ISMS (Information Security Management System)

Systematic framework for information security — ISO 27001 or BSI IT-Grundschutz

Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.

TL;DR

An Information Security Management System (ISMS) is a systematic framework of policies, processes and measures for protecting information. The most established standards are ISO/IEC 27001 (internationally certifiable) and BSI IT-Grundschutz (German standard). It is a mandatory component for NIS2 compliance under Section 30(2) No. 1 BSIG.

What is an ISMS (Information Security Management System)?

Core ISMS components:

Practical example

Typical ISO 27001 implementation for a 200-employee company:
- Q1: ISMS policy + risk analysis methodology
- Q2: risk register + definition of measures
- Q3: implementation of the 93 ISO 27001 controls (where applicable)
- Q4: internal audit + preparation for external audit
- Following year: external audit + certification

Effort: 0.5-1 FTE for implementation + 0.3-0.5 FTE for ongoing operation.

Frequently asked questions

ISO 27001 or BSI IT-Grundschutz?
ISO 27001: internationally recognised, SME-scalable, market expectation. BSI IT-Grundschutz: more detailed, KRITIS-compliant, more cost-effective without certification. A hybrid model is possible.
Is ISO 27001 sufficient for NIS2?
Largely. ISO 27001 covers 70-80% of the Section 30 BSIG requirements. Gaps: NIS2 notification obligations 24/72/30 (Section 32), supply chain due diligence (Section 30(2) No. 5), Section 38 managing director obligations.
What does ISO 27001 certification cost?
Initial implementation: EUR 30,000-150,000 (SME). External audit: EUR 8,000-25,000 every 3 years. Ongoing maintenance: 0.3-0.5 FTE. The Compliance Kit NIS2 Kit reduces implementation costs by 50-70%.

See also