
ISMS Definition: What is an Information Security Management System?

An information security management system (ISMS) defines rules and methods for ensuring, reviewing and improving information security. Information security officers use the ISMS to control technical and organisational IT security measures and regularly monitor the implementation of the planned measures in accordance with the requirements of the ISO/IEC 2700x series of standards.

In the following article, you will find all the information you need on the information security management system, the distinction from the data protection management system, tips on implementing the ISMS and an overview of important norms and standards.

Key information about information security management systems

  • The information security management system is also referred to as an "ISMS"
  • When implementing an ISMS, the information security officer plays a central role
  • An ISMS is oriented towards standards such as the ISO/IEC 2700x family and the BSI's IT-Grundschutz specifications
  • Operating an ISMS is a continuous task and corresponds to a management process based on the PDCA cycle

Whitepaper: Managing the compliance field of information security digitally

In the white paper "Managing the compliance field of information security digitally" you will find:

  • Information on compliance management and information security
  • Responsibilities and interfaces for information security in the organisation
  • Norms and standards for information security
  • A step-by-step explanation of the implementation of an information security management system

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

The Information Security Management System

The information security management system is the responsibility of the company's management. The implementation of IT security measures includes the definition and rollout of security policies by the management. The management is supported in the development by information security officers, IT security officers and data protection officers. The standards defined in the ISMS must be implemented and adhered to in all areas of the organisation.

Often, the data protection management system and the information security management system are set up at the same time, as there are overlaps in content between the two management systems. A modern approach to implementing an ISMS is by means of Software-as-a-Service (SaaS) solutions, which actively support the information security officer in coordinating and controlling activities.

The difference between ISMS and DSMS

Data protection and information security belong together, but they differ in one essential point: information security, unlike data protection, does not focus on personal data. An ISMS therefore cannot replace a DSMS (data protection management system), nor vice versa. Ideally, DSMS and ISMS build on and complement each other in accordance with the principles set out in the following sections. The data protection requirements are described in particular in Art. 32 (security of processing) and Art. 35 (data protection impact assessment) GDPR (DSGVO).

An ISMS alone is not sufficient to meet data protection requirements: it addresses primarily technical and organisational aspects and does not settle the legal questions (lawfulness of processing, data subject rights, retention periods). In addition, an ISMS treats all data in the same way regardless of whether it is personal data, so the specific requirements for the secure processing of personal data cannot be satisfied by an ISMS by itself.

The link between data protection and information security

Data protection pursues the goal of protecting personal data from misuse and guaranteeing the data subjects' right to informational self-determination. Information security, in contrast, aims to secure the data in company systems by means of suitable technical and organisational measures and to ensure the confidentiality, integrity and availability of that data. Whether or not data relate to an identifiable person is irrelevant in information security, as all data to be protected are treated equally. In practice, the two fields overlap considerably: the technical and organisational measures required by Art. 32 GDPR are typically the controls an ISMS already defines and monitors.

Engage Robin Data's experts as your ISB (information security officer)

Appointment of our external information security officers: vulnerability audit, definition and implementation of an action plan, determination of protection needs. Reduce your liability risks!

The advantages of an information security management system

Increasing information security

An information security management system ensures that information of the company, of customers or of third parties is adequately protected. This involves protecting data from loss through technical errors as well as theft.

Maintaining the capacity to act

An essential component of an ISMS is the consideration of corporate processes and business continuity management. Every information security management system contains a contingency plan, which provides concrete schedules and measures for specific information security risks and security incidents. By creating a contingency plan, damage can be minimised and operations can be resumed as quickly as possible after an incident.

Competitive advantages through cost reduction

The structured implementation of an ISMS improves the profitability of your organisation and reduces costs in the long term. By planning measures, those responsible can set priorities according to the likelihood of certain risks occurring. As a result, resources are used more efficiently and investments are made in a coordinated manner at important points. Furthermore, an information security management system is adaptable to the size and structure of organisations. The use of an ISMS is profitable for companies and authorities as well as for SMEs. Auditing according to ISO 2700x standards also has positive effects on the external image and ensures trust among customers and business partners.

Fewer security incidents due to informed employees

Through the introduction of an ISMS, employees are actively informed about the topic of information security. The processes to be defined require joint design and cooperation between management and employees. In this way, employees develop a sensitivity for information security issues.

The role of the information security officer in the ISMS

The appointment of an information security officer is essential when implementing an ISMS. This officer is integrated into all ISMS processes, works closely with the IT managers and is the first point of contact for all questions regarding information security. The information security officer is appointed by the management and reports directly to it.

Establish and control information security management system (ISMS)

Standards such as the ISO/IEC 2700x family and the BSI's IT-Grundschutz help to design an ISMS and to cover all necessary security measures. The aim is to identify potential threats at an early stage and to avoid or minimise damage with suitable countermeasures. Since threats change over time, the standards treat information security as a continuously adapted process. It depends on factors such as changes in the processes within a company, changed legal framework conditions, new threats and new technologies. To improve the ISMS continuously, the application of the PDCA cycle is recommended.

Implement ISMS tools using the PDCA cycle 

The PDCA cycle underlies the ISO/IEC 27001 standard (the 2005 edition prescribed it explicitly; the 2013 and 2022 editions no longer mandate a specific model but remain compatible with it) and consists of four phases that help to improve the ISMS continuously. The Act phase is followed again by the Plan phase: all phases are run through one after the other and the whole cycle repeats itself continuously.

  • P

    Plan: Planning

    In this part of the cycle, the security policy, objectives, processes and procedures relevant to risk management and information security improvement are defined.

  • D

    Do: Implementation

    Following the plan phase, the measures decided upon in the plan phase are implemented.

  • C

    Check: Review

    The measures are assessed in this phase for their effectiveness, appropriateness and the quality of the process performance.

  • A

    Act: Acting

    Functioning, effective processes can now be established as the standard, while those processes that were ineffective need to be reacted to.

The implementation of an ISMS

When implementing an ISMS, planning, implementation and maintenance are divided into individual process steps. An information security manual is recommended to document all guidelines and measures. The implementation of an information security management system is a complex process and can be carried out by means of the following steps:

In the first step, determine what the ISMS should achieve, which assets and information should be protected and which areas your ISMS should cover. This includes identifying the areas of application, boundaries and interfaces (the scope). Analyse the processes of your organisation and also consider access by employees, customers and third parties.

In the second step, a risk analysis must be carried out for each asset worth protecting, in which the risks within the scope are identified and assessed. The assessment takes account of legal requirements and compliance guidelines, the probability of occurrence, the impact on confidentiality, integrity and availability, and the damage scenarios should the risk materialise. As part of the risk analysis, record and document which processes, threats and risks are relevant for your organisation. At the end of the risk analysis, you will have an overview of which risks are acceptable and for which risks the probability of occurrence or the extent of damage must be reduced through suitable measures.

Based on the classification and prioritisation of the risks, you can define which measures are to be taken. In doing so, it is important to record not only new measures but also measures that have already been implemented.

For each risk you can now select measures from the catalogue of measures. Define the goal of each measure and how its implementation can reduce the probability of occurrence or the damage caused by the risk. At the same time, define the persons responsible and the deadlines for implementation.

The defined measures are regularly checked for effectiveness by the information security officer; internal audits are particularly recommended for this purpose. If deficiencies or new risks are identified as a result of the audit, the ISMS will be adapted to the changed requirements.
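A minimal risk register covering the steps above (scope, risk scoring per protection goal, acceptance decision, measures with owner and deadline, and the effectiveness review), added here as an illustration. This is not Robin Data's code and not the ComplianceOS data model; the 1 to 5 scales, the acceptance threshold, the way measures reduce the score and all register entries are constructed assumptions.

```python
"""Minimal ISMS risk register (added example; scales, threshold and entries are assumed)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

SCALE = range(1, 6)          # assumed scale: 1 = very low ... 5 = very high
ACCEPTANCE_THRESHOLD = 6     # assumed: scores <= 6 are accepted by management without treatment


@dataclass
class Measure:
    """A treating measure with the owner and deadline the plan phase assigns."""
    name: str
    owner: str
    deadline: date
    implemented: bool = False
    likelihood_reduction: int = 0   # scale points the measure removes from likelihood
    impact_reduction: int = 0       # scale points the measure removes from impact


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact_c: int   # impact on confidentiality
    impact_i: int   # impact on integrity
    impact_a: int   # impact on availability
    measures: list[Measure] = field(default_factory=list)

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact_c, self.impact_i, self.impact_a):
            if v not in SCALE:
                raise ValueError(f"value {v} outside scale 1..5")

    def max_impact(self) -> int:
        # the protection goal hit hardest determines the impact
        return max(self.impact_c, self.impact_i, self.impact_a)

    def inherent_score(self) -> int:
        """Score before any measure: likelihood x highest impact."""
        return self.likelihood * self.max_impact()

    def residual_score(self, include_planned: bool = False) -> int:
        """Score after measures; only implemented ones count unless include_planned."""
        applicable = [m for m in self.measures if m.implemented or include_planned]
        lik = max(1, self.likelihood - sum(m.likelihood_reduction for m in applicable))
        imp = max(1, self.max_impact() - sum(m.impact_reduction for m in applicable))
        return lik * imp

    def classification(self, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
        return "acceptable" if self.inherent_score() <= threshold else "treat"


def review(register: list[Risk], today: date,
           threshold: int = ACCEPTANCE_THRESHOLD) -> list[str]:
    """Findings an internal audit of the register would raise (the Check phase)."""
    findings: list[str] = []
    for r in register:
        if r.classification(threshold) == "acceptable":
            continue
        label = f"{r.asset} / {r.threat}"
        if not r.measures:
            findings.append(f"{label}: score {r.inherent_score()} above {threshold} but no measure defined")
        elif r.residual_score(include_planned=True) > threshold:
            findings.append(f"{label}: planned measures leave residual "
                            f"{r.residual_score(include_planned=True)} > {threshold}; add measures")
        for m in r.measures:
            if not m.implemented and m.deadline < today:
                findings.append(f"{label}: measure '{m.name}' ({m.owner}) overdue since {m.deadline}")
    return findings


def sample_register() -> list[Risk]:
    """Constructed sample entries, not data from any real organisation."""
    return [
        Risk("customer database", "ransomware via phishing", likelihood=4,
             impact_c=5, impact_i=5, impact_a=5, measures=[
                 Measure("offline backups, restore tested quarterly", "IT operations",
                         date(2024, 3, 31), implemented=True, impact_reduction=2),
                 Measure("phishing awareness training", "ISB",
                         date(2024, 6, 30), implemented=False, likelihood_reduction=1),
             ]),
        Risk("office printer", "hardware outage", likelihood=3,
             impact_c=1, impact_i=1, impact_a=2),            # 3 x 2 = 6 -> acceptable
        Risk("HR file share", "excessive access rights", likelihood=3,
             impact_c=4, impact_i=3, impact_a=2),            # 3 x 4 = 12 -> treat, no measure yet
    ]


if __name__ == "__main__":
    for risk in sample_register():
        print(f"{risk.asset:18} inherent={risk.inherent_score():2} "
              f"residual={risk.residual_score():2} -> {risk.classification()}")
    for finding in review(sample_register(), today=date(2024, 7, 15)):
        print("FINDING:", finding)
```

The register deliberately keeps three numbers apart, because auditors ask for all three: the inherent score that justified the treatment decision, the residual score with only the measures actually in place, and the residual score the plan would reach once every measure is done. A plan whose third number still exceeds the threshold is incomplete before anyone starts implementing it.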

Necessary norms and standards

The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) have more than 20 standards relevant to information security, which are grouped under the number 2700x. They describe the sub-areas of information security management or IT security.

Standards provide good support for the decision-making process. The most important security requirements and the corresponding controls are set out in ISO/IEC 27001 in conjunction with ISO/IEC 27002. Alternatively or as a supplement, the BSI's IT-Grundschutz can be used; because of its strictly prescribed procedure and very high level of detail, following it involves considerably more effort.

When selecting the right standard, it is advisable to compare the candidates. Consider their applicability to your organisation: standards differ in the know-how they require for implementation, in the effort needed to develop a security concept and in how far the procedure can be adapted to the specific needs of the company.

ISO 27001

This standard is of particular interest for information security management systems. It specifies requirements for the implementation, maintenance and continuous improvement of a documented ISMS, as well as requirements for the assessment of security risks. Companies can obtain certification according to ISO 27001.

ISO 27005

This standard is titled "Information security risk management" and focuses on the assessment and treatment of risks. It provides:

  • detailed guidance on risk analysis,
  • a precise description of the process for establishing an efficient risk analysis,
  • a detailed description of the individual process steps.

BSI Basic IT Protection Compendium

The IT-Grundschutz-Kompendium of the Federal Office for Information Security (BSI) is a comprehensive collection of texts. These texts are called "IT-Grundschutz-Bausteine" (IT-Grundschutz modules) and each deals with all security-relevant aspects of a specific topic, such as the ISMS itself. The requirements they contain are divided into basic requirements, standard requirements and requirements for increased protection needs. In this way, companies can decide specifically and individually which level of protection they want to achieve.

The earlier IT-Grundschutz catalogues of the BSI presented concepts for IT security and for the implementation of an ISMS. Assistance for introducing, implementing and maintaining an ISMS was provided by BSI Standard 100-1, which is aligned with the international standard ISO/IEC 27001; it has since been superseded by the 200 series described below.

BSI Standard 100 vs. 200

The BSI's "100 series" dealt with the establishment of an ISMS and with risk management. In October 2017, BSI Standards 100-1, 100-2 and 100-3 were replaced by BSI Standards 200-1, 200-2 and 200-3.

  • BSI 200-1 - "Management Systems for Information Security" describes the general requirements for an ISMS and is compatible with ISO/IEC 27001.
  • BSI 200-2 - The "IT-Grundschutz-Methodik" forms the basis for IT-Grundschutz. It contains three proven procedures for implementing IT-Grundschutz:
  1. Basic protection (Basis-Absicherung): an entry-level approach that implements the basic requirements broadly across the whole institution as a first step towards an ISMS.
  2. Core protection (Kern-Absicherung): describes how a small, particularly critical part of a larger information domain can be covered by an ISMS first.
  3. Standard protection (Standard-Absicherung): describes the complete protection process.
  • BSI 200-3 - "Risk Management" bundles all risk-related work steps for the implementation of IT-Grundschutz. This includes the identification of elementary threats, the classification of risks and their treatment.


Industry-specific security standards (B3S) of the BSI

The industry-specific security standards (B3S) are developed by operators of critical infrastructures (KRITIS) or their associations and describe the requirements and the state of the art to be implemented in that sector. On request, the BSI reviews a B3S and confirms its suitability. A recognised B3S then serves as guidance for organisations in the same sector: by demonstrating that they have implemented it, operators can prove to the BSI that state-of-the-art security measures are in place, which gives them legal certainty.


ISMS software

ISMS software is software that supports companies in implementing, monitoring and managing information security measures. It facilitates the documentation of policies, risk assessments and security measures and thus the protection of sensitive information. ISMS software can also support compliance with security standards and regulations and improve the response to security incidents. By automating and streamlining recurring tasks, it helps organisations raise their level of information security.

The tasks of an ISMS software include:

  1. Documentation: Creation, storage and management of security policies, procedures and documentation.
  2. Risk assessment: Support in the identification, assessment and prioritisation of security risks.
  3. Action planning: Preparation of security action plans to mitigate risks.
  4. Compliance management: Ensuring compliance with security standards and legal requirements.
  5. Monitoring and reporting: Continuous monitoring of security metrics and production of reports.
  6. Incident management: Support in responding to security incidents and data breaches.
  7. Audit management: Logging and tracking of activities related to information security.
  8. Access control: Managing permissions and access to sensitive data and systems.
  9. Training and awareness raising: Provision of training materials and security awareness programmes for employees.
  10. Document management: Storage and management of security-related documents and reports.
  11. Updating and adaptation: Support in the regular updating and adaptation of the ISMS.

Video on the implementation of an information security management system

Watch the video on implementing an information security management system:

Do you want to improve the security of sensitive information in your organisation while proactively addressing risks? An information security management system (ISMS) can help you protect your data and ensure compliance with applicable regulations.

In the recording of the one-hour Robin Data Hack on 16 April 2024, you will gain a comprehensive insight into the implementation and maintenance of an effective ISMS. Existing customers also benefit from attending, as we show what ComplianceOS offers and provide helpful tips and advice. The Robin Data Hacks take place online and participation is free of charge. Further information, dates and registration are available from Robin Data.

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

Robin Data ComplianceOS® Field Information Security

With Robin Data ComplianceOS® you implement the requirements for ISMS digitally. Import standards such as ISO 27001 or BSI Grundschutz and implement their requirements step by step and with guidance. From the implementation of risk management to documentation, Robin Data always provides you with the right tool. In this way, you save valuable time and involve all stakeholders in the implementation of the information security management system in an uncomplicated way.

Conclusion

In summary, an ISMS (Information Security Management System) is crucial to ensure information security in organisations. It provides a structured method for identifying, assessing and managing security risks. ISMS software assists in documenting, managing and monitoring security measures, which facilitates compliance and ensures the protection of sensitive data. A well-implemented ISMS helps minimise security incidents and data breaches. It also promotes security awareness among employees through training and awareness programmes. Overall, an ISMS is an indispensable tool to ensure information security and minimise risks in the digital age.

Contact us

We will be happy to answer your questions or provide you with an individual offer.

Caroline Schwabe
