ISM Logs
Data is raw material, information is structured data in context, and knowledge is interconnected information held by a person.
* The D-I-K pyramid — raw Data at the base, Information (data in context) above, Knowledge at the top. *
Think of it as a pyramid with three layers:...
Q What are common management misconceptions about information security?
Managers often dismiss security as a cost center, assume firewalls are enough, or believe their company isn't a target.
Classic management excuses:
Misconception
Reality
"What does security bring us besides costs?"
It prevents far greater costs from breaches, fines, and re...
Q What is the difference between Zutritt, Zugang, and Zugriff (physical access, logical access, and da...
Zutritt is physical entry to a location, Zugang is logical access to a system, and Zugriff is permission to use specific data or functions.
* The three access layers — Zutritt (physical entry) → Zugang (logical login) → Zugriff (data permissions). *
These three German terms repr...
Q What are the BSI Standards and what is the IT-Grundschutz-Kompendium?
The BSI Standards describe the methodology for IT baseline protection and cover ISMS, methodology, and risk analysis. The IT-Grundschutz-Kompendium provides the actual building blocks, threats, and implementation guidance.
* The four BSI Standards — ISMS, methodology, risk analy...
Q How does the IKT Minimalstandard's self-assessment scoring work?
Each measure is scored on a maturity scale from 0 to 4, and the results are compared as "ist" (actual) vs. "soll" (target) — typically visualized as spider/radar charts per function.
The tier levels (mirroring the NIST Implementation Tiers, in German):
Score
Level
0
Not im...
Q In the Gartner "security capabilities" best-practice model, what are the five capability areas a sec...
Gartner groups security work into five capability domains: Governance/Risk/Program Management, Infrastructure & Data Protection, Identity & Access Management, a Security Operations Center, and Administration.
Using Gartner's best-practice approach to map "what do we do," the five...
Q From an auditee's (frontline) perspective, what are the key DO's and DON'Ts when being audited?
DO: prepare ahead, answer courteously and concisely with facts, support statements with evidence, and bring in specialists when you don't know. DON'T: volunteer information, jump to conclusions, dramatize, criticize, or guess.
DO
DO NOT
Plan ahead — anticipate obvious ques...
Q What are the major information security standards and frameworks?
The key standards are ISO 27000 series, BSI 200-x, BSI Grundschutz, NIST CSF, and the Swiss ICT Minimal Standard.
* The major standards & frameworks — ISO 27000 series, BSI 200-x/Grundschutz, NIST CSF, Swiss ICT Minimal Standard. *
Standard/Framework
Origin
Focus
ISO 2700...
Q What are the six core standards in the ISO 27000 family and what does each one cover?
The ISO 27000 family includes 27000 (vocabulary), 27001 (requirements), 27002 (controls), 27003 (implementation), 27004 (measurement), and 27005 (risk management).
* The six core ISO 27000 standards — only 27001 (requirements) is certifiable. *
There are over 50 standards in the...
Q What are the process and system building block layers in the BSI IT-Grundschutz-Kompendium?
Process building blocks cover organizational aspects (ISMS, ORP, CON, OPS, DER), while system building blocks cover technical components (IND, APP, SYS, NET, INF).
* The Schichtenmodell — process (organizational) blocks above, system (technical) blocks below. *
Process Building...