Data Protection Academy » Data Protection Wiki » Information Security Management System

ISMS Definition: What is an Information Security Management System?

ISMS Definition: What is an Information Security Management System?

An information security management system (ISMS) defines rules and methods for ensuring, reviewing and improving information security. Information security officers use the ISMS to control technical and organisational IT security measures and regularly monitor the implementation of the planned measures in accordance with the requirements of the ISO/IEC 2700x series of standards.

In the following article, you will find all the information you need on the information security management system, the distinction from the data protection management system, tips on implementing the ISMS and an overview of important norms and standards.

Key information about information security management systems

  • The information security management system is also known as an "ISMS"
  • When implementing an ISMS, the Information Security Officer plays an important role
  • An ISMS is oriented towards standards and norms such as ISO 2700x family and specifications of the BSI
  • The control of an ISMS is a continuous task and corresponds to a mangement process that is based on the PDCA cycle.

Whitepaper Guide to Managing the Compliance Field of Information Security

Whitepaper Information Security

In the Guide to Managing the Compliance Field of Information Security, you will find:

  • Get information on the Compliance management and to the Information Security
  • Learn who is responsible for the information security of your company is responsible.
  • Learn which Norms and standards  are relevant for information security
  • Including step-by-step explanation the implementation of an information security management system

The Information Security Management System

The information security management system is the responsibility of the company's management. The implementation of IT security measures includes the definition and rollout of security policies by the management. The management is supported in the development by information security officers, IT security officers and data protection officers. The standards defined in the ISMS must be implemented and adhered to in all areas of the organisation.

Often, the data protection management system and the information security management system are set up at the same time, as there are overlaps in content between the two management systems. A modern approach to implementing an ISMS is by means of Software-as-a-Service (SaaS) solutions, which actively support the information security officer in coordinating and controlling activities.

The difference between ISMS and DSMS

Data protection and information security belong together, but they differ in one essential point: information security, in comparison to data protection, does not focus on personal data. Thus, an ISMS cannot replace a DSMS or vice versa. Ideally, DSMS and ISMS are based on each other and complement each other in accordance with the principles set out in the following sections. Art. 35 and the 32 DSGVO described data protection requirements.

An ISMS is not sufficient to meet the data protection requirements, so no legal aspects are clarified, but mainly technical aspects. In addition, compliance with data protection requirements for the secure processing of personal data cannot be implemented by an ISMS alone, as all data is treated in the same way.

The link between data protection and information security

Data protection pursues the goal of protecting personal data from misuse and guaranteeing the right to informational self-determination on the part of those affected. In contrast, information security aims to guarantee the security of data in company systems by means of suitable technical and organisational measures and to ensure the confidentiality, availability and integrity of data. Whether data have a personal reference or not is not important in information security, as all data to be protected are treated equally. In practice, there is often an overlap between data protection and information security.

External Information Security Officer

You are welcome to contact us as external Information Security Officer (ISB) order. We also offer individual consulting services as well as audits in the area of information security. We will be happy to provide you with a non-binding offer. You can find more information about our external information security officers on our website.

The advantages of an information security management system

Increasing information security

An information security management system ensures that information of the company, of customers or of third parties is adequately protected. This involves protecting data from loss through technical errors as well as theft.

Maintaining the capacity to act

An essential component of an ISMS is the consideration of corporate processes and business continuity management. Every information security management system contains a contingency plan, which provides concrete schedules and measures for specific information security risks and security incidents. By creating a contingency plan, damage can be minimised and operations can be resumed as quickly as possible after an incident.

Competitive advantages through cost reduction

The structured implementation of an ISMS improves the profitability of your organisation and reduces costs in the long term. By planning measures, those responsible can set priorities according to the likelihood of certain risks occurring. As a result, resources are used more efficiently and investments are made in a coordinated manner at important points. Furthermore, an information security management system is adaptable to the size and structure of organisations. The use of an ISMS is profitable for companies and authorities as well as for SMEs. Auditing according to ISO 2700x standards also has positive effects on the external image and ensures trust among customers and business partners.

Fewer security incidents due to informed employees

Through the introduction of an ISMS, employees are actively informed about the topic of information security. The processes to be defined require joint design and cooperation between management and employees. In this way, employees develop a sensitivity for information security issues.

The role of the information security officer in the ISMS

The appointment of an information security officer is essential when implementing an ISMS. This officer is integrated into all ISMS processes and is the point of contact for all questions regarding information security. The information security officer works closely with the IT managers. He is the first point of contact for all questions regarding information security. The information security officer is appointed by the management and reports directly to it.

Establish and control information security management system (ISMS)

Standards such as the ISO 2700 family and the BSI's IT-Grundschutz help to design an ISMS and pay attention to all necessary security measures. The aim is to identify potential threats at an early stage and to avoid or minimise damage with suitable countermeasures. Since threats change over time, the standards view information security as a continuously adaptable process. This is accordingly dependent on certain factors such as - changes in the processes within a company, changed legal framework conditions, new threats, but also new technologies. In order to continuously improve the ISMS, the application of the PDCA cycle is recommended.

Implement ISMS tools using the PDCA cycle 

The PDCA cycle is part of the ISO 27001 standard and consists of four phases that help to continuously improve the ISMS.  Ihe Act phase is followed by the Plan phase. All phases are run through one after the other and the whole cycle repeats itself continuously.  

  • P

    Plan: Planning

    In this part of the cycle, the security policy, objectives, processes and procedures relevant to risk management and information security improvement are defined.

  • D

    D: Implementation

    Following the plan phase, the measures decided upon in the plan phase are implemented.

  • C

    Check: Review

    The measures are assessed in this phase for their effectiveness, appropriateness and the quality of the process performance.

