IT security concept: structure, content and implementation
An IT security concept systematically documents all measures taken to protect information security within an organization. It serves as the foundation for an ISMS in accordance with ISO 27001 or BSI IT-Grundschutz and is a prerequisite for certification.
An IT security concept is a structured document that describes all organizational and technical measures for protecting a company's IT infrastructure, data, and business processes. It answers three key questions: What are we protecting? What are we protecting it from? And how are we protecting it?
The concept is not a one-time project but a living document that is updated regularly. In many industries an IT security concept is required by law, for example by the NIS 2 Directive for critical infrastructure, by the GDPR for personal data, or by industry-specific requirements such as BAIT (banks) and B3S (KRITIS operators).
Distinction: IT Security Concept vs. ISMS
An IT security concept describes what is to be implemented. An Information Security Management System (ISMS) according to ISO 27001 additionally describes how security is continuously managed, monitored, and improved. The IT security concept is therefore an essential component of an ISMS, but not the entire ISMS.
| Aspect | IT Security Concept | ISMS (ISO 27001) |
|---|---|---|
| Scope | Technical and organizational measures | Entire management system |
| Documentation | A central document with appendices | Document hierarchy (guidelines, policies, procedures) |
| Ongoing | Periodic updates | Continuous PDCA cycle |
| Certifiable | Not independently | Yes (ISO 27001, BSI IT-Grundschutz) |
| Mandatory | Often required by regulations | Voluntary, but increasingly required |
Components of an IT Security Concept
A comprehensive IT security concept consists of seven core areas:
1. Scope and Protection Goals
The scope defines which systems, locations, and processes the concept covers. The protection goals are based on the CIA triad:
- Confidentiality: Only authorized persons have access to information
- Integrity: Data is complete and unaltered
- Availability: Systems and data are accessible when needed
Depending on the industry, additional protection goals may apply: authenticity, non-repudiation, data protection, or resilience.
2. Asset Inventory
Before risks can be assessed, it must be clear what needs to be protected:
- Hardware: Servers, clients, network devices, IoT devices, mobile devices
- Software: Operating systems, applications, databases, cloud services
- Data: Customer data, financial data, intellectual property, configuration data
- Processes: Business-critical processes dependent on IT
- Personnel: Roles with privileged access, external service providers
A protection requirement is determined for each asset: normal, high, or very high. This classification according to BSI IT-Grundschutz or the assessment according to ISO 27001 Annex A determines which measures are necessary.
3. Risk Analysis and Assessment
The risk analysis identifies threats and assesses their probability of occurrence and potential severity:
Threat Categories:
- Force majeure (fire, flooding, power outage)
- Organizational deficiencies (missing processes, unclear responsibilities)
- Human error (misconfiguration, social engineering)
- Technical failure (hardware defects, software bugs)
- Intentional acts (hacking, malware, insider threats)
Assessment Matrix (Example):
| Probability of Occurrence | Low Damage | Medium Damage | High Damage | Very High Damage |
|---|---|---|---|---|
| Rare | Low | Low | Medium | Medium |
| Possible | Low | Medium | High | High |
| Probable | Medium | High | High | Very high |
| Very likely | Medium | High | Very high | Very high |
A treatment strategy is defined for each identified risk: avoid, mitigate, transfer (e.g., cyber insurance), or accept.
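The matrix above applied to a small inventory, as an added example that is not code from the original article: the protection requirement of each asset (section 2) is derived with the maximum principle across hosting dependencies, mapped to a damage class, rated against the matrix, and flagged for treatment. Asset names, dependencies and threat ratings are constructed; the protection-to-damage mapping and the acceptance threshold are assumptions a real concept must state explicitly.

```python
"""Applying the assessment matrix above to a constructed asset inventory.
Added example, not from the original article; the protection-to-damage
mapping and the acceptance threshold are assumptions a real concept must state."""

PROBABILITY = ["rare", "possible", "probable", "very likely"]  # matrix rows
DAMAGE = ["low", "medium", "high", "very high"]                 # matrix columns (and risk scale)
MATRIX = [  # cells exactly as in the table above
    ["low", "low", "medium", "medium"],
    ["low", "medium", "high", "high"],
    ["medium", "high", "high", "very high"],
    ["medium", "high", "very high", "very high"],
]
PROTECTION = ["normal", "high", "very high"]  # BSI IT-Grundschutz levels
# Assumption: an asset's protection requirement bounds the damage class of any
# threat that fully compromises it.
DAMAGE_FOR_PROTECTION = {"normal": "medium", "high": "high", "very high": "very high"}
ACCEPTABLE = {"low", "medium"}  # assumption: anything above needs avoid/mitigate/transfer

def risk_level(probability: str, damage: str) -> str:
    """Cell lookup in the assessment matrix."""
    return MATRIX[PROBABILITY.index(probability)][DAMAGE.index(damage)]

def protection_requirement(asset: str, own: dict, hosts: dict) -> str:
    """Maximum principle (BSI-Standard 200-2): a system that hosts other assets
    inherits the highest requirement among them, recursively."""
    inherited = [protection_requirement(d, own, hosts) for d in hosts.get(asset, [])]
    return max([own[asset]] + inherited, key=PROTECTION.index)

def assess(register: list, own: dict, hosts: dict) -> list:
    """Rate every (asset, threat, probability) entry and flag the ones the
    action plan must treat, most severe first."""
    rows = []
    for asset, threat, probability in register:
        damage = DAMAGE_FOR_PROTECTION[protection_requirement(asset, own, hosts)]
        level = risk_level(probability, damage)
        rows.append({"asset": asset, "threat": threat, "risk": level,
                     "treat": level not in ACCEPTABLE})
    return sorted(rows, key=lambda r: -DAMAGE.index(r["risk"]))

# Constructed sample inventory: one hypervisor runs the ERP database and a file server.
OWN = {"erp-db": "high", "file-server": "normal", "hypervisor": "normal"}
HOSTS = {"hypervisor": ["erp-db", "file-server"]}
REGISTER = [("erp-db", "ransomware", "probable"),
            ("file-server", "hardware defect", "possible"),
            ("hypervisor", "misconfiguration", "rare")]
```

Note that the hypervisor is rated against the "high" damage class although its own requirement is "normal", because it hosts the ERP database; that inheritance is what the inventory step must capture.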
4. Technical Measures
The technical measures form the operational protection layer:
Network Security:
- Firewall architecture with DMZ segmentation
- Intrusion Detection/Prevention (IDS/IPS)
- VPN for remote access
- Network segmentation based on protection requirements
Endpoint protection:
- Endpoint Detection & Response (EDR)
- Disk encryption (BitLocker, FileVault)
- Application whitelisting
- Patch management with defined SLAs
Identity and access management:
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) for all privileged access
- Privileged Access Management (PAM)
- Regular recertification of permissions
Data backup:
- 3-2-1 backup rule: 3 copies, 2 different media, 1 offsite
- Regular restore tests
- Encryption of backups
- Retention periods in accordance with GDPR and GoBD
Email security:
- SPF, DKIM, and DMARC configured
- Email gateway with malware scanning
- Phishing detection and quarantine
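"SPF, DKIM, and DMARC configured" is only a protective measure if the records are strict; the following added example (not code from the original article) checks an SPF and a DMARC TXT record for the settings that leave spoofing unblocked: a DMARC policy of p=none, a weaker subdomain policy, pct below 100, no aggregate-report address, a permissive or missing SPF all mechanism, and too many DNS-lookup terms. The records are constructed sample data; a real check would fetch them via DNS first.

```python
"""Checking SPF and DMARC TXT records for weak settings.
Added example, not from the original article; the records below are constructed
sample data (a real check would fetch the TXT records via DNS first)."""
import re

STRICT = ("quarantine", "reject")  # DMARC policies that act on failing mail
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record: str) -> list:
    """Findings for a DMARC record; an empty list means nothing weak was found."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "")
    findings = []
    if policy not in STRICT:
        findings.append(f"p={policy or 'missing'}: spoofed mail is only monitored, not blocked")
    if tags.get("sp", policy) not in STRICT:
        findings.append("subdomain policy (sp) is weaker than quarantine/reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to a sample of messages only")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected")
    return findings

def check_spf(record: str) -> list:
    """Findings for an SPF record: permissive 'all' qualifier and lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None or all_term.lower() in ("all", "+all", "?all"):
        findings.append(f"'{all_term or 'missing all'}' lets any sender pass")
    elif all_term.lower() == "~all":
        findings.append("~all only softfails; prefer -all once all senders are listed")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10")
    return findings
```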
5. Organizational Measures
Technology alone is not enough—people and processes must also be addressed:
- Security policies: Password policy, clean desk policy, BYOD regulations, work-from-home policy
- Role allocation: Information Security Officer (ISB), IT management, Data Protection Officer, Executive Management
- Security Awareness: Regular training, phishing simulations, awareness campaigns
- Service provider management: Security requirements in contracts (General Terms and Conditions, SLA), regular audits
- Change Management: Approval and testing processes for IT changes
6. Emergency Management
Emergency management describes the procedure for security incidents:
- Reporting Channels: Who reports to whom? (internal and external – BSI, data protection authority, law enforcement)
- Escalation Levels: When does an event become an incident, and when does it become a crisis?
- Incident Response Playbooks: Predefined procedures for ransomware, data breaches, and account compromises
- Business Continuity: Recovery plans for business-critical systems with defined RTOs and RPOs
- Crisis Drills: At least annual tabletop exercises with management participation
7. Review and Further Development
An IT security concept is only as good as its last update:
- Regular Audits: Internal review of measure implementation (at least annually)
- Penetration tests: Technical review by external experts
- Key metrics: Patch compliance rate, MTTR (Mean Time to Respond), number of open vulnerabilities
- Management review: Annual report to senior management with recommendations
- Ad hoc updates: Following incidents, organizational changes, or new threat landscapes
Procedure: Creating an IT Security Concept in 6 Steps
Step 1: Initiation and Scope Definition
Senior management commissions the project and defines its scope. Without management commitment, most security projects fail due to a lack of resources.
Step 2: Inventory
Record all IT assets, document dependencies, and determine protection requirements. Tools such as asset management systems and network scanners support this phase.
Step 3: Risk Analysis
Identify threats, evaluate existing measures, and determine residual risks. The methodology is based on the selected framework (BSI 200-3 or ISO 27005).
Step 4: Action Planning
For each unacceptable risk, specific measures are defined—including the person responsible, budget, timeline, and success criteria.
Step 5: Implementation
The measures are implemented in order of priority. Quick wins (MFA activation, patch management) take precedence over long-term projects (network segmentation, SIEM implementation).
Step 6: Documentation and Review
The entire concept is documented, approved by management, and incorporated into a regular review cycle.
Regulatory Requirements
Depending on the industry and company size, different obligations apply:
| Regulation | Affected Parties | Obligation |
|---|---|---|
| GDPR Art. 32 | All companies handling personal data | Technical and organizational measures (TOMs) |
| NIS 2 Directive | Essential and important entities (50+ employees / €10 million) | Risk management measures, reporting obligations |
| KRITIS (BSI-KritisV) | Operators of critical infrastructure | Proof of adequate IT security every 2 years |
| BAIT/MaRisk | Credit institutions | Information security management, appointment of an Information Security Officer (ISB) |
| TISAX | Automotive suppliers | Information security according to VDA ISA |
| B3S | KRITIS operators (industry-specific) | Industry-specific security standard |
Common Mistakes When Creating the Concept
- No management buy-in: Without support from senior management, there is a lack of budget and enforcement power
- Too broad a scope: It’s better to start with the most critical area and expand gradually
- Technology only, no organizational measures: Firewalls don’t help against social engineering
- Created once, never updated: An outdated plan lulls those responsible into a false sense of security
- Copy-pasting from templates: Every company has unique risks—generic concepts fall short
- No drills: An emergency plan that has never been rehearsed won’t work in a real emergency
IT Security Concept and Penetration Tests
A penetration test provides valuable input for the IT security concept: it uncovers real vulnerabilities that a purely theoretical risk analysis overlooks. The results feed directly into the action plan and validate protective measures already in place.
Conversely, the IT security concept defines the scope and priorities for penetration tests: systems with a high protection requirement are tested more frequently and more thoroughly.
About the Author
M.Sc. in IT Security with over 5 years of experience in offensive security analysis. Leads penetration testing engagements with a specialization in web applications, network infrastructure, reverse engineering, and hardware security. Credited with several responsible disclosures.