POLYAS Election Glossary
We provide explanations and background information on elections, voting rights and digital democracy
IT risk management refers to a procedure developed by the German BSI (Ministry of Security) for corporate information technology, used to identify and apply appropriate security measures.
The goal of IT risk management
IT risk management is meant to achieve a standard, appropriate and sufficient level of protection for IT systems.
Developing IT risk management involves a detailed risk analysis. Starting from a standard set of threats to IT systems, the protection needs are divided into three categories. Based on these, the matching security measures and protection programmes can be found in the IT Risk Management Catalogues.
IT risk management was first established in 1994 and thoroughly revised in 2005. Since then, the BSI has published its IT risk management methodology in the IT Risk Management Catalogues and the BSI Standards.
BSI Standards
In total there are four BSI Standards. They cover the establishment of an information security management system (ISMS), the IT risk management procedure, and the conduct of risk analyses for IT systems with “high” or “very high” protection needs.
The IT Risk Management Catalogues
The IT Risk Management Catalogues are a collection of documents that explain how to set up and run an information security management system (ISMS). They also define, for example, the components of an ISMS, the threats it faces and the security measures that address them. With the help of an IT Risk Management Catalogue it is possible to identify and apply appropriate security measures.
Procedures for setting up IT Risk Management
Setting up IT risk management involves eight steps:
The IT Risk Management Certificate
The BSI awards an ISO/IEC 27001 certificate for the successful implementation of IT risk management with an established ISMS.
Certificates for risk management categories one and two are awarded on the basis of self-declaration. To be certified in category three, an IT risk management system must be tested and approved by one of the BSI’s licensed, independent auditors.