The customer would like to review its information security measures and, in the future, migrate its information security management system (ISMS) from basic protection according to BSI 100-2 to basic protection according to BSI 200-2. To assess the necessary effort in detail and to obtain a general overview of the quality of its strategic information security measures, the customer would like an as-is analysis of the existing systems and processes to be carried out from an information security perspective.
To achieve the project objective, the existing inventory documentation submitted by the customer on its current processes and systems will, above all, be examined and evaluated with regard to quality, up-to-dateness, completeness and appropriateness for use in maintaining, managing, controlling and improving the customer's information security. For this purpose, the customer provides its own documentation as well as the results of internal and external audits.
The existing ISMS and a number of documents and protocols were evaluated for this as-is analysis. The detailed list can be found in the project SharePoint. To evaluate the prerequisites for the desired upgrade of the existing ISMS from BSI 100-2 to 200-2, the customer's preliminary, newly developed process map was examined, since it is a mandatory prerequisite for the business-process-centred approach of 200-2, in contrast to the application-centred view of 100-2. To assess the completeness, timeliness and quality of the documentation of the existing ISMS, a number of individual documents and protocols (audit reports, action plans, guidelines, meeting minutes, etc.) were evaluated in addition to the ISMS tool. To develop options and recommendations for action, the feature catalogues of a number of ISMS tools were examined, as well as the BSI's instructions for migrating security concepts from BSI 100-X to 200-X.