LOGBOOK

HELP

Quiz Entry - updated: 2026.06.04

Which external and company-specific documents form the input for an ISMS?

External: laws, regulatory requirements, standards, and frameworks. Company-specific: mission statement, corporate strategy, and IT governance.

Externe Dokumente:

  1. Gesetzliche Grundlagen — laws and ordinances (e.g. data protection law)
  2. Regulatorische Vorgaben — industry-dependent rules (banking supervision, health care, …)
  3. Standards — ISO 2700x, BSI 200-x, COBIT, ITIL, …
  4. Frameworks — e.g. the NIST Cybersecurity Framework

Firmenspezifische Dokumente:

  1. Mission Statement of the company
  2. Strategie of the company
  3. Governance der IT

Why this matters: a security policy is never written on a blank page — it must derive from these inputs. Auditors check the chain: does the policy reference the laws that apply? Does it align with corporate strategy? A policy contradicting the company's mission statement loses every escalation.

From Quiz: ISM / Policies, Concepts & Guidelines | Updated: Jun 04, 2026