POLYAS Election Glossary

We provide explanations and background information on elections, voting rights and digital democracy

IT Risk Management

IT risk management (IT-Grundschutz) refers to a procedure developed by the German Federal Office for Information Security (BSI) for corporate information technology, used to identify and apply appropriate safety measures.

The goal of IT risk management
IT risk management is meant to achieve an average, appropriate and sufficient level of protection for IT systems.

The development of IT risk management involves a detailed risk analysis. Starting from a standard set of dangers to IT systems, the protection needs are split into three categories. Based on these categories, the respective safety measures and protection programs can be found in the IT risk management catalogues.

IT risk management was first established in 1994 before being thoroughly revised in 2005. Since then, the BSI has published IT risk management in the IT risk management catalogues and the BSI standards.

In total there are four BSI standards. These standards cover the establishment of an information security management system (ISMS), IT risk management procedures, and the conducting of risk analyses for IT systems with "high" or "very high" protection needs.

  • BSI-Standard 100-1 describes various ways of managing information security systems
  • BSI-Standard 100-2 describes the procedures of IT risk management
  • BSI-Standard 100-3 describes risk analyses on the grounds of IT risk management
  • BSI-Standard 100-4 describes what to do in case of emergency

The IT Risk Management Catalogues
The IT Risk Management Catalogues contain a collection of documents which explain how to set up and run an information security management system (ISMS). They also define, for example, the components, dangers and safety measures for an ISMS. With the help of an IT risk management catalogue it is possible to identify and apply appropriate safety measures.

Procedures for setting up IT Risk Management
Setting up IT risk management involves eight steps:

  1. Defining the information network
  2. Running an IT structure analysis
  3. Establishing protection needs
  4. Designing IT risk management
  5. Running a base security check
  6. Running an overall security analysis (potentially with an added risk analysis)
  7. Consolidating the security measures
  8. Implementing IT risk management security measures

The IT Risk Management Certificate
The BSI awards an ISO/IEC 27001 certificate for the successful implementation of IT risk management with an established ISMS.
For risk management categories one and two, the certificate is awarded on the basis of self-declaration. To be awarded certification in category three, the IT risk management system needs to be tested and approved by one of the BSI's licensed, independent auditors.

See also: IT Security, Backups, Data Security, Federal Office for Information Security (BSI)