LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the high-level phases of an ISMS implementation?

1) Identify dependencies & analyse risks → 2) Align with management → 3) Define the security guideline (Leitlinie) → 4) Implement the security process (concepts, organisation, awareness, controls, emergency, audit) → 5) Audit and improve.

Five-step serpentine from dependencies/risk analysis through management, policy, IS-process to audit, looping back to step one

* The five ISMS-implementation phases as a serpentine — step 5 (audit) loops back to step 1 (PDCA in disguise). *

The canonical ISMS roadmap:

  1. Erkennen der Abhängigkeiten, Risikoanalyse — what does the business depend on, what could go wrong?
  2. Abstimmen mit Management — leadership commits to scope, budget, risk appetite (without this, step 3 is theatre).
  3. Informations-Sicherheitsleitlinie — the top-level policy that codifies management's intent.
  4. IS-Prozess — the operational machinery: IS-Konzepte, Organisation, Notstand (emergency), Grundschutz, Umsetzung, Awareness, Weisungen.
  5. Audit — measure the gap between design and reality, feed it into the next iteration.

This is a PDCA cycle in disguise: step 5 loops back to step 1 (continuous improvement).

Tip: Many failed ISMS projects skip step 2 and jump straight to writing policies. Without management sponsorship, the project lacks budget, authority, and the political cover to enforce unpopular controls.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026