
King of the Audits
27001
Whitepaper
The European Union (EU) encourages businesses to strengthen their information security and resilience through regulations such as the Network and Information Security 2 (NIS2) Directive, the Critical Entities Resilience (CER) Directive, and the Digital Operational Resilience Act (DORA), with a particular focus on companies in critical infrastructures (CRITIS).
German financial market participants are subject to dual regulatory standards under NIS2 and DORA if they operate critical infrastructure facilities as well.
Companies must address recurring security requirements from ever-emerging regulations and continuously demonstrate compliance.
Information security and resilience must be organised as part of a management system.
With an information security management system (ISMS) in accordance with the ISO standard 27001, companies achieve legal agility and, if desired, certified security maturity.
The development of an ISMS should be managed as a project in smaller organisations, or as a program in larger organisations.
This white paper presents a certificate-proven process model for setting up and operating an ISMS.

Dr. Waldemar Grudzien
Managing Director

Nadine Hofmann
Director
How can we help?
We are happy to help you with the strategic planning and concrete implementation of your project in the area of IT and information security.