IT Security Management

Introducing an information security management system (ISMS)

IT Security Management Based on Established Standards

Reduce risks, contain threats – make your IT organization secure

By using information technology, you expose the information required in a company to potential sources of danger. As part of IT security management including risk prevention, business processes therefore have to be designed and operated in such a manner that security is ensured across the board.

Based on our tried and tested Smartfield Analysis, we use a questionnaire to conduct targeted surveys of your employees and/or external service providers, and we also inspect the available documentation. This methodology makes it clear which gaps exist with respect to standards such as ISO/IEC 27001, the IT baseline protection of the German Federal Office for Information Security (BSI), and/or the minimum requirements for risk management (MaRisk BA) issued by the German Central Bank and the Federal Financial Supervisory Authority (BaFin). We then point out the risks that have been identified and assessed, and suggest how you can reduce these risks and close the gaps in relation to the standards.

Introducing an ISMS in 8 Steps

We advise and support you in the introduction of your information security management system

Are you planning on introducing an information security management system (ISMS)? We guide you through all the steps, right up until the certification phase has been successfully completed. The required effort can be determined after an initial Smartfield Analysis; it depends, among other things, on the structure of your IT organization, its level of maturity, and your employees' level of involvement.

  • analysis of the structure and protection requirements of your IT environment, advice when determining scope, and statement of applicability
  • support when creating required directives, guidelines, and concepts, and when defining processes
  • implementing organizational measures
  • analyzing, assessing, and managing opportunities and risks, depending on scope, using a tool
  • emergency planning with respect to critical business processes and resources
  • training and raising awareness among employees, initial internal ISMS audit
  • consultation in the planning, implementation, and tracking of measures, including checking their effectiveness
  • support with the external audit until the certificate has been received

Your Experts in IT Security Management

Benefit from our years of experience

Our experience in the field of IT security starts with our own software development and extends to system operation in our Germany-based data centers, including high availability through mirrored operation as an option. This offering is used by a number of customers from different industries, including banks, insurance companies, and global players in the travel sector.

PASS has been certified according to ISO/IEC 27001 since 2012; the ISMS developed in-house also conforms to standard 100-1 of the German Federal Office for Information Security (FOIS/BSI). Our method for analyzing, assessing, and managing opportunities and risks corresponds with standards ISO/IEC 27005, BSI 100-3, and the minimum requirements for risk management according to MaRisk (BA) and MaRisk (VA).

External Information Security Officer (ISO)

Independence and IT expertise – all combined in one person

The information security officer (ISO) plays a key role in your company's IT security management; their independence must therefore be guaranteed. On the one hand, they should have sound IT knowledge; on the other hand, they must not be employed by the IT organization. PASS can supply an experienced employee as an external information security officer upon request to provide you with temporary support in the following tasks and to the desired extent:


  • consultation in all security-relevant issues and projects
  • updating directives, guidelines, security-relevant concepts and process descriptions, e.g. as a result of external requirements that have changed, audit results, or security incident evaluations
  • implementing new or changed organizational measures
  • regular inspection of scope and update of risk analysis
  • planning, implementation, and tracking risk management measures, including checking their effectiveness
  • analyzing information security incidents; planning, implementing, and tracking the resulting control measures
  • planning and implementing awareness-raising and training measures
  • conducting regular internal audits to check the effectiveness of the information security management system
  • reporting to management level, organizing management reviews
  • support with external audits

Frequently Asked Questions

Standards such as ISO/IEC 27001 take into account potential threats to IT security goals such as confidentiality, availability, and integrity caused by, for example, information technology, physical, organizational, and personnel weak points. The associated catalogs of measures and hazards are the result of extensive organizational experience, which has been honed to produce the standard.

The potential for risk posed to IT security goals is never static; instead, it is constantly evolving. While known risks can be reduced by taking appropriate measures, technological advancements are often accompanied by new vulnerabilities and threats. That is why the security of an information network must be reassessed on a regular basis, by conducting new analyses and assessments of all risks.

The purpose of an ISMS is to avert all threats posed to an information network. Its benefit is measured as the sum of all assessed risks, where each risk is its probability of occurrence multiplied by the degree of potential damage.