created and operated ISMS can be worse for real cyber security than a simple one where everyone is fully behind it. On the other hand, more and more companies are required to comply with cyber security standards, as is currently the case with the EU's Cybersecurity Act. Here, the ISMS must of course fulfill the requirements.

Marc Fliehe, Head of Digitalisation and Education at the TÜV Association, points to the ongoing revision of the important ISMS standard ISO/IEC 27001:

Decisive for the selection of the appropriate ISMS is the context in which the company operates. In some cases, there are industry or customer-specific requirements, for example TISAX for automotive suppliers, which have to be taken into consideration. Likewise, legal requirements may dictate a certain direction in which a company must move.

Fortunately, there are several standards on the market that can help build an ISMS and offer a methodical approach. Some standards are already very well established and are usually regularly adapted to current developments. Currently, the leading international standard for information security management systems, ISO/IEC 27001, is being revised. The responsible committees have reacted to current developments and to the feedback they received on the handling of the standard. The current version is about to be published.


Better identification of threats to data and IT systems

There is no one-size-fits-all solution. Depending on the size of the company, the sector, the motivation and the objective, different approaches are used. Ultimately, an ISMS should help a company to recognise threats to its data and IT systems earlier, to identify opportunities for improvement and to take appropriate measures. Tools for the software-supported implementation of risk management processes or for administering internal security guidelines can support this, but they do not replace the ISMS itself.
