Security concept
A security concept is the documented, comprehensive description of all technical and organisational security measures of an organisation, capturing protection requirements, risks and the resulting measures in a traceable and auditable manner.
A security concept is the central steering document of information security. It describes coherently which information, systems and processes an organisation protects, what protection requirements exist for confidentiality, integrity and availability, and which technical and organisational measures (TOMs) are used to treat the identified risks. In doing so, it translates abstract security objectives into concrete, traceable and auditable specifications and forms the basis for audits, certifications and evidence required by authorities.

In terms of content, a complete security concept typically covers the definition of the scope, the structural analysis of the information assets, the protection requirements assessment, a risk analysis with risk evaluation, and the catalogue of measures including responsibilities, implementation status and effectiveness monitoring. In practice it draws on established frameworks such as BSI IT-Grundschutz, ISO/IEC 27001 or CISIS12 and is closely interlinked with the information security management system (ISMS), the security policies and emergency or business continuity management.

From a legal and regulatory perspective, the security concept is becoming increasingly important: the NIS2 Directive and its national transposition require essential and important entities to take suitable, documented risk management measures, and make senior management responsible for, and liable for failures in, their implementation. DORA, sector-specific requirements and the demands of TISAX and certification bodies likewise presuppose a maintained, regularly updated security concept. It is not a static document: it must be revised whenever there are significant changes to the IT landscape, the threat situation or the legal framework.
Legal Basis
NIS2 Directive (EU) 2022/2555, Art. 21; German BSI Act; BSI IT-Grundschutz; ISO/IEC 27001
Practical Example
A mid-sized mechanical engineering company has newly come within the scope of the NIS2 obligations because of its annual turnover and its sector. The information security officer prepares a security concept based on BSI IT-Grundschutz: they delineate the information assets, carry out a protection requirements assessment for the production and ERP systems, and derive measures such as network segmentation, multi-factor authentication and patch management from the risk analysis. The concept is submitted to senior management for approval, records the implementation status of each measure, and serves as the central piece of evidence in the next TISAX assessment.