Glossary
Everything you need to know about information security, ISMS, IT-Grundschutz and ISO 27001.
Assets
Assets are stocks of objects that are required for a specific purpose, particularly to achieve business objectives. The English term ‘asset’ is often translated as ‘value’ (‘Wert’). In German, however, value is a term with many meanings, from the social significance of an object to its intrinsic quality. In IT-Grundschutz, the term ‘assets’ is used in the sense of ‘target objects that are valuable or worth protecting’.
Building blocks
The IT-Grundschutz Compendium contains explanations of the risk situation, security requirements and further information for different procedures, components and IT systems, each of which is summarised in a building block (module). The IT-Grundschutz Compendium has a modular structure based on these building blocks and focuses on presenting the essential security requirements within them. The basic structure of the IT-Grundschutz Compendium divides the building blocks into process-orientated and system-orientated building blocks, which are additionally sorted by topic into a layer model.
Basic Security
As an introduction to IT-Grundschutz, basic protection makes it possible to carry out broad, fundamental initial protection across all business processes and specialised procedures of an institution.
CISO/ISB
The CISO (Chief Information Security Officer) or the ISB (Information Security Officer) is responsible for planning, controlling and monitoring information security within an organisation. They develop security strategies, initiate measures to minimise risks and ensure that legal, regulatory and internal company information security requirements are met.
While the CISO typically acts at management level and is strategically orientated, the ISB is often responsible for operational implementation and coordination as part of the information security management system (ISMS).
Scope
A scope comprises the entirety of infrastructural, organisational, personnel and technical components that serve to fulfil tasks in a specific area of information processing.
Business processes
A process that generates a visible or immediate benefit (direct value creation).
ISMS
An Information Security Management System (ISMS) is the backbone of information security within your organization. It encompasses a series of processes, rules, and technologies aimed at continuously ensuring and improving the protection of data and information. An ISMS ensures that sensitive information remains secure, risks are managed, and compliance requirements are met. Certification by external auditors (e.g., according to ISO 27001, BSI IT-Grundschutz, TISAX®, SOC2) demonstrates that your company adheres to high standards in information security management.
Information network
The information network is the same as the scope. The term information network is used by the BSI instead of the term scope.
Core Security
The core protection initially focuses on the business processes and assets that are particularly at risk.
Accumulation effect
The accumulation effect describes the fact that the protection requirements of an IT system can increase when several (e.g. smaller) losses accumulate on that system and together result in a higher overall loss. It can also be triggered by several IT applications or a large amount of sensitive information being processed on one IT system, so that the accumulated damage results in higher overall damage.
Maximum principle
According to the maximum principle, the damage or the sum of the damage with the most serious effects determines the protection requirements of a business process, an application or an IT system.
Modeling
In the procedures according to IT-Grundschutz, the information network of a company or authority is modelled with the help of the building blocks from the IT-Grundschutz compendium. For this purpose, each building block of the IT-Grundschutz compendium contains, in the chapter ‘Delimitation and modelling’, a note on which target objects it is to be applied to and which requirements may need to be observed.
Risk analysis
Risk analysis is the complete process of assessing (identifying, analysing and evaluating) and treating risks. Although according to ISO standards such as ISO 31000 and ISO 27005 risk analysis is only one step in risk assessment, the term has become established in German usage for the entire process of risk assessment and treatment; it is also used in this sense in IT-Grundschutz and is described in more detail in BSI Standard 200-3.
Risk matrix
A risk matrix is a tool for assessing and prioritising risks by visualising the likelihood of a risk and its potential impact. It helps organisations to systematically identify and analyse risks and to plan appropriate risk mitigation measures.
Protection requirements determination
When determining the protection requirements, the protection requirements of the business processes, the processed information, the IT systems, rooms and communication connections are established. For this purpose, the expected damage that could occur if the basic values of information security (confidentiality, integrity or availability) are compromised is considered for each application and the information it processes. It is also important to realistically assess the possible consequential damage. A categorisation into the three protection requirement categories ‘normal’, ‘high’ and ‘very high’ has proven to be effective.
Standard Security
Standard protection essentially corresponds to the classic IT-Grundschutz approach of BSI Standard 100-2. With standard protection, the ISB can protect the assets and processes of an institution both comprehensively and in depth.
Structure analysis
In a structure analysis, the necessary information about the selected information network, its business processes, applications, IT systems, networks, rooms, buildings and connections is recorded and prepared in such a way that it supports the further steps of the IT-Grundschutz procedure.
Target objects
Target objects are parts of the information network to which one or more building blocks from the IT-Grundschutz compendium can be assigned as part of the modelling. Target objects can be physical objects, e.g. IT systems. However, target objects are often logical objects, such as organisational units, applications or the entire information network.
BSI
BSI stands for Bundesamt für Sicherheit in der Informationstechnik.
It is the central government agency in Germany for cyber and information security. Among other things, the BSI develops standards such as IT-Grundschutz, advises authorities and companies on protecting their IT systems and warns of security vulnerabilities and cyber attacks.
In short: the BSI is the German specialised authority for information security.
Do you have more questions about ISMS?
Under Knowledge you will find many further blog posts on the topic of ISMS, as well as specific standards and news from the field of information security.
Read our blog on the topic of ISMS, for example, to delve deeper into the subject.
fuentis Suite 4
- Transparent prices & features
- Faster to certification
- Automated risk management
- All-round support from experts
- Made in Germany: GDPR compliant solution, developed and hosted in Germany.