What is the German document pyramid ("Security Framework"), and what belongs to each layer?
Politik → Konzept → Regelwerk → Aufzeichnungen — from normative direction at the top to operational records at the bottom.
* The German security framework — Politik → Konzept → Regelwerk → Aufzeichnungen, normativ at top to operativ at base. *
| Layer | Content |
|---|---|
| Politik (policy) | Ziel, Zweck und Grundsätze der Informationssicherheit; the ISMS mandate |
| Konzept (concepts) | Anforderungen, Organisation und Vorgehen zur Umsetzung des ISMS |
| Regelwerk (rules) | Concrete rules: Zutritt/Zugriff (physical/logical access), Wartung, Verschlüsselung, Pflege, Betrieb |
| Aufzeichnungen (records) | Besucherlisten, System-Logs, Auditberichte, Logbücher, Protokolle |
The pyramid is the "sichere Fundament" of the security organization: with this framework, the foundation for uniform security management throughout the company is laid — one consistent cascade rather than scattered documents.
Tip: The vertical axis runs from normativ (top) to operativ (bottom) — exactly mirroring the three management levels (normative/strategic/operational) plus an evidence layer. Width = volume: one Politik, but thousands of Aufzeichnungen.