Establishing an ISMS

INFODAS GmbH offers consulting services for the implementation of an ISMS (information security management system) per ISO 27001 native as well as per ISO 27001 based on BSI IT-Grundschutz. Irrespective of the chosen standard, such an ISMS is the subject of a certification according to ISO 27001. A company which wishes to be certified according to one of the two specifications of the standard must therefore have implemented and operated an ISMS. An ISMS helps to reduce costs through security incidents and thus also preserve the reputation of the company. In addition, an ISMS gives the company transparency regarding its security processes and shows optimization potentials. An ISMS also helps to secure itself legally by fulfilling legal and supervisory requirements. With the certification of the ISMS, these points are reaffirmed and information security is demonstrable to the outside, which increases trust in the company.

The ISO 27001 is the internationally standardized standard for information security while the BSI IT-Grundschutz is the nationally oriented counterpart of the Federal Office for Information Security (BSI).

Before the implementation of an ISMS, the company must therefore choose one of the two specifications of the standard ISO 27001. Furthermore, the current level of fulfilment of the requirements of the selected standard in the company should be measured. It is recommended to perform a gap analysis.

Once the preliminary work has been completed, an ISMS introduction project can be started.

Establishing an ISMS per ISO 27001 native

Establishing an ISMS per ISO 27001 native


The following steps are part of the project program for implementing an ISMS conforming to ISO 27001 native:

  1. Set the context of the organization and the scope of the ISMS
    In this first step of an implementation project, the context of the company is elaborated and based on which the scope for the ISMS is determined. In addition, a framework for the documentation of the ISMS is established and the basic documents (for example IS guideline) are created.
  2. Identify sensitive information and assets
    The second work package deals with the inventory of the company’s sensitive information.
  3. Performing a risk analysis
    With the help of the specific information values a risk analysis is carried out in the third step of the project. The aim is to identify the relevant risks to treat them with the ISMS in a sustainable manner.
  4. Identify and establish measures for risk management
    A risk management plan is being created. This contains the identified risks and the controls from Annex A of ISO 27001 native, which have been defined for the treatment of the identified risks. In addition, resources and a time-target for the risk management are defined here.
  5. Measure, control, and improve ISMS
    The final work package of the implementation project is to transfer the ISMS to the regular operation. This means that the effectiveness of the ISMS is checked and, if necessary, corrections are made. In addition, the previously implemented requirements of the standard are checked for completeness and up-to-dateness in internal audits. The procedure portrayed is described by the standard as a continuous improvement process.

Establishing an ISMS per BSI IT-Grundschutz

Establishing an ISMS per BSI IT-Grundschutz

Although an ISMS is the subject of both ISO 27001 native and IT-Grundschutz, the two standards differ in the approach. The following work packages are available for a basic protection implementation project:

  1. Implementation of the ISMS Basis
    The organizational framework for the ISMS is created. This means that the framework conditions, e.g. legal requirements for the ISMS are identified and strategic ISMS reference documents, such as the Guideline for Information Security and the Risk Analysis Directive are established. An IT Security Officer and, if necessary, an IS Team are established.
  2. Drafting the IT Security Concept
    Based on the work package described above (the guideline for information security and the risk analysis directive) an IT security concept shall be drawn up in accordance with the process set out in the Figure 1 – Process IT-Grundschutz.
    The most important steps in this work package are the basic security check and the subsequent risk analysis. The controls from the BSI IT-Grundschutz are checked for their level of compliance with the basic security check (BSC). The deficit controls identified result in a risk analysis, where the individual risks are assessed explicitly, how strongly their influence on the company is and how these are treated. The results of this work package are inter alia the basis for the realization of technical and organizational measures.
  3. Drafting the necessary concepts
    The approach to IT-Grundschutz requires various concepts and guidelines, which are explicitly or implicitly required in the BSI IT-Grundschutz Catalogues. Depending on the situation, these are to be completed, adapted or re-created. This mainly concerns documents such as the IT emergency concept as well as various guidelines and manuals.
  4. Implement the deficit controls identified
    The deficit controls (e.g. controls from the IT-Grundschutz Catalogues, which are only partially or not implemented), which have been determined within the framework of the basic security check as well as the risk analysis, must be implemented in this work package if they were not considered as tolerable in the risk analysis. The implementation of the deficit controls identified is a prerequisite for entry into the auditing and certification process.
  5. Auditing and Certification
    This step is optional. After the ISMS has been successfully established, the certification process can be started. An audit can only be carried out by an independent and certified ISO 27001 auditor based on IT-Grundschutz, which must be assigned separately from the company.

Depending on the size of the company, the scope of the ISMS and the chosen standard, the scope of an ISMS and the associated administrative effort can quickly become complex. It is therefore recommended to use an ISMS tool for the implementation of an ISMS to ensure the greatest possible transparency. One option is SAVe, the official successor to GSTOOLS, which is suitable for both standards. More information on SAVe are presented here.

For all preparation and project steps for implementing an ISMS, INFODAS GmbH fully supports:

  • Perform a gap analysis and find the right standard for the ISMS
  • Consultancy on the ISMS implementation project and support in the correct view of the chosen ISO 27001 specification for the company
  • Provision of our long-term practical know-how for the implementation project
  • Joint elaboration of technical measures and the organizational ISMS framework, supplemented by the corresponding documentation
  • Establishment of a training and awareness program to raise awareness among employees conduct internal audits to assess the effectiveness of the ISMS and to ensure its continuous improvement

In addition, INFODAS GmbH also offers information workshops about ISMS.
Additional information can be provided upon request.