CISIS12
A 12-step information security model designed as an accessible entry point for smaller organizations, particularly municipalities and SMEs.
CISIS12 (Compliance Information Security Management System in 12 Steps, originally published as ISIS12) is an information security framework developed specifically to give small and medium-sized organizations a practical, manageable path into a systematic information security management system (ISMS). It was initially aimed at German municipal administrations and SMEs and has since been adopted by other public sector bodies.
As the name suggests, the model is structured around 12 defined steps, worked through in order, that guide an organization from assessing its current security posture through to implementing, reviewing and maintaining appropriate controls. The steps cover areas including identification of critical assets and risks, policy creation, emergency planning and security awareness training. The framework is intentionally kept lean so that organizations with limited staff and budget can complete it without being overwhelmed.
In Germany CISIS12 is positioned as a stepping stone towards more comprehensive frameworks such as BSI IT-Grundschutz or ISO 27001, and its structure is designed so that an organization can later migrate to one of them. For organizations subject to NIS 2 that need to demonstrate a risk-based security approach without the full weight of ISO 27001, CISIS12 offers a proportionate and achievable starting point. Note, however, that adopting the framework does not by itself discharge NIS 2 obligations: the measures implemented must still be appropriate and proportionate to the organization's actual risks, and the organization remains accountable for demonstrating that.
Legal Basis
Not a statute in its own right: CISIS12 is a voluntary standard developed and maintained by the Bayerischer IT-Sicherheitscluster e.V. (originally as ISIS12). It is recognized as a NIS 2-aligned approach for smaller entities, but certification against it is not a substitute for meeting the legal requirements themselves.
Practical Example
A small municipality with 45 employees needs to improve its information security posture to meet regional cybersecurity guidelines. Using the CISIS12 framework, the IT coordinator works through all 12 steps over six months: documenting critical assets and applications, creating an information security policy, training staff, and establishing an emergency response plan. The structured, step-by-step approach makes the project manageable without a full-time information security officer; the role can be assigned part-time to existing staff, with the steps serving as the project plan and the resulting documentation as evidence for auditors.