ISMS.1 Security Management

Threats
  ISMS.1.G1 Lack of Personal Responsibility in the Security Process
  ISMS.1.G2 Lack of Support from Top Management
  ISMS.1.G3 Inadequate Strategic and Conceptual Specifications
  ISMS.1.G4 Inadequate or Misdirected Investments
  ISMS.1.G5 Inadequate Enforcement of Security Safeguards
  ISMS.1.G6 Failure to Update the Security Process
  ISMS.1.G7 Violation of Statutory Regulations and Contractual Agreements
  ISMS.1.G8 Business Process Disruptions due to Security Incidents
  ISMS.1.G9 Uneconomical Use of Resources due to Inadequate Security Management

Requirements
  ISMS.1.A1 Acceptance of Overall Responsibility for Information Security by Top Management [Top Management] (B)
  ISMS.1.A2 Defining Security Objectives and Strategy [Top Management] (B)
  ISMS.1.A3 Drawing Up an Information Security Policy [Top Management] (B)
  ISMS.1.A4 Appointment of a Chief Information Security Officer [Top Management] (B)
  ISMS.1.A5 Contract Design When Appointing an External Chief Information Security Officer [Top Management] (B)
  ISMS.1.A6 Establishment of a Suitable Organisational Structure for Information Security [Top Management] (B)
  ISMS.1.A7 Definition of Security Safeguards (B)
  ISMS.1.A8 Integration of Employees into the Security Process [Supervisor] (B)
  ISMS.1.A9 Integrating Information Security into Organisation-Wide Procedures and Processes [Top Management] (B)
  ISMS.1.A10 Drawing Up a Security Concept (S)
  ISMS.1.A11 Continuity of Information Security (S)
  ISMS.1.A12 Management Reports on Information Security [Top Management] (S)
  ISMS.1.A13 Documentation of the Security Process (S)
  ISMS.1.A15 Cost-Effective Use of Resources for Information Security (S)
  ISMS.1.A16 Creating Target-Group-Orientated Security Policies (H)
  ISMS.1.A17 Taking Out Insurance (H)

