
Implementation Guideline ISO/IEC 27001:2013

A publication of the ISACA Germany Chapter Security Expert Group. A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013.

Publisher: ISACA Germany Chapter e.V., Oberwallstr. 24, 10117 Berlin, Germany, www.isaca.de


Transcription of Implementation Guideline ISO/IEC 27001:2013

A publication of the ISACA Germany Chapter Security Expert Group

Implementation Guideline ISO/IEC 27001:2013. A practical guideline for implementing an ISMS in accordance with the international standard ISO/IEC 27001:2013.

Publisher: ISACA Germany Chapter, Oberwallstr. 24, 10117 Berlin, Germany

Team of Authors: Gerhard Funk (CISA, CISM), independent consultant; Julia Hermann (CISSP, CISM), Giesecke & Devrient GmbH; Angelika Holl (CISA, CISM), Unicredit Bank AG; Nikolay Jeliazkov (CISA, CISM), Union Investment; Oliver Knörle (CISA, CISM); Boban Krsic (CISA, CISM, CISSP, CRISC), DENIC eG; Nico Müller, BridgingIT GmbH; Jan Oetting (CISA, CISSP), Consileon Business Consultancy GmbH; Jan Rozek; Andrea Rupprich (CISA, CISM), usd AG; Dr. Tim Sattler (CISA, CISM, CRISC, CGEIT, CISSP), Jungheinrich AG; Michael Schmid (CISM), Hubert Burda Media; Holger Schrader (CISM, CRISC).

The content of this Guideline was developed by members of the ISACA Germany Chapter and was thoroughly researched. Due care has been exercised in the creation of this publication; however, this publication is not comprehensive. It reflects the views of the ISACA Germany Chapter. ISACA Germany Chapter accepts no liability for [...] The latest version of the Guideline can be obtained free of charge at [...] All rights, including the right to reproduce excerpts of the content, are held by the ISACA Germany Chapter. This Guideline was translated from the German original version "Implementierungsleitfaden ISO/IEC 27001:2013", published in June 2016.

Last updated: April 2017 (final upon review by the Information Security Expert Group of the ISACA Germany Chapter)

Foreword

An information security management system (ISMS) is a comprehensive set of policies and processes that an organization creates and maintains to manage risk to information assets. The ISMS helps to detect security control gaps and, at best, prevents security incidents or at least minimizes their impact.

The implementation of an ISMS in accordance with the international standard ISO/IEC 27001 is, however, a very complex subject which includes many activities and resources and can take many months. Nevertheless, for many organizations, an introduction is not only obligatory on the basis of contractual or legal requirements, but also a critical success factor in times of digital transformation and ever-increasing [...] The security of information and related technology is the concern of ISACA members worldwide. The goal of our members is to work to reduce the number of security incidents and to enable organizations to be better prepared for attacks and to react more effectively.

To be successful in achieving this goal, the sharing of knowledge and experience is of primary importance. Therefore, on behalf of the Board of the ISACA Germany Chapter, we are pleased to present this work of our Information Security Expert Group to an international audience. In 2014, the Information Security Expert Group decided to frame and develop a Guideline for implementing an ISMS in accordance with ISO/IEC 27001:2013. This was first written and published in German. We believe that this guide, which has attracted a good response in German-speaking countries, will also be of great interest to an international audience.

This is why we are especially grateful to the expert group for having supported a translation of their work with a lot of effort in adjustment, review, verification and quality [...] We would be glad if this outstanding work of the expert group facilitates the work of information security professionals worldwide and if it promotes knowledge sharing and exchange of experiences among them.

Matthias Goeken, Tim Sattler

Why do we need this Guideline?

Information security is vital. However, as an aspect of corporate management, its aim must be to provide optimum support for business objectives.

A well-structured information security management system (ISMS) designed in accordance with international standards provides an ideal foundation for efficient, effective implementation of a comprehensive security strategy, particularly in an era where cyber threats and cyber security are prevalent. Whether the focus is placed on threats originating from the Internet, protecting intellectual property, complying with regulations and contractual requirements, or securing production systems depends on the situation at hand (e.g., industry, business model, attitude toward risk / risk appetite, etc.) and the respective organization's specific security objectives. Regardless of what the chosen approach is called, it is always important to identify and be aware of the information security threats that exist in the respective context and to select, implement, and consistently maintain the appropriate strategies, processes, and security [...]

The concrete implementation of an ISMS requires experience; however, first and foremost, implementation must be based on the decisions and obligations of the highest level of management in regards to this issue. The basic requirements for using an ISMS to support the business objectives include a clear mandate from management, a security strategy adapted to the business strategy, qualified personnel, and the necessary [...]

The Implementation Guideline ISO/IEC 27001:2013 (in this document referred to as "Implementation Guideline") includes practical recommendations and tips for organizations that already operate an ISMS in accordance with the international standard ISO/IEC 27001:2013, "Information technology – Security techniques – Information security management systems – Requirements", or that want to set up this type of system, regardless of the certifications they hold or are attempting to acquire. The guide provides practical support and strategies for anyone responsible for setting up and/or operating an ISMS. It clearly outlines the benefits of an individually customized ISMS that also conforms to standards (if necessary). It also places particular emphasis on practical recommendations for establishing ISMS processes and/or improving existing ones, and it includes typical examples of how to implement various [...]

The ISACA Germany Chapter would like to thank the ISACA Information Security Expert Group and the authors who created this Guideline: Gerhard Funk, Julia Hermann, Angelika Holl, Nikolay Jeliazkov, Oliver Knörle, Boban Krsic, Nico Müller, Jan Oetting, Jan Rozek, Andrea Rupprich, Dr. Tim Sattler, Michael Schmid, and Holger Schrader. [...] management: Oliver Knörle. Reviewers of the English version: Gerhard Funk, Julia Hermann, Oliver Knörle, Boban Krsic, Nico Müller, Dr. Tim Sattler. Special thanks to Elena Steinke, who reviewed the document from both a professional and a native speaker [...]

The information provided in this document was compiled by experts in the fields of information security, auditors, and information security managers, to the best of their knowledge and experience. There is no guarantee that this information is comprehensive or free from [...]

