Information Security Management: ISIS12 – Information security for small and medium-sized businesses

What is ISIS12?

  • A procedure model for building an information security management system (ISMS)
  • Can serve as a preliminary stage towards ISO/IEC 27001 or BSI IT-Grundschutz certification
  • Implemented with the help of qualified ISIS12 providers

Why ISIS12?

  • Reduced catalogue of measures compared with BSI IT-Grundschutz
  • Certification by specially trained DQS auditors
  • Implementation based on the ISIS12 manual and the ISIS12 catalogue of measures
  • Support from the purpose-built ISIS12 software tool


Small and medium-sized businesses still attach too little importance to IT security. Technical controls such as virus scanners, firewalls and spam filters may have become standard in SMBs, but an integrated information security management system is still a rarity in smaller businesses.

A network of 10 businesses and 2 universities has created ISIS12, an information security management system for smaller businesses that is straightforward to set up and can be introduced in just 12 steps. The Federal Office for Information Security's (BSI) IT-Grundschutz recommendations and the ISO/IEC 27001 and 27002 standards served as its basis. For ISIS12, a catalogue of measures was developed that contains only those measures relevant to small and medium-sized businesses. This strikes a balance between the catalogues of measures in the two standards and makes it easier for businesses to introduce an information security management system.

As a rule it is very difficult for smaller businesses to introduce standards such as ISO/IEC 27001 or BSI IT-Grundschutz. ISIS12, a newly developed procedure tailor-made for these businesses, enables them to take the first steps towards an adequate level of information security.

With the introduction of ISIS12, structures are established in the company that are essential for later ISO/IEC 27001 or BSI IT-Grundschutz certification.

Smaller businesses that introduce ISIS12 receive the ISIS12 manual, which covers the efficient design of information security management systems in smaller businesses, as well as the supporting ISIS12 software tool. Appropriately trained ISIS12 service providers supervise and support the businesses during the introduction of ISIS12.

The first customer ISIS12 project was launched in October 2012. The aim of the pilot project was to minimise the risks to the business by introducing an ISIS12 information security management system, which is designed to optimise and monitor the processes relevant to IT security. Numerous other businesses are also interested in introducing an ISIS12 information security management system.



Felix Struve
ISIS12, ISA+ Informations-Security-Analysis, DGO

Tel: +49 941 - 604 889 15
felix.struve-itsec@