1. Overview

ISMS.1 Security Management

1. Description
1.1. Introduction
The planning, management, and monitoring role that is essential to setting up and
continuously implementing a well thought-out and effective process for maintaining
information security is referred to as (information) security management. A properly
functioning security management process must be embedded into the existing management
structures of every organisation. For this reason, it is practically impossible to specify an
organisational structure for security management that is directly applicable to every
organisation. Instead, such structures often need to be adapted to the specific conditions of the
organisation at hand.
1.2. Objective
The objective of this module is to illustrate how a functioning information security
management system (ISMS) can be established and developed further during live operations.
To accomplish this, the module describes a systematic security process and provides
instructions for creating a security concept.
1.3. Scoping and Modelling
Module ISMS.1 Security Management must be applied once to the entire information domain
under consideration.
The module is based on the BSI Standards 200-1, “Information Security Management Systems
(ISMS)”, and 200-2, “IT-Grundschutz Methodology”. It summarises the most important aspects
of security management.
Security audits should be carried out in organisations on a regular basis. Detailed requirements
for this are not covered in this module; they can be found in module DER 3.1 Audits and
Revisions. The security risk awareness of all an organisation's employees and other relevant
persons (such as external employees or project members) should be raised in a suitable and
systematic manner for each target group. These individuals should also be trained in aspects of
information security. Detailed requirements for this can be found in ORP.3 Awareness and
Training in Information Security.
This module does not deal with specific aspects of human resources or organisation. These
requirements are dealt with in the modules ORP.2 Personnel and ORP.1 Organisation.
4. Additional Information
4.1. Useful Resources
The BSI Standard 200-1 defines general requirements of an information security management
system (ISMS). It is also compatible with the ISO 27001 standard and includes the
recommendations of many other ISO standards.
BSI Standard 200-2 forms the basis of the proven BSI methodology for the development of a
sound information security management system (ISMS). It establishes three new approaches
to the implementation of IT-Grundschutz. Since standards 200-1 and 200-2 have a similar
structure, users can easily navigate within both documents.
ISO/IEC 27000 ("Information Security Management Systems — Overview and Vocabulary")
provides an overview of information security management systems (ISMS) and the
connections among the various standards of the ISO/IEC 2700x family. Furthermore, the
standard includes the basic terms and definitions pertaining to an ISMS.
The ISO/IEC 27001 standard ("Information Security Management Systems – Requirements") is
an international standard on information security management for which certification can
also be obtained.
ISO/IEC 27002 ("Code of Practice for Information Security Controls") supports the selection
and implementation of the safeguards described in ISO/IEC 27001 in order to establish a
working security management system and embed it in an organisation.
Summary Standard
ISMS.1.A1 Acceptance of Overall Responsibility for Information Security by Top Management [Top Management] (B)
An organisation's Top Management MUST take overall responsibility for information security
in the organisation. This MUST be clear to everyone involved. The Top Management MUST
initiate, control, and monitor the security process. The Top Management MUST set a good
example regarding information security.
The Top Management MUST define the responsibilities for information security. The
responsible employees MUST be equipped with the necessary skills and resources.
The Top Management MUST be regularly informed about the organisation's information
security status. In particular, the Top Management MUST be informed about possible risks and
consequences due to a lack of security safeguards.
ISMS.1.A2 Defining Security Objectives and Strategy [Top Management] (B)
An organisation's Top Management MUST initiate and establish the security process. For this
purpose, the Top Management MUST define and document appropriate security objectives
and an information security strategy. Conceptual specifications MUST be developed and
organisational framework conditions established to enable the proper and secure handling of
information within all the organisation's business processes or specialised tasks.
The Top Management MUST support and take responsibility for its organisation's security
strategy and security objectives. The Top Management MUST regularly review these security
objectives and the security strategy to ensure that they are still relevant and appropriate and
can be implemented effectively.
ISMS.1.A3 Drawing Up an Information Security Policy [Top Management] (B)
An organisation's Top Management MUST adopt an overarching information security policy.
This MUST describe the value of information security, the organisation's security objectives,
the most important elements of the security strategy, and the organisational structure for
information security. The scope of the security policy MUST be clearly defined. The policy for
information security MUST explain the security objectives and how they relate to the business
objectives and tasks of the organisation.
The Top Management MUST communicate the information security policy to all staff and
other members of the organisation. The information security policy SHOULD be updated
regularly.
ISMS.1.A4 Appointment of a Chief Information Security Officer [Top Management] (B)
An organisation's Top Management MUST appoint a Chief Information Security Officer
(CISO). The CISO MUST promote information security in the organisation and help steer and
coordinate the security process.
The Top Management MUST provide the CISO with adequate resources. The Top Management
MUST allow the CISO to report directly to it when required.
The CISO MUST be involved at an early stage in all larger projects and in the introduction of
new applications and IT systems.
ISMS.1.A5 Contract Design When Appointing an External Chief Information Security Officer [Top Management] (B)
An organisation's Top Management MUST appoint an external Chief Information Security
Officer (CISO) if the role of CISO cannot be filled by an internal employee. The contract with
the external CISO MUST include all the tasks of the CISO and their related rights and
obligations. The contract MUST include an appropriate confidentiality agreement. The
contract MUST ensure that the corresponding relationship is terminated in an orderly fashion,
including with regard to the handover of tasks back to the organisation in question.