  • A

    Act: Acting

    Functioning, effective processes can now be established as the standard, while those processes that were ineffective need to be reacted to.

The implementation of an ISMS

When implementing an ISMS, planning, implementation and maintenance are divided into individual process steps. An information security manual is recommended to document all guidelines and measures. The implementation of an information security management system is a complex process and can be carried out by means of the following steps:

The first step was to determine what the ISMS should do, which values and information should be protected and which areas of protection your ISMS should cover. This includes identifying the areas of application, boundaries and interfaces. Analyse the processes of your organisation and also consider access by employees, customers or third parties.

In the second step, a risk analysis must be carried out for each asset worth protecting, in which the risks within the scope of application are identified and assessed. The assessment is carried out by means of legal requirements or compliance guidelines. The probabilities of occurrence, confidentiality, integrity and availability as well as the damage scenarios in the event of occurrence are also considered. As part of the risk analysis, record and document which processes, hazards and risks are relevant for your organisation. At the end of the risk analysis, you will have an overview of which risks are acceptable and for which risks the probability of occurrence must be reduced through suitable measures.

Based on the classification and prioritisation of the risks, you can define which measures are to be taken. In doing so, it is important to record not only new measures but also measures that have already been implemented.

For each risk you can now select measures from the catalogue of measures. Define the goal of each measure and how its implementation can reduce the probability of occurrence or the damage caused by the risk. At the same time, define the persons responsible and the deadlines for implementation.

The defined measures are regularly checked for effectiveness by the information security officer; internal audits are particularly recommended for this purpose. If deficiencies or new risks are identified as a result of the audit, the ISMS will be adapted to the changed requirements.

Necessary norms and standards

The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) have more than 20 standards relevant to information security, which are grouped under the number 2700x. They describe the sub-areas of information security management or IT security.

Standards provide good support for the decision-making process. The most important security requirements as well as the corresponding measures are listed in the ISO/IEC 27001 standard in conjunction with ISO7IEC 27002. Alternatively or as a supplement, the BSI's basic protection concept can be used. Due to the strictly prescribed procedures with extreme detailing, orientation on this is associated with a very high level of effort.

When selecting the right standard, it is advisable to compare possible standards. Consider the question of applicability for your organisation; standards differ in terms of the organisational requirements for know-how in the implementation of the standard, the effort required for the development of a safety concept and the possibility of adapting the procedure to the specific needs of the company.

ISO 27001

This standard is of particular interest for information security management systems. It specifies requirements for the implementation, maintenance and continuous improvement of a documented ISMS, as well as requirements for the assessment of security risks. Companies can obtain certification according to ISO 27001.

ISO 27005

This standard is titled "Risk Analysis Management" and focuses on the assessment and management of risks. In this standard

  • detailed guidance on risk analysis,
  • Precise description of the process for establishing an efficient risk analysis
  • a detailed description of the individual process steps

BSI Basic IT Protection Compendium

The IT-Grundschutzkompendium of the Federal Office for Information Security comprises a comprehensive collection of texts. These texts are called "IT-Grundschutz-Bausteine" (basic IT protection modules) and each deal with all security-relevant aspects of a specific topic, such as ISMS. The requirements contained therein are divided into basic, standard and requirements for increased protection needs. In this way, companies can decide specifically and individually for themselves which level of protection should be achieved.

The IT-Grundschutz catalogue of the German Federal Office for Information Security (BSI) presents concepts for IT security.s for the implementation of ISMS. Assistance for the introduction, implementation and maintenance of the offers the BSI standard 100-1which is adapted to the international standard ISO/IEC 27001.  

BSI Standard 100 vs. 200

The BSI's "100 series" deals with the establishment of an ISMS as well as risk management. In October 2017, the series was completely replaced by the BSI standards 200-1, 200-2 and 200-3.

  • BSI 200-1 - "Management Systems for Information Security" describes the general requirements for an ISMS and is compatible with ISO/IEC 27001.
  • BSI 200-2 - The "IT-Grundschutz-Methodik" forms the basis for IT-Grundschutz. It contains three proven procedures for the realisation of IT-Grundschutz.
  1. Basic assurance: consider the introduction of an ISMS
  2. Core protection: Description of how a small part of a larger IT network can be covered by an ISMS.
  3. Standard safeguarding: description of a complete safeguarding process
  • BSI 200-3 - "Risk Management" - Bundling of all risk-related work steps for the implementation of IT-Grundschutz. This includes the identification of elementary hazards, the risk classification and the handling of risks.

To the overview page of the BSI IT-Grundschutz Compendium

Industry-specific security standards (B3S) of the BSI

The industry-specific security standards are standards developed by operators or their associations that provide information about the requirements and the state of the art to be implemented. The industry standards created are reviewed and recognised by the BSI upon request. They serve as a guide for organisations in the same industry. Based on the implementation of the B3S, organisations can prove to the BSI that the industry standards on the state of the art have been implemented. After the implementation of the respective B3S has been verified by the BSI, organisations gain legal certainty.

To the BSI's B3S overview page (external link)

ISMS audit and ISO 27001 audit

Regular audits of your information security system contribute to the optimisation of your information security. By means of an ISMS audit, the current status of your information security management is analysed and documented by our TÜV / DEKRA certified consultants in your company. Open measures are recorded, prioritised and recorded in a concrete action plan. Find out about the benefits, process and costs with Robin Data.

Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

Data protection and data security while working from home

What do employers and employees need to be aware of? Concrete tips on data protection and advice on data security.

Data protection in the USA - part 3 of the delegation visit

Data protection in the USA: How are start-ups supported in the USA and which cybersecurity companies are there.

Data protection in the USA - part 2 of the delegation visit

Data protection in the USA: Find out what role the GDPR plays at Microsoft and Amazon.