Quiz Entry - updated: 2026.06.04
Which external and company-specific documents form the input for an ISMS?
External: laws, regulatory requirements, standards, and frameworks. Company-specific: mission statement, corporate strategy, and IT governance.
Externe Dokumente:
- Gesetzliche Grundlagen — laws and ordinances (e.g. data protection law)
- Regulatorische Vorgaben — industry-dependent rules (banking supervision, health care, …)
- Standards — ISO 2700x, BSI 200-x, COBIT, ITIL, …
- Frameworks — e.g. the NIST Cybersecurity Framework
Firmenspezifische Dokumente:
- Mission Statement of the company
- Strategie of the company
- Governance der IT
Why this matters: a security policy is never written on a blank page — it must derive from these inputs. Auditors check the chain: does the policy reference the laws that apply? Does it align with corporate strategy? A policy contradicting the company's mission statement loses every escalation.