Election Glossary

We provide explanations and background information on elections, voting rights and digital democracy

IT Risk Management

IT risk management denotes a procedure developed by the BSI (Ministry of Security) for corporate information technology to identify and apply safety measures. 

The goal of IT risk management 
IT-risk managment is meant to achieve an average, appropriate and  sufficient level of protection for IT systems. 

The development of the IT risk management entails a detailed risk analysis. Taking a danger standard for IT systems, it is then split into three categories. Based on these, the respective safety measures and protection programs can be found in  IT-risk management catalogues

The IT risk management was first established in 1994, and then thoroughly revised in 2005. Since then, the BSI published IT security management in the  IIT-security management catalogues and BSI standrads. 

Together there are four BSI-Standards. These discuss the establishment of an information security management system (ISMS), IT risk management procedure and the conducting a risk analysis for IT systems with high as well as very high protection needs.  

  • BSI-Standard 100-1 describes different possibilities for information security systems management
  • BSI-Standard 100-2 describes the procedures of IT risk management 
  • BSI-Standard 100-3 describes the risk analysis on the grounds of IT risk management 
  • BSI-Standard 100-4  describes what is to be done in case of emergency 

The IT Risk Management Catalogues 
The IT Risk Management Catalogues contain a collection of documents which explain the running of and the setting up of an information security management system (ISMS).  They also define for example, the components, dangers as well as safety measures for an ISMS.  With the help of an IT risk management catalogue it is possible to identify and apply the approporate safety measures.

Procedures for setting up IT Risk Management
The setting up of IT risk management involves eight steps:

  1. Defining the information network 
  2. Running an IT structure analysis
  3. Establishing the protection needs
  4. Designing the IT risk management 
  5. Running a base security check 
  6. Running an overall security analysis (potentially with following risk analysis)
  7. Consolidating the security measures 
  8. Implementing IT risk management security measures 

The IT Risk Management Certificate 
The BSI gives out a Certificate SO/IEC 27001 for the successful implementation of IT risk management with an established ISMS.
These are given out for the risk management categories one and two on the basis of self-declarationn. For category three  a testing of IT risk management is needed by one of BSI's licensed, independent auditors.

See also: IT Security, Backups, Data Security, BSI

< Go back