
ISMS.1 Security Management


Description

Introduction

(Information) security management refers to the planning, control, and oversight tasks required to establish and continuously implement a well-conceived and effective process for achieving information security. A functioning security management system must be embedded into the existing management structures of each institution. It is therefore practically impossible to specify an organizational structure for security management that can be directly applied to every institution. Instead, adaptations to specific circumstances will frequently be required.

Objective

The objective of this building block is to show how a functioning information security management system (ISMS) can be established and further developed during ongoing operations. The building block describes steps in a systematic security process and provides guidance for creating a security concept.

Scope and Modeling

The building block ISMS.1 Security Management is to be applied once to the information domain.

The building block is based on BSI Standards 200-1 “Management Systems for Information Security” and 200-2 “IT-Grundschutz Methodology.” It summarizes the most important aspects of security management from both documents.

The institution SHOULD conduct regular security reviews. Detailed requirements for this are not found in this building block but in building block DER 3.1 Audits and Reviews. Furthermore, all employees of the institution as well as all relevant external parties SHOULD be systematically and appropriately sensitized to security risks and trained in information security matters. Detailed requirements for this are found in building block ORP.3 Sensitization and Training on Information Security.

This building block likewise does not address specific aspects relating to personnel or the organizational domain. Such requirements are addressed in building blocks ORP.2 Personnel and ORP.1 Organization respectively.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block ISMS.1 Security Management.

Lack of Personal Responsibility in the Security Process

If roles and responsibilities in the security process are not clearly defined within an institution, it is likely that many employees will decline or forget their responsibility for information security by deferring to higher hierarchical levels. As a result, security measures are not implemented, since they almost always initially represent additional effort in routine workflows.

Insufficient Support from Top Management

If the security officers are not fully supported by Top Management, it can become difficult to enforce the necessary measures. This applies in particular when the measures concern persons who are hierarchically above the security officers. In such cases, the security process cannot be fully carried out.

Inadequate Strategic and Conceptual Requirements

In many institutions, a security concept is created but its contents are often known to only a few people within the institution. This leads to requirements being deliberately or inadvertently disregarded at locations where organizational effort would be required.

Even when the security concept contains strategic objectives, Top Management often regards these merely as a collection of statements of intent. Frequently, insufficient resources are then made available for implementation. It is also often mistakenly assumed that security is automatically achieved in an automated environment.

Without strategic requirements, incidents are frequently handled in an unstructured manner. At best, only partial aspects can then be improved.

Inadequate or Misdirected Investments

If Top Management is not sufficiently informed about the security status of all business processes, IT systems, and applications, as well as about existing deficiencies, insufficient resources will be allocated to the security process or those resources will not be used appropriately. In the latter case, this can result in an excessively high security level in one area being contrasted with serious deficiencies in another.

It is also frequently observed that expensive technical security solutions are incorrectly deployed and are therefore either ineffective or themselves become sources of risk.

Insufficient Enforceability of Security Measures

To achieve a consistent and appropriate security level, different areas of responsibility within an institution must cooperate with each other. However, missing strategic policy statements and unclear objectives sometimes lead to different interpretations of the significance of information security. This can result in the necessary cooperation failing to materialize—for example, because the task of “information security” is regarded as unnecessary or at least not a priority. As a result, security measures may not be implemented.

Lack of Updates in the Security Process

New business processes, applications, and IT systems, as well as new threats, constantly influence the status of information security within an institution. If there is no effective review concept that also strengthens awareness of new threats, the security level decreases. Real security then gradually becomes dangerous pseudo-security.

If the information, business processes, and IT systems of an institution are insufficiently protected—for example, due to inadequate security management—legal provisions relating to information processing or existing contracts with business partners may be violated. Which laws must be observed depends on the type of institution and its business processes and services.

Depending on where an institution’s sites are located, various national and international regulations may also need to be observed. If an institution has insufficient knowledge of international legal requirements—e.g., regarding data protection, disclosure obligations, insolvency law, liability, or third-party access to information—this increases the risk of corresponding violations. Legal consequences may then follow.

In many sectors, it is common practice for clients to require their suppliers and service providers to comply with certain quality and security standards. If a contractual partner violates contractually stipulated security requirements, this can result in contractual penalties, contract termination, or even the loss of business relationships.

Disruption of Business Operations Due to Security Incidents

Security incidents can be triggered by a single event or by a chain of unfortunate circumstances. They can lead to impairment of the confidentiality, integrity, or availability of information and IT systems. This quickly has a negative impact on essential professional tasks and business processes of the affected institution. Even if not all security incidents become publicly known, they can still lead to negative effects in relationships with business partners and customers. Legal requirements could also be disregarded. The most severe and far-reaching security incidents are not necessarily caused by the largest security vulnerabilities. In many cases, a chain of small causes leads to major damage.

