+Security Management
---+ISMS.1 Security Management
------+ISMS.1.G1. Lack of Personal Responsibility in the Security Process
------+ISMS.1.G2. Lack of Support from Top Management
------+ISMS.1.G3. Inadequate Strategic and Conceptual Specifications
------+ISMS.1.G4. Inadequate or Misdirected Investments
------+ISMS.1.G5. Inadequate Enforcement of Security Safeguards
------+ISMS.1.G6. Failure to Update the Security Process
------+ISMS.1.G7. Violation of Statutory Regulations and Contractual Agreements
------+ISMS.1.G8. Business Process Disruptions due to Security Incidents
------+ISMS.1.G9. Uneconomical Use of Resources due to Inadequate Security Management
------+ISMS.1.A1 Acceptance of Overall Responsibility for Information Security by Top Management [Top Management] (B)
------+ISMS.1.A2 Defining Security Objectives and Strategy [Top Management] (B)
------+ISMS.1.A3 Drawing Up an Information Security Policy [Top Management] (B)
------+ISMS.1.A4 Appointment of a Chief Information Security Officer [Top Management] (B)
------+ISMS.1.A5 Contract Design When Appointing an External Chief Information Security Officer [Top Management] (B)
------+ISMS.1.A6 Establishment of a Suitable Organisational Structure for Information Security [Top Management] (B)
------+ISMS.1.A7 Definition of Security Safeguards (B)
------+ISMS.1.A8 Integration of Employees into the Security Process [Supervisor] (B)
------+ISMS.1.A9 Integrating Information Security into Organisation-Wide Procedures and Processes [Top Management] (B)
------+ISMS.1.A10 Drawing Up a Security Concept (S)
------+ISMS.1.A11 Continuity of Information Security (S)
------+ISMS.1.A12 Management Reports on Information Security [Top Management] (S)
------+ISMS.1.A13 Documentation of the Security Process (S)
------+ISMS.1.A15 Cost-Effective Use of Resources for Information Security (S)
------+ISMS.1.A16 Creating Target-Group-Orientated Security Policies (H)
------+ISMS.1.A17 Taking Out Insurance (H)
1. Overview
Security Management
The ISMS layer includes the Security Management module as a basis for all further activities in the security process.
| Designation | Standard |
| ISMS.1 Security Management | |
1. Description
1.1. Introduction
The planning, management, and monitoring role that is essential to setting up and
continuously implementing a well thought-out and effective process for maintaining
information security is referred to as (information) security management. A properly
functioning security management process must be embedded into the existing management
structures of every organisation. For this reason, it is practically impossible to specify an
organisational structure for security management that is directly applicable to every
organisation. Instead, such structures often need to be adapted to the specific conditions of the
organisation at hand.
1.2. Objective
The objective of this module is to illustrate how a functioning information security
management system (ISMS) can be established and developed further during live operations.
To accomplish this, the module describes a systematic security process and provides
instructions for creating a security concept.
1.3. Scoping and Modelling
Module ISMS.1 Security Management must be applied once to the entire information domain
under consideration.
The module is based on the BSI Standards 200-1, “Information Security Management Systems
(ISMS)”, and 200-2, “IT-Grundschutz Methodology”. It summarises the most important aspects
of security management.
Security audits should be carried out in organisations on a regular basis. Detailed requirements
for this are not covered in this module; they can be found in module DER 3.1 Audits and
Revisions. The security risk awareness of all an organisation's employees and other relevant
persons (such as external employees or project members) should be raised in a suitable and
systematic manner for each target group. These individuals should also be trained in aspects of information security. Detailed requirements for this can be found in ORP.3 Awareness and
Training in Information Security.
This module does not deal with specific aspects of human resources or organisation. These
requirements are dealt with in the modules ORP.2 Personnel and ORP.1 Organisation.
4. Additional Information
4.1. Useful Resources
The BSI Standard 200-1 defines general requirements of an information security management
system (ISMS). It is also compatible with the ISO 27001 standard and includes the
recommendations of many other ISO standards.
BSI Standard 200-2 forms the basis of the proven BSI methodology for the development of a
sound information security management system (ISMS). It establishes three new approaches
to the implementation of IT-Grundschutz. Since standards 200-1 and 200-2 have a similar
structure, users can easily navigate within both documents.
ISO/IEC 27000 ("Information Security Management Systems — Overview and Vocabulary")
provides an overview of information security management systems (ISMS) and the
connections among the various standards of the ISO/IEC 2700x family. Furthermore, the
standard includes the basic terms and definitions pertaining to an ISMS.
The ISO/IEC 27001 standard ("Information Security Management Systems – Requirements") is
an international standard on information security management for which certification can
also be obtained.
ISO/IEC 27002 ("Code of Practice for Information Security Controls") supports the selection
and implementation of the safeguards described in ISO/IEC 27001 in order to establish a
working security management system and embed it in an organisation.