Today, the increasing digitalisation and networking of the work environment confronts companies and government agencies with fundamental challenges. At the same time, the threat situation for information security in companies and government agencies is highly dynamic and diverse. To operate business processes or specialised tasks securely with the help of IT, whether offline or online, and thus remain competitive in the long run, organisations must address questions of information security more systematically than before. Developments in information technology are characterised by ever shorter innovation cycles, and technical systems by ever greater complexity. Dependency on working technology is increasing in more and more areas of public and business life. The networking and control of industrial facilities, Smart Home, the Internet of Things, and Connected Cars will present security experts and users with additional challenges in the years to come. Meanwhile, the management of organisations must increasingly consider, for example, the possible effects of a cyber attack. Besides one's own organisation, customers, suppliers, business partners, and further groups may be affected. The approach of all those involved must therefore be planned and organised so that an appropriate and sufficient level of security can be established, maintained, and continuously improved.
In practice, it often proves difficult to establish and maintain an appropriate and sufficient level of security in the long run. Together with the increasing complexity of IT systems, a lack of resources and tight budgets continually present the persons in charge with new challenges. Because of ever shorter development cycles, even tried and tested security mechanisms require constant adaptation or even redesign; in the long run, a static solution cannot provide an appropriate level of security. However, the common belief that security safeguards inevitably require high investments in security technology and highly specialised security experts is not true. The most important success factors include common sense, well-thought-out organisational rules, and reliable, well-informed employees who implement the security requirements independently and competently. Hence, developing and implementing an effective security concept need not be unaffordable, and the most effective safeguards may prove surprisingly simple.
Security must therefore be an integral part of the planning, design, and operation of business processes and information processing. This requires comprehensive organisational and personnel measures in addition to technical ones. Information security management based on IT-Grundschutz accordingly covers infrastructural, organisational, and personnel aspects as well as technical aspects. Only a holistic approach to improving information security can have a lasting effect at all levels.
An appropriate level of security depends primarily on a systematic approach and only secondarily on individual technical measures. The following considerations illustrate this point and the importance of the management level for the security process:
- The management level is responsible for ensuring that statutory regulations and contracts with third parties are complied with and that important business processes are not disrupted.
- The management level is the instance making the decisions on how to handle risks.
- Information security has interfaces with many areas of an organisation and affects highly important business processes and tasks. Therefore, only the management level can ensure that information security management is integrated smoothly in existing organisational structures and processes.
- Furthermore, the management level is responsible for the efficient deployment of resources.
Thus, the management level has a high degree of responsibility in the field of information security. A lack of supervision, an unsuitable security strategy, or wrong decisions may have far-reaching negative effects, as a result of both security incidents and missed opportunities and bad investments. Involving the management level intensively is absolutely necessary: information security is a top man-
This standard therefore describes, step by step, how successful information security management can be established and which tasks the management level in government agencies and companies will have in this context.