Uneconomical Use of Resources Due to Inadequate Security Management

Inadequate security management can lead to incorrect priorities being set and investment not being made in the areas that deliver the greatest added value for the institution. This can lead to the following errors:

  • Investment is made in expensive security solutions without a foundation of necessary organizational rules being in place. Unresolved responsibilities and accountabilities can lead to serious security incidents despite expensive investments.
  • Investment in information security is made in areas of the institution that are particularly sensitized to information security. Other areas, which may be more important for fulfilling professional tasks and achieving business objectives, are neglected due to limited resources or the disinterest of those responsible. Investment is then made in partial areas in an unbalanced manner, while security risks that are especially significant for the overall system remain unaddressed.
  • One-sided enhancement of the protection of individual fundamental values can even reduce overall protection—for example, encrypting information may increase confidentiality but can reduce availability.
  • An inhomogeneous and uncoordinated deployment of security products can lead to high financial and personnel resource expenditure.

Requirements

The following are the specific requirements of building block ISMS.1 Security Management. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. They SHOULD be filled insofar as this is sensible and appropriate.

Responsibilities              Roles
Primarily responsible         Information Security Officer (ISO)
Additional responsibilities   Supervisors, Top Management

Exactly one role SHOULD be Primarily responsible. There may also be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled with priority for this building block.

ISMS.1.A1 Assumption of Overall Responsibility for Information Security by Management (B) [Top Management]

Top Management MUST assume overall responsibility for information security in the institution. This MUST be clearly recognizable to all parties involved. Top Management MUST initiate, control, and monitor the security process. Top Management MUST lead by example in information security.

Top Management MUST define the responsibilities for information security. The responsible employees MUST be equipped with the required competencies and resources.

Top Management MUST regularly be informed about the status of information security. In particular, Top Management MUST be informed about possible risks and consequences arising from missing security measures.

ISMS.1.A2 Definition of Security Objectives and Strategy (B) [Top Management]

Top Management MUST initiate and establish the security process. To this end, Top Management MUST define and document appropriate security objectives and a strategy for information security. Conceptual requirements MUST be developed and organizational framework conditions MUST be created to enable the orderly and secure handling of information within all business processes of the company or professional tasks of the authority.

Top Management MUST support and be responsible for the security strategy and the security objectives. Top Management MUST regularly review the security objectives and the security strategy to determine whether they are still current and appropriate and can be effectively implemented.

ISMS.1.A3 Creation of an Information Security Policy (B) [Top Management]

Top Management MUST adopt a high-level information security policy. This MUST describe the importance of information security, the security objectives, the most important aspects of the security strategy, and the organizational structure for information security. A clear scope MUST be defined for the security policy. The information security policy MUST explain the security objectives and the relationship of the security objectives to the business objectives and tasks of the institution.

Top Management MUST make the information security policy known to all employees and other members of the institution. The information security policy SHOULD be updated regularly.

ISMS.1.A4 Appointment of an Information Security Officer (B) [Top Management]

Top Management MUST appoint an ISO. The ISO MUST promote information security in the institution and help control and coordinate the security process.

Top Management MUST equip the ISO with adequate resources. Top Management MUST give the ISO the opportunity to report directly to Top Management itself if necessary.

The ISO MUST be involved at an early stage in all major projects and in the introduction of new applications and IT systems.

ISMS.1.A5 Contract Design When Appointing an External Information Security Officer (B) [Top Management]

Top Management MUST appoint an external ISO if the ISO role cannot be filled by an internal employee. The contract with an external ISO MUST cover all tasks of the ISO and the associated rights and obligations. The contract MUST include an appropriate confidentiality agreement. The contract MUST ensure a controlled termination of the contractual relationship, including the handover of tasks to the contracting parties.

ISMS.1.A6 Establishment of an Appropriate Organizational Structure for Information Security (B) [Top Management]

An appropriate overarching organizational structure for information security MUST be in place. To this end, roles MUST be defined that take on specific tasks to achieve the security objectives. In addition, qualified persons MUST be named who have sufficient resources to take on these roles. Tasks, roles, responsibilities, and competencies in security management MUST be defined and assigned in a comprehensible manner. For all important functions of the information security organization, effective substitution arrangements MUST be in place.

Communication channels MUST be planned, described, established, and made known. It MUST be established for all tasks and roles who informs whom and who must be informed about which actions and to what extent.

It MUST be regularly checked whether the organizational structure for information security is still appropriate or whether it needs to be adapted to new framework conditions.

ISMS.1.A7 Definition of Security Measures (B)

Within the security process, comprehensive and appropriate security measures MUST be defined for all information processing. All security measures SHOULD be systematically documented in security concepts. The security measures SHOULD be updated regularly.

ISMS.1.A8 Integration of Employees into the Security Process (B) [Supervisors]

All employees MUST be integrated into the security process. To this end, they MUST be informed about the backgrounds and threats relevant to them. They MUST know and implement the security measures that apply to their workplace.

All employees MUST be enabled to actively contribute to security. Therefore, employees SHOULD be involved at an early stage when security measures are to be planned or organizational rules are to be designed.

