Building a new Information Security Management System (ISMS) based on standards like ISO 27001, while simultaneously meeting NIS2 requirements, is a significant challenge. However, it is also a strategically vital and deeply educational task — one that I have had the privilege of navigating over the past few months. What have I learned during this time, and what would I do differently today?
The 80/20 Rule of Governance
After two years in the strictly regulated banking sector (initially under BAIT, later DORA), and now being tasked with establishing an ISMS in an industrial environment, my most important realization has been this: it cannot always be about perfection. In most cases, pragmatism beats perfectionism.
In the implementation phase of an ISMS, it is often more effective to describe processes as they are actually lived within the company, rather than designing a fictitious ideal scenario. Honest documentation reveals real potential for improvement and is superior to "window dressing" for the sake of an audit.
This potential for improvement should feed directly into a Continuous Improvement Process (CIP) that is lived from the very beginning. By establishing the CIP as a core element of the corporate culture early on, you gain the necessary agility. It is far more productive to move into implementation quickly with a solid framework than to spend years drafting the perfect handbook. This is where "Quick Wins" come into play: small, tangible process improvements that show those involved that governance is not an end in itself, but a way to make daily work more secure and, ideally, easier.
Setting Realistic Frameworks and Resources
A decisive factor that often determines the success or failure of an ISMS is the definition of a realistic framework. A management system is not "plug and play"; it must be tailored to the scope, resources, and maturity level of the organization.
In practice, this means setting clear priorities. I advocate for the conscious courage to leave gaps. It is far more effective to secure the most critical assets and core processes with high diligence than to attempt to raise everything to a theoretical level of perfection simultaneously, only to fail due to the sheer complexity. Those who try to protect everything with the same intensity often end up protecting nothing effectively.
An ISMS is not a static project but a continuous process. Therefore, it is essential to regularly challenge the timeline and objectives through plan-versus-actual comparisons — for example, regarding milestones and resources. Only those willing to calibrate their plan against reality will create a system that exists not just on paper, but endures in the long term.
The 2nd Line as Enabler and Translator
An often-underestimated factor is the role of the 2nd Line of Defense. I view the role of the ISO (Information Security Officer) or ISMS Manager primarily as that of a bridge builder and translator. This mindset helps me in daily GRC operations and was one of the biggest success factors during the ISMS build-up phase.
The first step is to integrate stakeholders as early as possible and explain the underlying "why." Acceptance is significantly higher when people understand the purpose behind their actions.
In this context, breaking down language barriers is crucial. While administrators think in terms of configurations and tickets, GRC experts look at risk matrices and compliance requirements. My job is to unite these worlds and translate regulatory requirements so that they remain operationalizable for the business. This means implementing solutions that are truly executable in daily operations while still fulfilling the requirements of standards and laws. If requirements are so complex that they block the workflow, acceptance drops or, in the worst case, provokes workarounds. Constant exchange and gathering feedback from technical departments are therefore essential to maintain the balance between security and productivity.
Lessons Learned: What I Would Do Differently
Looking back at various projects, there are aspects I would approach differently today:
- Stakeholder Ownership: It is a decisive advantage to transfer responsibilities as early as possible. Security must be championed by those who execute the processes daily.
- Evidence by Design: Today, I would integrate the generation of evidence directly into the design process of documentation and workflows. "Evidence by Design" not only reduces the stress of upcoming audits but also makes the effectiveness of measures directly measurable.
Conclusion
Even during its initial setup, an ISMS should not be understood as a rigid corset, but as a dynamic tool. It requires the courage to leave gaps and clear priorities instead of all-encompassing perfectionism. When information security is perceived as an enabler for secure business operations, the paper tiger transforms into an effective protective instrument. Ultimately, a lived 80-percent system is far more valuable for a company's resilience than 100-percent documentation that merely gathers dust in the archives.
Let's connect! If you enjoyed this article, feel free to follow me here on Medium or connect with me on LinkedIn for more insights on pragmatic Information Security and GRC.