1. Introduction
In an increasingly digitalized business world, IT security is gaining importance. Robust information security is essential for both public authorities and B2B customers. Without technical precautions, the risks and challenges in the area of IT security cannot be managed effectively. An IT security management system (ISMS) supports companies in assuming responsibility for information security and in assessing risks in a well-founded manner. This article describes the process of introducing an ISMS in accordance with the CISIS12 standard in our company and highlights the key benefits of this system.
2. Basics and advantages of the ISMS according to CISIS12®
An IT Security Management System (ISMS) defines guidelines and processes to protect the confidentiality, integrity and availability of information. By continuously monitoring, reassessing and adapting security measures, the ISMS helps companies improve their protection over time. Relevant standards such as ISO/IEC 27001 or BSI IT-Grundschutz offer comparable approaches, but CISIS12 was developed specifically for small and medium-sized companies and public authorities, enabling the introduction of a holistic, professional ISMS even with limited IT resources.
For our company, CISIS12 provides the following benefits:
- Safeguarding those responsible and employees,
- Integration of all employees in the information security process,
- Sustainable operation and further development of the ISMS and infrastructure,
- Creation of a high level of trust for customers, partners, and suppliers.
3. Initial situation and needs assessment in the company
Before the introduction of the ISMS, the documentation of our IT security measures was inadequate and mainly limited to technical areas. A lack of transparency made it difficult to comprehensively assess security risks and vulnerabilities. External requirements, such as legal requirements (e.g. NIS-2, GDPR) and customer requirements, especially for public tenders, also made a structured ISMS necessary.
The aim of the ISMS is to fully assess and safeguard all security-relevant areas in the company (scope, see the diagram below). We recognized the need for adjustments and immediate action at an early stage as part of our GDPR measures.
Options for state funding for the implementation of an ISMS were also examined as part of the project.
Figure: Organizational chart of the IT team and the CISIS12 scope (source: Confluence, 31.10.2024)
4. Project planning and approach for CISIS12® Implementation
The project team consisted of the IT administrators, the data protection manager, executive management, the project manager, and the Information Security Officer (ISO). The technical implementation was mainly the responsibility of the administrators, while the ISO managed the organizational setup and documentation.
The DigitalBonus from the state of Bavaria was selected and applied for to fund the purchase of IT tools, the training of the IS team and the commissioning of external services.
The implementation began in March 2023 with a kick-off event for all employees and the aim of achieving certification by the end of the year. The project plan followed the 12 steps of the CISIS12 standard, complemented by a certification phase (external audit). During the initial assessment, we analyzed existing hardware, software and business processes and continued to document these as the project progressed.
Limited resources and a lack of technical expertise for special requirements were identified as particular risks. We countered these preventively by building time buffers into the project plan (especially for vacations and the certification phase) and by hiring a consulting firm. We also established open, direct and transparent communication and task allocation (including for the external consultants) and monitored project progress and target achievement through regular meetings, checks and controls.
5. CISIS12® Implementation
The ISMS is implemented in twelve structured steps, with each phase building on the previous one. The To-be/As-is comparison (step 9) allows numerous action points to be recorded across the entire range of the CISIS12 catalog. We were also guided by a target coverage of the security standard of at least 80% (i.e. 4 out of 5 points) for each relevant measure. The first measures to increase IT security were implemented in parallel with the introduction of CISIS12, while others were, and will continue to be, incorporated into an action plan (our backlog) for targeted improvements in the future. This is supported by IT security training and awareness-raising measures established for all employees from the outset, such as a regular newsletter and targeted information events.
We ensure compliance with and further development of the defined security guidelines through regular audits and internal reviews. An external re-audit and continuous internal checks promote the sustainable establishment of the ISMS and the continuous improvement process (CIP) within the company. With CISIS12, we as a company lay the foundation for a strong IT security culture and a reliable security infrastructure that protects us, our customers, and partners.
6. Challenges in Implementing CISIS12®
Implementing an ISMS presented both technical and organizational challenges:
- Technical Challenges: Not all existing systems fully met the requirements. Knowledge needed to be built up in some areas, and certain systems required reconfiguration or even a complete migration. Complex issues often arose, especially during the To-be/As-is comparison step.
- Tool Selection: Choosing the right CISIS12 tool proved challenging, as the existing software options were either too expensive or insufficiently integrable. After a test phase with a cloud provider, we opted for a full implementation without a separate tool, within our Confluence system.
- Organizational Hurdles: An internal project like implementing an ISMS puts additional strain on resources. Defining new processes, such as supplier management, required considerable coordination and the development of additional expertise.
- Resistance and Acceptance: Early and continuous communication was crucial to foster acceptance. Since most of our workforce are technical staff, communication was easier; however, acceptance and awareness of the ISMS must be promoted consistently.
- Cost and Resource Planning: We recommend deploying a dedicated project team and relying on consulting expertise when implementing an ISMS. External consulting services, which can provide experienced technical and organizational support, sometimes offer extremely valuable help, but they are also expensive.
7. Success Factors for a Functional ISMS
The introduction of our ISMS was supported by the ‘best practices’ of our consulting service provider, which we tailored to our needs with a strong commitment to continuous improvement, a practice we will maintain and enhance. Regular employee training and security awareness measures form the basis for anchoring security awareness in the company and successfully integrating the ISMS into daily operations.
8. Results and Benefits of CISIS12®
The successful implementation of CISIS12 increases our resilience to cyber threats and ensures compliance requirements are met. The integration and linking with existing requirements and processes such as GDPR and GRC management at company level provides particular added value.
In addition to a competitive advantage, the system also strengthens customer confidence and creates sustainable IT and security awareness within the company.
9. Conclusion and Outlook
The implementation of the ISMS was a necessary and worthwhile step, providing valuable insights into the transparency and structure of our IT infrastructure and fostering a shared security awareness. Going forward, we will continuously address new trends and threats to further develop our ISMS. A shift to higher standards, such as ISO 27001, or the introduction of ISO 9001 is a potential direction.
10. Call-to-Action
We welcome your feedback and suggestions on our IS policy and this article. Please feel free to contact us with questions or to discuss IT security concepts. We would also be happy to recommend additional consulting services, specifically for the introduction of an ISMS in the public sector.