Quiz Entry - updated: 2026.07.14
What is ISIS12, and where does it fit in the ISMS landscape?
ISIS12 is a lightweight 12-step ISMS for small and mid-size organisations, developed by the Bayerischer IT-Sicherheitscluster — easier than ISO 27001 but not internationally recognised.
ISIS12 ("Informations-Sicherheitsmanagement in 12 Schritten") gives a fixed cookbook:
- Leitlinie erstellen — basic security policy stating goals and target security level.
- Mitarbeiter sensibilisieren — awareness training; involve all staff in the IS process.
- IS-Team aufbauen — set up the org: ISB (security officer), DSB (data-protection officer), IT staff, user reps.
- IT-Dokumentation aufbauen — framework/operations/emergency docs, a "central base template".
- IT-Service-Management einführen (ITIL-style) — define the base processes: maintenance, change, incident.
- Kritische Anwendungen identifizieren — business-impact analysis (CIA, max. tolerable downtime / MTA, SLA).
- IT-Struktur analysieren — map applications to systems and infrastructure; inherit protection needs.
- Sicherheits-Massnahmen modellieren — pick the matching Bausteine from the ISIS12 catalogue.
- Ist-Soll-Vergleich — gap analysis against the catalogue (possibly a first maturity rating).
- Umsetzung planen — cost estimate, prioritise and consolidate the measures.
- Umsetzen — actually deploy controls (define responsibilities, deadlines, resources).
- Revision — review plan, continuous improvement through further cycles, optional certification.
Pros / Cons (recurring across all ISMS frameworks):
| Pro | Contra |
|---|---|
| Simple, very concrete | License fee |
| Tailored to KMU | Not internationally recognised |
| Doesn't scale to large orgs |
Tip: If your customer is a 30-person German SME with no compliance pressure, ISIS12 may be the right tool. If they sell into US enterprise, they'll be asked for ISO 27001 instead.
Go deeper:
ISIS12 / CISIS12 — the 12-step ISMS for SMEs and municipalities from the Bavarian IT-Sicherheitscluster, and its successor CISIS12.