The ISMS Approach to Effective Cyber-Risk Management

The rapid and continuous advances in information technology are among the greatest drivers of contemporary business. As with any technological progress, however, organizations must remain vigilant in securing these innovations against misuse and failure. As a result, managing cyber risks is a key priority for all enterprises today.

Authors: Dr. Lev Streltsov and Dennis Müllerschön

The Cyber Risk Landscape

The 2025 Allianz Risk Barometer ranks cyber incidents as the "most important global business risk for 2025"[i]. The World Economic Forum ranks cyber espionage and cyber warfare among the top 5 business risks for 2025[ii], and the Horváth CxO Study places cybersecurity firmly within the top 3 strategic priorities[iii]. Other WEF studies[iv] as well as our own[v] show that nearly one in three companies was significantly impacted by a cyberattack within a single year.

Due to the significant impact of cyber threats, cybersecurity is also a regulatory priority. Legal instruments such as NIS/NIS2, GDPR, DORA, the CRA and others place security obligations on the private sector, making regulatory compliance a critical component of an organization's security strategy. Moreover, the growing reliance on digital technologies and the associated rise in risk is likely to bring further, stricter cybersecurity laws with enforceable penalties.

Therefore, cyber risk management should be approached holistically, proactively, and with full executive commitment. As handling cyber risks is much broader than an IT department function, it is up to the leadership to lay down an organization-wide security policy with clear areas of responsibility and security objectives. Senior executives are in a unique position to oversee the full integration of security measures into the business process architecture, coordinate stakeholders effectively, and allocate the necessary resources.

In adopting this organization-wide approach, it is sensible for a company to align with an information security or cybersecurity framework. The ISO/IEC 27001 (ISMS) and the NIST Cybersecurity Framework (CSF) have the highest global recognition. Other relevant but less comprehensive frameworks include CIS Controls, industry-specific PCI DSS and SOC 2, as well as the DACH-regional BSI IT-Grundschutz and TISAX.

The most observable benefit of establishing a system of security measures is cost savings through loss reduction: the probability of security incidents is reduced, and the impact of those that take place is diminished. Another key outcome is the assurance of legal and regulatory compliance. Further effects are less tangible, but still significant, such as increased stakeholder trust and a stronger security culture in the organization.

The Advantages of ISO/IEC ISMS

In this publication, we focus on the ISO/IEC 27001 Information Security Management System (ISMS) approach. Well established and regularly updated, it remains relevant because it adapts to the threat landscape, supports compliance with evolving regulations, integrates with overall business management, and carries international credibility. The following comparison illustrates some of the advantages of an ISMS over the other frameworks mentioned.

Advantage: Global Recognition
ISO 27001 ISMS:
▰ Recognized worldwide, facilitating international activity.
▰ International corporations may expect ISO-certified partners.
Other frameworks:
▰ Regional frameworks (US NIST CSF, German IT-Grundschutz) and industry-specific ones (PCI DSS, SOC 2, TISAX) are crucial in their own contexts.
▰ Outside those contexts they carry less recognition, which limits international or cross-industry ambitions.

Advantage: Facilitating Compliance
ISO 27001 ISMS:
▰ Can be aligned with most privacy or security laws thanks to its risk-based approach and wide selection of controls.
▰ Certifiable by an accredited body, which simplifies demonstrating compliance.
▰ Allows legal and regulatory requirements to be included directly in the control framework.
Other frameworks:
▰ Industry-specific frameworks are designed to align only with the legal requirements of their own industry.
▰ NIST CSF is not a certifiable standard; conformance is shown through self-assessments or third-party audits.
▰ Technically focused frameworks (e.g. CIS Controls) do not natively support the integration of legal requirements.

Advantage: Broad Scope
ISO 27001 ISMS:
▰ Comprehensive security approach addressing organizational, technical, and human factors.
▰ Continuously adapts to changes in organizational structure, technology, and the threat landscape.
Other frameworks:
▰ Industry-specific and technically focused frameworks lack a holistic risk management strategy, causing gaps in coverage, inefficiencies, and difficulty adapting to new threats.

Advantage: Management System Integration
ISO 27001 ISMS:
▰ Compatible with other ISO management system standards (e.g. ISO 9001 for quality management or ISO 22301 for business continuity), which share the same high-level clause structure.
▰ Enables integration of multiple management systems into one coherent, efficient framework.
Other frameworks:
▰ Technically focused frameworks are not designed for broad integration with management structures.
▰ Industry-specific frameworks are aimed at integration within sector-oriented management systems.
▰ Frameworks like NIST CSF offer integration, but not as broadly or seamlessly as within the ISO family.

At the same time, while ISMS offers a reliable universal solution, other frameworks may be better suited to specific contexts. For instance, engagement in the US may require NIST CSF, while in Germany, IT-Grundschutz is appropriate. If a smaller organization needs a straightforward technical security improvement, CIS Controls is a viable option. The international payment card industry demands PCI DSS, and the German automotive industry – TISAX.

With that in mind, the principles and controls of most frameworks map to ISO 27001, which makes it reasonable to combine them: the ISMS handles the broader risk approach while more specialized frameworks address regional or industry requirements. Ultimately, choosing the right framework depends on an organization's business needs at a given point in time.

The ISMS Approach

The ISO/IEC 27000 family of standards is developed and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). They revolve around an Information Security Management System or ISMS, defined as "a system of policies, activities and resources, managed by an organization, in the pursuit of protecting its information assets".[vi] ISO 27000 provides the overview and terminology, ISO 27001 establishes the general ISMS requirements, and ISO 27002 describes specific measures (controls); further standards in the family apply to specific contexts such as industries or processes.

A key aspect of the ISMS approach is the recognition that, while information has always been a valuable business asset, in the digital age its processing and communication are vital to operations, making any disruption a serious threat. Threats are viewed through the prism of risk, understood as the effect of uncertainty on the confidentiality, integrity, and availability of information.[vii] These risks materialize as information security incidents such as data breaches, phishing attacks and malware infections. To address them, the ISO standards offer a conceptually straightforward approach with the following steps.

Step 1: Identification of Security Requirements

Security Requirements. An organization identifies its information assets, legal obligations and other business needs. To effectively secure assets, it is essential to understand what they are and define the objectives of protective measures accordingly.

Step 2: Risk Assessment

Risk Acceptance Criteria. An organization establishes conditions or thresholds that determine when a risk can be tolerated (enabling prioritized resource allocation).

Risk Identification. Information risks are recognized and so are the risk owners – individuals or entities with the authority and accountability to manage them.

Risk Analysis. The potential consequences of each risk are assessed alongside the likelihood of occurrence, leading to the determination of the risk level.


Risk Evaluation. Risks are prioritized for treatment based on their level and other relevant criteria.

Step 3: Risk Treatment

Risk Treatment Options. Based on the output of the risk assessment and the acceptance criteria, each risk can be avoided by not starting or ceasing the activity that gives rise to it, shared with other parties (for example insurers or suppliers), retained by an informed decision, or modified by applying controls[viii].

Selection of Controls. Measures that modify risk are grouped into the four control themes of ISO 27002:2022[ix]: organizational (policies, procedures, and documentation), people (from awareness training to personnel security), physical (securing facilities, equipment, and other resources) and technological (network and information system security measures).

Risk Treatment Plan. A comprehensive strategy that outlines and prioritizes specific actions aimed at implementing the controls is formulated and subsequently implemented.
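As an added worked example (not code from the article or from Horváth), the following Python script carries a small, constructed risk register through Steps 2 and 3 above: acceptance criteria, identification with named risk owners, analysis on a 5x5 likelihood-by-consequence matrix, evaluation against the criteria, and selection of a treatment option using candidate ISO/IEC 27002:2022 controls. The scales, the acceptance threshold of 6, the decision rule, the four sample risks, and the risk reduction attributed to each control are assumptions of the example, not values taken from the standard.

```python
"""Worked example of ISO/IEC 27001 risk assessment (Step 2) and treatment (Step 3).
Added for illustration; the scales, threshold, decision rule and sample
register are assumptions of this example, not part of the standard."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

# Qualitative 1-5 scales (assumed here; an organization defines its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


class Treatment(Enum):
    RETAIN = "retain (accept by informed decision)"
    MODIFY = "modify (apply controls)"
    SHARE = "share (insurance, outsourcing)"
    AVOID = "avoid (stop the activity)"


@dataclass
class Control:
    ref: str                    # ISO/IEC 27002:2022 control number and name
    cuts_likelihood: int = 0    # scale steps removed from likelihood (assumed effect)
    cuts_consequence: int = 0   # scale steps removed from consequence (assumed effect)


@dataclass
class Risk:
    rid: str
    description: str
    owner: str                  # accountable risk owner (Step 2, identification)
    likelihood: str
    consequence: str
    controls: list[Control] = field(default_factory=list)  # candidate controls (Step 3)
    shareable: bool = False     # can residual risk be transferred, e.g. insured?


def risk_level(likelihood: int, consequence: int) -> int:
    """Step 2, analysis: risk level = likelihood x consequence on the 5x5 matrix."""
    return likelihood * consequence


def inherent_level(risk: Risk) -> int:
    return risk_level(LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence])


def residual_level(risk: Risk) -> int:
    """Level after the candidate controls; scale values never drop below 1."""
    lik = max(1, LIKELIHOOD[risk.likelihood] - sum(c.cuts_likelihood for c in risk.controls))
    con = max(1, CONSEQUENCE[risk.consequence] - sum(c.cuts_consequence for c in risk.controls))
    return risk_level(lik, con)


def evaluate(register: list[Risk], accept_threshold: int) -> list[Risk]:
    """Step 2, evaluation: risks above the acceptance criterion, highest level first.
    Ties are broken by consequence so that high-impact risks are treated first."""
    above = [r for r in register if inherent_level(r) > accept_threshold]
    return sorted(above, key=lambda r: (inherent_level(r), CONSEQUENCE[r.consequence]),
                  reverse=True)


def decide(risk: Risk, accept_threshold: int) -> Treatment:
    """Step 3, treatment option. The decision rule is this example's own policy."""
    if inherent_level(risk) <= accept_threshold:
        return Treatment.RETAIN
    if residual_level(risk) <= accept_threshold:
        return Treatment.MODIFY          # controls bring the risk within acceptance criteria
    return Treatment.SHARE if risk.shareable else Treatment.AVOID


def risk_treatment_plan(register: list[Risk], accept_threshold: int) -> list[dict]:
    """Prioritized plan: one entry per risk needing treatment, highest level first."""
    return [{
        "rid": r.rid, "owner": r.owner,
        "inherent": inherent_level(r), "residual": residual_level(r),
        "treatment": decide(r, accept_threshold),
        "controls": [c.ref for c in r.controls],
    } for r in evaluate(register, accept_threshold)]


# Constructed sample register (fictitious organization; illustration only).
ACCEPTANCE_THRESHOLD = 6   # risk acceptance criterion: levels of 6 or below are tolerated

REGISTER = [
    Risk("R1", "Ransomware delivered by phishing to finance workstations", "CIO",
         "likely", "major", shareable=True,
         controls=[Control("8.7 Protection against malware", cuts_likelihood=1),
                   Control("6.3 Awareness, education and training", cuts_likelihood=1),
                   Control("8.13 Information backup", cuts_consequence=2)]),
    Risk("R2", "Loss of an unencrypted laptop holding customer data", "Head of IT",
         "possible", "moderate",
         controls=[Control("8.24 Use of cryptography", cuts_consequence=2)]),
    Risk("R3", "Defacement of the public marketing website", "CMO",
         "possible", "minor"),
    Risk("R4", "Legacy ERP on an unsupported OS reachable from the internet", "CFO",
         "likely", "severe",
         controls=[Control("8.20 Networks security", cuts_likelihood=1)]),
]

if __name__ == "__main__":
    for entry in risk_treatment_plan(REGISTER, ACCEPTANCE_THRESHOLD):
        print(entry)
```

Running the script lists R4, R1 and R2 in that order: R4 (level 20) cannot be brought within the acceptance criterion by the single candidate control and is not insurable in this scenario, so the option is to avoid it by retiring the system; R1 and R2 are modified with controls; R3 sits exactly at the threshold and is retained without appearing in the plan. Note that the same control appears with an assumed effect on likelihood or consequence; in practice that estimate is the risk owner's call and should be revisited when the ISMS is reviewed.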

Some Success Factors

While the ISMS approach is straightforward and transparent, we would like to go over several factors that contribute to the success of an ISMS implementation.

Since an ISMS is a comprehensive, organization-wide approach, it can only be effective if adopted top-down. The ISO standards explicitly underline the crucial role of top management[x]. A key task is laying down and communicating an information security policy and objectives aligned with both the security requirements and the general strategy of the organization. It is equally important for senior leadership to take responsibility for overseeing the integration of the ISMS into corporate processes and for ensuring that the necessary resources are available. Moreover, the executive team should coordinate and support the various stakeholders in their information security activities. Complete operational involvement is not required of senior executives; however, they are expected to be the drivers of the ISMS transformation.

An ISMS is a lasting solution that excels at managing information security risks by adapting to organizational change. For this to happen, the system must not only be designed and implemented but also maintained and continuously improved. Whether the controls fulfil the security requirements must be monitored, and any non-conformities must be addressed with corrective action. Internal or external shifts in context also need to be accounted for. Continuous resource allocation must therefore be acknowledged and planned for.

Another point concerns the flexibility of an ISMS. The mandatory part of ISO 27001 is the management system itself (context, leadership, planning, support, operation, performance evaluation and improvement). The 93 controls of ISO 27002:2022, mirrored in Annex A of ISO 27001:2022, are a reference set from which an organization selects, adapts, or supplements with custom controls, documenting each inclusion and each justified exclusion in its Statement of Applicability. Without implementation experience, this freedom can lead to option overload, causing delays, inefficiencies or oversights. The effect can be mitigated by starting from a standardized ISMS template and tailoring it to the organization's needs rather than designing the ISMS from the ground up.

In addition to that, while an ISO certificate offers many advantages, it is important to anticipate that certification is a process in itself. To avoid disruptions and ensure success, organizations commonly undergo a certification readiness procedure. It usually involves progressing through gap analysis and remediation, auditor selection, internal (pre)audit and, finally, the external audit itself. Costs and timelines must be considered, especially when ISMS implementation is tied to an external requirement (e.g., compliance) with a hard deadline.

Finally, although it is possible to implement an ISMS entirely in-house, it is a complex undertaking that greatly benefits from the guidance of specialized consultants. Professionals who bring the experience of diverse implementations and maintain up-to-date industry standards can contribute to every stage of the ISMS process.

Specialists have access to relevant ISMS templates, implementation experience and a broader, outside perspective. These assets enable an effective, efficient ISMS design closely aligned with organizational needs. In terms of continuous improvement, a company that specializes in information security has a precise view of the threat landscape, staying aware of new and evolving threats and their relative severity. Lastly, a certification readiness procedure is a common specialist service.

First Steps Towards Security

Having described the overall benefits of choosing the ISMS framework and the advantages to specialist involvement, we would also like to point out several steps that any organization can take when considering an information security or cybersecurity initiative.

First, it is always relevant to identify and document the key assets, as the scope of security always centers on them. This involves mapping out critical data, systems, and infrastructure that require protection together with the processes that support them.

Organizations should also assess their compliance obligations: the legal and regulatory requirements applicable to their industry as well as their contractual requirements. These translate into security objectives that the organization must demonstrably meet.

In addition, unless the organization is only just being founded, certain security measures are already in place. Evaluating existing information security policies and practices makes it possible to prioritize vulnerable areas, select efficient complementary measures, and establish a tangible baseline for improvement.

Furthermore, as cross-departmental collaboration is crucial to managing diverse cyber risks, it is important to identify all key stakeholders early on. It is also reasonable to set up a dedicated team responsible for developing and coordinating the security measures.

Most importantly, organizations must secure executive commitment, as without it implementing effective organization-wide change may simply not be possible. 

Taking these preparatory steps builds a strong foundation for your information security management and helps you make informed decisions. In addition to that, you will be better prepared to collaborate effectively with outside specialists if their expertise is needed.


[i] Allianz Commercial. (2025). Allianz Risk Barometer 2025, 4.

[ii] World Economic Forum. (2025). The Global Risks Report 2025, 8.

[iii] Horváth. (2024). 5th Annual Horváth CxO Priorities Study, 8. Available via: https://www.horvath-partners.com/de/media-center/studien/cxo-priorities-study-2024

[iv] World Economic Forum. (2024). Global Cybersecurity Outlook 2024, 5.

[v] Horváth. (2024). Horváth CxO Priorities Study 2023, 36.

[vi] International Organization for Standardization. (2018). ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary, 11.

[vii] Ibid. 8.

[viii] Ibid. 15.

[ix] International Organization for Standardization. (2022). ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls.

[x] ISO. (2018). ISO/IEC 27000:2018, 11. See also: International Organization for Standardization. (2022). ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements, 2-3.

Dr. Lev Streltsov works as a consultant at the international management consultancy Horváth, where he leverages his academic and practical experiences to assist companies in tackling their cybersecurity challenges. He is also author of multiple international publications, lectures, and presentations on cybercrime, cybersecurity, and related topics. With an original background in law, he defended his PhD on the aspects of legal protection of digital IP. His post-doctoral research on cybercrime at the Max Planck Institute for Foreign and International Criminal Law led him to a deeper understanding of both the significance and multidisciplinary nature of cybersecurity. With support from the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ), Dr. Streltsov has been involved in research and knowledge transfer in Ukraine, including providing expert opinions on draft legislation.

Dennis Müllerschön is a Principal in the Risk & Compliance Excellence division at Horváth, specializing in Information and Cyber Security solutions. He has extensive expertise in cyber security, risk management, IT compliance, and management control for national and international clients. His work focuses on developing and implementing holistic cyber security strategies, governance frameworks, risk assessments, and transformation programs. He helps clients strengthen their cyber resilience and ensure compliance with regulatory requirements.
Dennis holds a B.Sc. in Technology and Management-Oriented Business Administration from the Technical University of Munich and an M.Sc. in Accounting & Financial Management from the Stockholm School of Economics. He has been with Horváth since 2014.
