RS7 – Information Security for Beginners
Creating a security concept is an elaborate process that requires not only technical knowledge but also thorough methodological familiarity with the IT Basic Protection (IT-Grundschutz) of the German Federal Office for Information Security (BSI). For many areas, however, this procedure is too elaborate and complicated. RS7, a lean information security management system (ISMS), offers an efficient preliminary step towards basic protection.
Our society is increasingly dependent on information. If certain data has been accidentally or intentionally deleted, manipulated or disclosed, this can have significant consequences for individuals, companies and public authorities. To adequately and comprehensively protect sensitive information, a systematic approach is essential. To this end, the German Federal Office for Information Security (BSI) has drafted the IT Basic Protection (IT-Grundschutz), which aims to secure defined information networks. Its application is mandatory for federal authorities.
RS7: The simple ISMS
Anyone who is currently implementing or planning a security concept in accordance with the IT Basic Protection is familiar with the problem: The BSI's creation procedure is solid and reliable, but at the same time it is lengthy and so complex that external support is frequently necessary.
As a lean and simple information security management system (ISMS), RS7 is aimed at all those for whom applying the IT Basic Protection is not yet required. These include, for example, municipalities, as well as those responsible for individual IT processes or work areas who want to secure ongoing business processes quickly without having to go through the complex IT Basic Protection approach. Other potential users include larger SMEs, associations or organizations similar to public authorities that are not obligated to comply with the IT Basic Protection but want to achieve rapid security gains with a tried-and-tested procedure.
Certification in seven steps
RS7 offers an easy-to-understand procedure in seven steps with explanations and templates for documentation. The system has a modular structure in order to map the organizational and technical conditions on site as realistically as necessary and as abstractly as possible. On this basis, necessary measures can be identified and implemented without delay, so that a noticeable increase in information security can be achieved with little effort.
- The first step, “kick-off”, is the starting signal for the RS7 process: In a structured meeting with all relevant stakeholders, the users explicitly define which business process and which information network they want to protect.
- In the second step, the organization establishes the basic framework: The management level provides the required resources, designates roles and standardizes IT service processes.
- Unusually early in the RS7 process, in step three, comes employee awareness training: Attentive team members who can recognize anomalies, deal with them and contact the right people bring a considerable increase in security.
- The critical data is then identified: Which information is so important for the business process that it must not be lost, changed or disclosed?
- Step five derives the protection objects from this previously defined critical data, i.e. the systems and components on which the data is processed or stored.
- For these protection objects, specific security measures are derived in the next step according to the RS7 measures catalog.
- The optional seventh step is certification.
A specially developed tool accompanies the implementation of RS7. It supports all steps with explanations, examples and tools so that the entire process can be tracked and managed.
The big advantage of RS7?
The process is fast, simple, inexpensive and effective in designing basic security. However, RS7 does not achieve the level of protection that the IT Basic Protection provides. The achievable RS7 certificate is not an ISO 27000 certificate. On the other hand, the concept is highly compatible with the IT Basic Protection of the BSI: The documents generated in the RS7 tool are BSI-compliant, can be used directly and the generated security concept can be upgraded to IT Basic Protection level without significant additional effort.
With RS7, security is not a project but a process. By the time the seven steps have been completed, the environment has changed at the very least, the network to be protected may have evolved, and the relevant risks have certainly shifted. At this point, the security concept according to RS7 can be updated with a second run, or the organization can switch seamlessly to the IT Basic Protection.
RS7 is not intended to be an alternative to the IT Basic Protection, but offers a convenient introduction to the complex topic of information security as a preliminary step. Important and sensitive data can be protected against non-specific threats quickly and with a low use of resources.
Contact
Thomas Soens
Division Manager
msg security advisors