Quiz Entry - updated: 2026.07.05
What are the high-level phases of an ISMS implementation?
1) Identify dependencies & analyse risks → 2) Align with management → 3) Define the security guideline (Leitlinie) → 4) Implement the security process (concepts, organisation, awareness, controls, emergency, audit) → 5) Audit and improve.
* The five ISMS-implementation phases as a serpentine — step 5 (audit) loops back to step 1 (PDCA in disguise). *
The canonical ISMS roadmap:
- Erkennen der Abhängigkeiten, Risikoanalyse — what does the business depend on, what could go wrong?
- Abstimmen mit Management — leadership commits to scope, budget, risk appetite (without this, step 3 is theatre).
- Informations-Sicherheitsleitlinie — the top-level policy that codifies management's intent.
- IS-Prozess — the operational machinery: IS-Konzepte, Organisation, Notstand (emergency), Grundschutz, Umsetzung, Awareness, Weisungen.
- Audit — measure the gap between design and reality, feed it into the next iteration.
This is a PDCA cycle in disguise: step 5 loops back to step 1 (continuous improvement).
Tip: Many failed ISMS projects skip step 2 and jump straight to writing policies. Without management sponsorship, the project lacks budget, authority, and the political cover to enforce unpopular controls.
Go deeper:
Information security management — the ISMS lifecycle (risk analysis, policy, controls, review) behind these five phases.