Information security management must keep the management level informed of the results of the checks at regular intervals and in an adequate manner. Problems, successes and opportunities for improvement should be pointed out.
Every risk assessment must comprise the following steps:
- The information and business processes that are to be protected must be identified.
- All the relevant threats pertaining to the information and business processes that are to be protected must be identified.
- Vulnerabilities which the threats can exploit to take effect must be identified.
Selecting information security safeguards
Specific information security safeguards can be derived from the general information security objectives and information security requirements that the management level has specified. When selecting security measures, the cost-benefit aspects and the practical feasibility must also be considered.
Measures must be implemented so that information processing errors (which can compromise confidentiality, availability or integrity), security-critical mistakes and information security incidents are avoided as far as possible, limited in their impact or at least noticed early on. The following, for example, can be used to detect security problems at an early stage: tools for monitoring systems, integrity checks, logging of access, actions or errors, controlling access to buildings and rooms, or fire, water and air-conditioning sensors.
An information security management system does not necessarily have to be introduced for an entire institution. The area of application within which the ISMS should apply must therefore be specified first. The area of application frequently includes the entire institution but it can also, for example, relate to one or more tasks, business processes or organisational units. In this case it is important that the considered tasks and business processes are completely contained within the selected area of application. Within the context of IT-Grundschutz, the term "information domain" is used for the area of application. It then also covers all the infrastructural, organisational, personnel and technical components that serve to fulfil the tasks in this area of application of information processing.