Practical guide for the implementation of an information security management system (ISMS) according to ISO/IEC 27001:2022
Why this guide?
Information security is indispensable. As a component of corporate management, it must be geared to providing optimum support for business objectives. Especially in times of so-called "cyber threats" and the challenges of "cyber security" now emerging in many places, a well-structured information security management system (ISMS) based on internationally recognized standards provides the best foundation for implementing a holistic information security strategy efficiently and effectively.
Whether the chosen focus is on threats originating from the Internet, the protection of intellectual property, the fulfillment of regulatory and contractual obligations, or the safeguarding of production systems depends on the organization's circumstances (e.g., industry, business model, or risk appetite) and its specific security objectives. In all cases, it is crucial to know, or first uncover, the information security risks that exist in the respective context, and then to select, implement and consistently track the necessary strategies, processes and security measures.
The concrete implementation of an ISMS requires experience, but is based first and foremost on the decision and commitment of top management to the subject. A clear management mandate and a security strategy adapted to the business strategy, together with competent personnel and the resources that are ultimately always required, are the basic prerequisites for optimally supporting the achievement of business objectives with an ISMS.
The updated Implementation Guide ISO/IEC 27001:2022 (in short: Implementation Guide) contains practical recommendations and advice for organizations that either already operate an ISMS in accordance with the international standard ISO/IEC 27001, "Information security, cybersecurity and privacy protection – Information security management systems – Requirements", or wish to establish one, irrespective of existing or possible certification. The guide offers pragmatic assistance and approaches to all those entrusted with the establishment and/or operation of an ISMS. It clearly highlights the advantages of an ISMS that is tailored to the individual organization and, where required, at the same time standard-compliant. In particular, it presents practical recommendations for establishing ISMS processes or raising the maturity level of existing ones, together with typical implementation examples for various requirements.
ISACA Germany Chapter e.V. would like to thank the ISACA Information Security Group and the authors for preparing the guide: Erik Gremeyer, Andreas Kirchner, Ralf Knecht, YingYeung John Man, Dirk Meissner, Nico Müller, Jan Rozek, Dr. Markus Ruppel, Andrea Rupprich, Dr. Tim Sattler, Michael Schmid.