ISIS12

from Wikipedia, the free encyclopedia

The information security management system in 12 steps (ISIS12) is a model for the introduction of an information security management system (ISMS). It was developed specifically for use in municipalities and small and medium-sized enterprises (SMEs). ISIS12 contains specific measures for the systematic and continuous improvement of information security.

ISIS12 is an independently certifiable entry level into an ISMS. Its compatibility with ISO/IEC 27001 and IT-Grundschutz enables a later switch to a more extensive certified ISMS, e.g. ISO/IEC 27001 based on IT-Grundschutz.

Basic idea

The legislature has also recognized the need for information security and has passed corresponding laws (IT Security Act, Bavarian E-Government Act Art. 11). In addition, implementation guidance for information security also arises from other legal requirements (e.g. GDPR, Limited Liability Companies Act § 43 para. 1, Basel II, SOX, Telemedia Act, Aktiengesetz § 91 para. 2 and § 93 para. 2, Commercial Code § 317 para. 4 and many more), which mostly use the topic of risk or data loss as their basis.

Experience has shown that difficulties in the practical introduction and implementation of an ISMS include personnel bottlenecks, a lack of specialist knowledge and the overloading of the mostly small IT departments.

The basic idea behind the development of ISIS12 was therefore to close the gap between what is necessary and what is organizationally affordable. As a result of these considerations, a model in twelve concrete steps was created, derived from IT-Grundschutz and the ISO/IEC 27001 standard.

During the development by the Network for Information Security in Medium-Sized Enterprises (NIM), particular attention was paid to ensuring that, rather than covering every threat scenario, companies are provided with clear and concise instructions with an integrated implementation concept in understandable language. The aim is to offer those responsible a guided path to helping themselves.

Introduction

The introduction of an ISMS according to ISIS12 is carried out in twelve steps:

  1. Create a guideline
  2. Sensitize employees
  3. Build information security team
  4. Define IT documentation structure
  5. Introduce IT service management process
  6. Identify critical applications
  7. Analyze IT structure
  8. Model security measures
  9. Compare actual and target state
  10. Plan implementation
  11. Implement
  12. Revision

The steps are run through iteratively over time, so that a PDCA (plan-do-check-act) cycle is established.

Manual, catalog and software

In the “Handbook for the efficient design of information security for small and medium-sized organizations”, the ISIS12 process model is described in a didactic manner. It is a comprehensive guide, and implementation can be accompanied by certified ISIS12 consultants.

The ISIS12 catalog was derived from the BSI IT-Grundschutz catalogs (15th supplement 2016 [BSI: 2013a]), the de jure standard ISO/IEC 27001 [ISO: 2013a] (control objectives A.5 to A.18) and the detailed controls in ISO/IEC 27002 [ISO: 2008b]. It supplements the didactic description in the manual with specific measures derived from these higher-level standards.

The introduction process and the revision cycles can be supported by accompanying software. On behalf of the Bavarian IT Security Cluster e.V., Harald Hornung developed a tool that maps the twelve procedural steps of the ISIS12 process in software.

The software aims to support project participants in the implementation and use of ISIS12.

Integration of IT service management processes

Experience shows that companies that have not yet introduced an ISMS usually do not have any defined IT service management (ITSM) processes. A basic ITSM was therefore integrated into ISIS12, reduced to the essential processes of maintenance, change and troubleshooting.

Integration of data protection

Information security management and data protection management have many comparable requirements, documents and procedures. It therefore makes sense to connect the two, which is possible with ISIS12.

For this purpose, the following procedure was chosen to connect the data protection management system (DSMS) with the ISIS12 ISMS and to use the corresponding synergies:

  • In step 1, the information security guideline is expanded to include data protection, which makes its importance explicit.
  • In step 2, the data protection component is specifically integrated into employee awareness training.
  • The ISIS12 structure and process organization are expanded to include the GDPR-relevant points (steps 3, 4 and 5), and GDPR-relevant processes are included.
  • Step 6 in particular plays a central role in the area of "traceability". In step 6, processing operations have already been identified, recorded and evaluated with a protection requirement determination in terms of availability, integrity and confidentiality. Applications in which personal data are processed are summarized in a record of processing activities (Art. 30 GDPR). The risk analysis (RA) to be carried out and the data protection impact assessment (DFA) that may be required are performed in this step using the processing record and documented accordingly.
  • Special requirements of the GDPR are included in the new ISIS12 module "B 1.5 GDPR data protection" in the form of binding security measures and/or in specific modules such as "B 4.10 software and hardware development" (privacy by design / privacy by default).

In step 12, an annual data protection audit is implemented, which checks the 12 steps of the extended process model. ASBn checklists will also become part of this in the future. If certification is desired, the certification scheme extended by the DSMS can be used. The scope of the audit is expanded accordingly, which gives companies the opportunity to provide the evidence required for accountability under the GDPR.

Certification

Companies that have introduced an ISMS according to ISIS12 can have this independently certified by DQS as part of an audit.

ISIS12 can be used at any time as a basis for further certification according to ISO/IEC 27001 or IT-Grundschutz.

Funding

The original development was funded by the Bavarian State Ministry for Economic Affairs, Infrastructure, Transport and Technology via BICCnet.

In addition, ISIS12 is eligible for funding under various programs:

  • Promotion of information security in Bavarian municipalities
  • Digital bonus, Bavaria
  • Promotion of information security in Saarland municipalities

Recognition

ISIS12 for municipal security

The IT Planning Council officially recommended ISIS12 for use in municipal security. This means that, in addition to BSI IT-Grundschutz and ISO 27001, ISIS12 is considered particularly suitable for implementation in small and medium-sized municipal administrations. The network "Information Security for Medium-Sized Enterprises (NIM)" of the Bavarian IT Security Cluster e.V. has developed a practicable procedure with ISIS12, which shows in twelve manageable steps how to begin developing and designing information security guidelines.

Expertise from Fraunhofer AISEC

An expert opinion commissioned by the Free State of Bavaria from Fraunhofer AISEC also confirms that ISIS12 is based on the BSI IT-Grundschutz methodology and meets the minimum requirements of the IT Planning Council for an ISMS. With ISIS12, the necessary security measures can be implemented comparatively easily in small and medium-sized municipalities with up to 500 employees as an entry into an ISMS. In particular, ISIS12 is also suitable as a basis for the later introduction of an ISMS based on ISO 27001 or BSI IT-Grundschutz.

The report also clearly shows the limits of ISIS12:

“For a defined “standard authority” with approx. 500 employees, the most homogeneous basic IT infrastructure possible, no branch offices connected unprotected via public networks, predominantly normal protection requirements, no high availability requirements for IT systems and no critical applications (in the sense of no critical infrastructures), it can be concluded that ISIS12 is an appropriate course of action.”

- Fraunhofer AISEC: Expert opinion on the applicability of ISIS12 in public administration

According to this report, ISIS12 is not suitable for operators of critical infrastructures as defined by the IT Security Act. However, ISIS12 can serve as a starting point for certification according to ISO/IEC 27001.

Central municipal associations

The German Association of Cities and Towns also came to the conclusion in its “Guide to the Design of Information Security Guidelines in Local Authorities” that ISIS12 represents a basis for expanding a guideline-compliant ISMS in local authorities.