When introducing security policies and security tools, employees MUST be sufficiently informed about how these are to be applied.

Employees MUST be informed about the consequences that a violation of the security requirements can have.

ISMS.1.A9 Integration of Information Security into Organization-Wide Processes and Procedures (B) [Top Management]

Information security MUST be integrated into all business processes and professional tasks. It MUST be ensured that all required security aspects are taken into account not only for new processes and projects but also for ongoing activities. The Information Security Officer (ISO) MUST be sufficiently involved in security-relevant decisions.

Information security SHOULD also be coordinated with other areas in the institution that deal with security and risk management.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be fulfilled.

ISMS.1.A10 Creation of a Security Concept (S)

For the defined scope (information domain), an appropriate security concept SHOULD be created as the central document in the security process. A decision SHOULD be made as to whether the security concept is to consist of one or several partial concepts that are created successively in order to first establish the required security level in selected areas.

In the security concept, concrete security measures appropriate to the information domain under consideration MUST be derived from the institution’s security objectives, the identified protection requirements, and the risk assessment. The security process and security concept MUST take into account the individually applicable regulations and rules.

The measures provided for in the security concept MUST be implemented in a timely manner. This MUST be planned and implementation MUST be monitored.

ISMS.1.A11 Maintenance of Information Security (S)

The security process, security concepts, the information security policy, and the organizational structure for information security SHOULD be regularly reviewed for effectiveness and appropriateness and updated. To this end, regular completeness and update reviews of the security concept SHOULD be carried out.

Likewise, regular security reviews SHOULD be conducted. For this purpose, rules SHOULD be in place governing which areas and security measures are to be reviewed when and by whom. Reviews of the security level SHOULD be conducted regularly (at least annually) as well as on an as-needed basis.

Reviews SHOULD be conducted by qualified and independent persons. The results of the reviews SHOULD be documented in a comprehensible manner. Building on this, deficiencies SHOULD be remedied and corrective measures SHOULD be taken.

ISMS.1.A12 Management Reports on Information Security (S) [Top Management]

Top Management SHOULD regularly be informed about the status of information security, in particular about the current threat landscape and the effectiveness and efficiency of the security process. Management reports SHOULD be written that contain the most important relevant information about the security process, in particular about problems, successes, and opportunities for improvement. Management reports SHOULD contain clearly prioritized proposals for measures. The proposals for measures SHOULD be accompanied by realistic estimates of the expected implementation effort. Management reports SHOULD be archived in an audit-proof manner.

Management decisions on required actions, the handling of residual risks, and changes to security-relevant processes SHOULD be documented. Management decisions SHOULD be archived in an audit-proof manner.

ISMS.1.A13 Documentation of the Security Process (S)

The course of the security process SHOULD be documented. Important decisions and the work results of individual phases—such as security concepts, guidelines, or investigation results of security incidents—SHOULD be documented sufficiently.

There SHOULD be a regulated procedure for creating and archiving documentation within the security process. Rules SHOULD exist to maintain the currency and confidentiality of the documentation. The current version of existing documents SHOULD be accessible at short notice. In addition, all previous versions SHOULD be centrally archived.

ISMS.1.A14 DISCONTINUED (S)

This requirement has been discontinued.

ISMS.1.A15 Economical Use of Resources for Information Security (S)

The security strategy SHOULD take economic aspects into account. When security measures are defined, the resources required for them SHOULD be quantified. The resources planned for information security SHOULD be made available in a timely manner. At times of peak workload or for special tasks, additional internal employees SHOULD be deployed or external expertise SHOULD be brought in.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there are high protection needs. The specific determination is made within the framework of an individual risk analysis.

ISMS.1.A16 Creation of Target-Group-Specific Security Policies (H)

In addition to the general security policies, there SHOULD also be target-group-oriented security policies that reflect the relevant security topics appropriately for each target group.

ISMS.1.A17 Taking Out Insurance (H)

It SHOULD be examined whether insurance can be taken out for residual risks. It SHOULD be regularly checked whether existing insurance policies correspond to the current situation.

Additional Information

Good to Know

BSI Standard 200-1 defines general requirements for an information security management system (ISMS). It is also compatible with ISO Standard 27001 and takes into account the recommendations of many other ISO standards.

BSI Standard 200-2 forms the basis of the proven BSI methodology for building a solid information security management system (ISMS). It establishes three new approaches to implementing IT-Grundschutz. Due to the similar structure of standards 200-1 and 200-2, users can easily navigate both documents.

ISO/IEC 27000 (Information security management systems - Overview and vocabulary) provides an overview of information security management systems (ISMS) and the relationships between the various standards in the ISO/IEC 2700x family. It also contains the basic terms and definitions for ISMS.

ISO/IEC 27001 (Information security management systems - Requirements) is an international standard for information security management that also enables certification.

ISO/IEC 27002 (Code of practice for information security controls) supports the selection and implementation of the measures described in ISO/IEC 27001 in order to build a functioning security management system and anchor it within the institution.