BSI-Standard 200-1: Information Security Management Systems (ISMS)
BSI-Standard 200-1 of the BSI IT-Grundschutz provides guidance on how to establish an Information Security Management System (ISMS).
It is aimed both at the senior management of organizations and at those responsible for IT (security) systems.
The standard outlines the general requirements for an ISMS and defines its essential components as:
- management principles
- resources
- personnel
- the security process, including its conceptualization and organization
Plan-Do-Check-Act Cycle
As a management-focused framework, the standard emphasizes the crucial role of leadership in initiating and supporting the ISMS, as well as its continuous improvement through the involvement of all stakeholders. Accordingly, it recommends the PDCA (Plan-Do-Check-Act) lifecycle model for security processes (see Figure 1) from ISO/IEC 27001, offering structured guidance for implementing, monitoring and refining the ISMS in an iterative manner.
The standard explicitly positions itself as a generic framework for establishing an ISMS. Its concrete implementation is typically guided by risk assessments and further complemented by specifications available with the additional standards of the IT-Grundschutz, namely BSI-Standard 200-2, 200-3 and 200-4.
Certification of the ISMS
As ISO/IEC 27001 is the internationally recognized standard for information security management systems, the BSI issues certifications based on the successful implementation of its methodology, referred to as "ISO 27001 certification based on IT-Grundschutz".