ISMS.1.A6 Establishment of a Suitable Organisational Structure for Information Security [Top Management] (B)
An organisation MUST have a suitable higher-level organisational structure for information
security. For this purpose, roles MUST be defined that will take on specific tasks to achieve the
security objectives at hand. Qualified persons MUST also be appointed with sufficient
resources to take on these roles. The tasks, roles, responsibilities, and competencies in security
management MUST be defined and assigned in a transparent manner. Effective deputising
rules MUST be in place for all the important functions within an information security
organisation.
Communication channels MUST be planned, described, set up, and publicised. For all tasks
and roles, it MUST be specified who will inform whom, who must be informed of which
actions, and what information is to be provided.
It MUST be checked at regular intervals whether the organisational structure for information
security is still adequate or needs to be adapted to new framework conditions.
ISMS.1.A7 Definition of Security Safeguards (B)
As part of the security process, detailed and adequate security safeguards MUST be defined for
all aspects of information processing. All security safeguards SHOULD be documented
systematically in security concepts. These security safeguards SHOULD be updated at regular intervals.
ISMS.1.A8 Integration of Employees into the Security Process [Supervisor] (B)
All of an organisation's employees MUST be integrated into its security process. For this
purpose, they MUST be informed about the background and the hazards relevant to them.
They MUST know and implement security safeguards that affect their workplace.
All employees MUST be enabled to make active contributions to security. Employees SHOULD
therefore be involved at an early stage in planning security safeguards or devising
organisational regulations.
When introducing security policies and security tools, employees MUST be adequately
informed about how these should be used.
Employees MUST be made aware of the consequences of breaching security rules.
ISMS.1.A9 Integrating Information Security into Organisation-Wide Procedures and Processes [Top Management] (B)
Information security MUST be integrated into all business processes and specialised tasks. In
so doing, it MUST be ensured that all necessary security aspects are not only taken into
account in new processes and projects, but also in ongoing activities. The Chief Information
Security Officer MUST be adequately involved in making security-relevant decisions.
Moreover, information security SHOULD be coordinated with other areas of an organisation
that deal with security and risk management.
ISMS.1.A10 Drawing Up a Security Concept (S)
For the specified scope (the information domain), an adequate security concept SHOULD be
drawn up as the central document in the security process. It SHOULD also be decided whether
the security concept can also consist of several sub-concepts that are drawn up successively to
establish the required level of security in selected areas first.
In the security concept, specific security safeguards appropriate for the information domain
under consideration MUST be derived from the security objectives of the organisation in
question, the protection needs identified, and the risk evaluation conducted. The security
process and the security concept MUST take the individually applicable regulations and
provisions into account.
The safeguards provided in the security concept MUST be implemented promptly in practice.
Their implementation MUST be planned and monitored.
ISMS.1.A11 Continuity of Information Security (S)
An organisation SHOULD review its security process, security concepts, information security
policy, and organisational structure for information security in terms of their appropriateness
and effectiveness and update them at regular intervals. Completeness and update checks of the
security concept SHOULD also be performed regularly in this regard.
Security audits SHOULD be performed regularly. In this regard, there SHOULD be rules that
specify which areas and security safeguards need to be checked when and by whom. The level
of security SHOULD be reviewed regularly (at least once a year) and whenever there is a reason
to do so.
These reviews SHOULD be performed by qualified and independent persons. The results of the
reviews SHOULD be documented in a transparent manner. Based on this, shortcomings
SHOULD be eliminated and corrective measures taken.
ISMS.1.A12 Management Reports on Information Security [Top Management] (S)
An organisation's Top Management SHOULD be regularly informed about the status of
information security—in particular, about the current threat landscape and the effectiveness
and efficiency of its security process. In addition, management reports SHOULD be written
that contain the most important information relevant to the security process, especially with
regard to problems, successes, and potential improvements. The management reports
SHOULD contain clearly prioritised proposals for action. The proposed actions SHOULD be
accompanied by realistic estimates of the expected implementation effort. The management
reports SHOULD be archived in an audit-compliant manner.
Management decisions relating to required actions, the handling of residual risks, and changes
to security-relevant processes SHOULD be documented. These management decisions
SHOULD be archived in an audit-compliant manner.
ISMS.1.A13 Documentation of the Security Process (S)
The security process SHOULD be documented. Important decisions and the work results of
the individual phases, such as the security concept, policies, or findings resulting from
examinations of security incidents, SHOULD be documented adequately.
A procedure SHOULD be defined for the creation and archiving of documentation within the
framework of the security process. Rules SHOULD be in place to ensure that documentation is
kept up to date and confidential. The respective current versions of existing documents
SHOULD be available on short notice. Furthermore, all previous versions SHOULD be
archived centrally.
ISMS.1.A15 Cost-Effective Use of Resources for Information Security (S)
An organisation's security strategy SHOULD take economic aspects into account. If security
safeguards are defined, the resources required for them SHOULD be quantified. The resources
planned for information security SHOULD be provided on time. Additional internal
employees or external experts SHOULD be called in for workload peaks or special tasks.
ISMS.1.A16 Creating Target-Group-Orientated Security Policies (H)
In addition to general security policies, there SHOULD be target-group-oriented security
policies that cover the relevant security topics as needed.
ISMS.1.A17 Taking Out Insurance (H)
It SHOULD be examined whether insurance can be taken out against residual risks. An
organisation's existing insurance policies SHOULD be checked regularly to ensure they are still
appropriate for the current situation.
