
Information Security Officer (Informationssicherheitsbeauftragter, ISB)

The ISB is responsible for the ISMS, risk analyses, and compliance. This article covers responsibilities, qualifications, NIS-2 requirements, and a comparison of internal versus external ISBs for companies.


The Informationssicherheitsbeauftragter (ISB), the role known in English-speaking countries as Information Security Officer (ISO) or Chief Information Security Officer (CISO), plays a central role in establishing, operating, and continuously improving information security management within a company or public authority. The ISB serves as the point of contact for all security-related issues, acts as the interface between technology and management, and is a legally required role for a growing number of organizations.

Definition and Distinctions

The ISB is responsible for the confidentiality, integrity, and availability (CIA triad) of all an organization’s information assets—regardless of whether the information is digital or physical.

Important distinctions:

  • ISB vs. Data Protection Officer (DPO): The DPO protects personal data in accordance with the GDPR. The ISB protects all corporate information from a security perspective. In small companies, both roles may be combined in a single person, but they should be separated in the long term: Art. 38(6) GDPR requires that the DPO's other duties do not create a conflict of interest, and the ISB sets security requirements that the DPO is supposed to assess independently.
  • ISB vs. IT Manager: The IT Manager is responsible for operating the IT infrastructure. The ISB monitors and manages security and must be able to evaluate IT operations critically. Combining these roles is problematic because the person would audit their own work.
  • ISB vs. CISO: In larger organizations, the CISO assumes a more strategic role with a direct reporting line to senior management. In medium-sized companies, the ISB and CISO are often the same person.

Responsibilities of the ISB

ISMS Management

The ISB is primarily responsible for establishing and operating the Information Security Management System (ISMS). They define the scope, select the underlying framework (ISO 27001, BSI IT-Grundschutz, or both), develop the information security policy, and monitor compliance.

Risk Analysis and Mitigation

Regular risk analyses form the core of the ISB’s mandate: identifying threats, assessing the probability of occurrence and potential damage, prioritizing measures, and tracking their implementation. In doing so, the ISB works closely with the business departments.
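The scoring and prioritization described above, as an added example (not code from the original article or from AWARE7): a minimal risk register that scores each threat scenario as likelihood × impact, maps the score onto risk levels, sorts the register for treatment, and tracks residual risk so that only a completed measure lowers the reported risk. The 1 to 4 scales, the level thresholds and the four sample scenarios are assumptions constructed for illustration, not BSI or ISO values; an organization fixes its own scales in the ISMS policy.

```python
from dataclasses import dataclass
from typing import List, Optional

SCALE = range(1, 5)  # assumed 1..4 scale for likelihood and impact

# Assumed level bands by score (max score is 16); an ISMS defines its own.
THRESHOLDS = [(12, "critical"), (8, "high"), (4, "medium"), (1, "low")]


def classify(score: int) -> str:
    """Map a likelihood*impact score onto the assumed risk level bands."""
    for floor, level in THRESHOLDS:
        if score >= floor:
            return level
    raise ValueError(f"score out of range: {score}")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    owner: str
    measure: str = ""
    status: str = "open"                       # open | in progress | done
    residual_likelihood: Optional[int] = None  # estimate after the measure
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{self.threat}: rating {value} outside 1..4")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # Only a finished measure reduces the risk we report to management;
        # a planned or half-done measure leaves the gross score in place.
        if self.status == "done" and self.residual_likelihood and self.residual_impact:
            return self.residual_likelihood * self.residual_impact
        return self.score


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest gross score first; ties go to the scenario with the larger damage."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def needs_acceptance(risks: List[Risk], floor: str = "high") -> List[Risk]:
    """Risks whose residual level is still at or above the band that
    management must explicitly accept or fund further measures for."""
    order = [level for _, level in THRESHOLDS]  # critical, high, medium, low
    return [r for r in risks
            if order.index(classify(r.residual_score)) <= order.index(floor)]


def sample_register() -> List[Risk]:
    """Constructed sample scenarios for a small hospital, not real data."""
    return [
        Risk("Patient record system", "Ransomware via phishing", 3, 4, "Head of IT",
             "MFA for remote access, offline backups", "done", 2, 3),
        Risk("Mail server", "Credential stuffing on webmail", 4, 2, "Head of IT",
             "Rate limiting, breached-password check", "in progress", 2, 2),
        Risk("Laptop fleet", "Loss of an unencrypted device", 2, 3, "ISB",
             "Full-disk encryption rollout", "open"),
        Risk("Server room", "Tailgating into the server room", 3, 2, "Facility management",
             "Badge readers, visitor log", "done", 1, 2),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in prioritize(register):
        print(f"{r.score:>2} {classify(r.score):<8} -> residual {r.residual_score:>2} "
              f"{classify(r.residual_score):<8} {r.threat} [{r.status}, owner: {r.owner}]")
    print("Needs management acceptance:",
          [r.threat for r in needs_acceptance(register)])
```

The point of the residual column is the one ISBs most often get wrong in practice: a measure that is budgeted but not implemented does not reduce risk, so the credential-stuffing scenario stays in the acceptance list until its status is "done".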

Policies and Security Concepts

The ISB creates and maintains the entire policy framework: password policy, access rights concept, mobile device policy, clean desk policy, incident response plan, and others. The ISB ensures that all policies are up to date, practical, and communicated to the people who have to follow them.

Internal Audits and Controls

At least once a year, the ISB conducts internal audits to verify the effectiveness of the ISMS. The results are incorporated into the management review and form the basis for continuous improvement (PDCA cycle).

Training and Security Awareness

Attacks on people, above all phishing, remain one of the most common ways attackers gain initial access. The ISB designs training programs tailored to specific target groups, ranging from phishing simulations to executive briefings.

Incident Management

In the event of security incidents, the ISB coordinates the response, documents the incident, and ensures compliance with reporting obligations. Under NIS-2, for example, a significant incident triggers an early warning to the competent authority within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month.

Compliance and Regulation

The ISB monitors the legal landscape and derives implications for the ISMS: new legal requirements (NIS-2, DORA, §8a BSIG), industry-specific standards (B3S for healthcare, MaRisk), and technical requirements (the BSI IT-Grundschutz modules).

Qualification Requirements

Recognized Certifications

Certification | Issuer | Focus
ISO 27001 Lead Implementer | PECB, BSI Group | ISMS establishment and operation
ISO 27001 Lead Auditor | PECB, BSI Group | ISMS auditing
BSI IT-Grundschutz Consultant | BSI | German IT-Grundschutz standard
CISSP | ISC² | Broad security knowledge (for experienced practitioners)
CISM | ISACA | Security management and strategy
Information Security Officer (TÜV/DEKRA) | TÜV Süd, DEKRA | Practical ISB training

Technical Requirements

  • Knowledge of ISO 27001 / BSI IT-Grundschutz
  • Understanding of IT infrastructure, networks, and applications
  • Knowledge of relevant legal frameworks (GDPR, BSIG, NIS-2, industry-specific)
  • Experience in risk analysis and project management

Personal Competencies

  • Strong communication skills at the management and technical levels
  • Analytical thinking and sound judgment in complex situations
  • Assertiveness and independence vis-à-vis other departments
  • Willingness to engage in continuous professional development

Internal ISB vs. External ISB

Feature | Internal ISB | External ISB
Cost | €90,000–€150,000/year (all-inclusive) | €1,500–€5,000/month (retainer)
Availability | Full-time on-site | As needed, remote-capable
Onboarding period | 6–12 months | Operational immediately
Knowledge base | Single company | Multiple clients, broad experience
Up to date | Depends on personal initiative | Continuously updated due to client diversity
Independence | Internal dependencies possible | Neutral and unbiased
Scalability | Rigid | Flexibly adaptable
Risk of absence | Illness/resignation | Service provider provides a replacement
BSI recommendation | Plan for at least 0.5 FTE | Full task fulfillment possible

For small and medium-sized enterprises, the external ISB is usually the more economically sensible choice: lower fixed costs, immediate access to the required qualifications, and no dependence on a single person.

NIS-2 Directive (transposition deadline 17 October 2024)

The EU NIS-2 Directive (implemented in Germany by the NIS2UmsuCG) obliges "particularly important" and "important" entities (in the Directive's own terms, essential and important entities) to implement cybersecurity risk management measures, which in practice means designating a person responsible for cybersecurity. Affected sectors include energy, transportation, banking, healthcare, drinking water, digital infrastructure, public administration, and others. Management must approve and oversee the measures and can be held personally liable for breaches of this duty.

BSIG §8a (KRITIS operators)

Operators of critical infrastructure under §2(10) BSIG must demonstrate to the BSI every two years that appropriate technical and organizational measures have been taken—which is effectively impossible without a qualified ISB and a documented ISMS.

ISO 27001 Certification

Clause 5.3 of ISO/IEC 27001:2022 (organizational roles, responsibilities and authorities) requires top management to assign and communicate responsibilities for information security explicitly. Certification cannot be achieved without a designated ISB or an equivalent role.

Industry-Specific Requirements

  • Healthcare: Section 75c of the German Social Code, Book V (SGB V) requires hospitals to implement state-of-the-art IT security measures
  • Financial sector: MaRisk (BaFin) and DORA require documented IT risk management
  • Public administration: BSI IT-Grundschutz is mandatory for federal agencies

The ISB in the ISMS Context

The ISMS operates according to the PDCA cycle (Plan-Do-Check-Act), and the ISB is the driving force behind each phase:

  1. Plan: Risk analysis, planning of measures, development of guidelines
  2. Do: Implementation of measures, training, operational security work
  3. Check: Internal audits, key metric collection, incident analysis
  4. Act: Management review, improvement measures, ISMS further development

Practical Tip: Getting Started in the ISB Role

If you are appointing an ISB in your company for the first time—whether internal or external—the following approach is recommended:

  1. Gap Analysis: Assessment of the current security level against ISO 27001 or BSI IT-Grundschutz
  2. Scope Definition: Determining which areas and systems are covered by the ISMS
  3. Risk Analysis: Identification of key threat scenarios and protection requirements
  4. Guideline: Adoption of an information security policy by senior management
  5. Quick Wins: Implementation of the most critical measures with low effort and high impact
  6. Continuous Improvement: Establish a PDCA cycle, plan audits

Further information: External ISB from AWARE7 GmbH


This article was last edited on 08.03.2026. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
