Building an ISMS: The Practical Guide From Excel to ISO 27001

What is an ISMS? Who needs one? And what does no ISMS cost you? A practical guide comparing ISO 27001, BSI IT-Grundschutz, TISAX and NIS2, including fines, roles and a build-up plan.


Most companies know they need to get a grip on their information security. And yet Excel sheets, scattered Word documents, and the vague feeling of "we'll deal with it eventually" still rule the day. Until the auditor knocks on the door. Or worse: a security incident turns everything upside down.

According to the IBM Cost of a Data Breach Report 2024, a data breach costs an average of 4.88 million US dollars. For mid-sized companies the absolute number is smaller, but the relative damage is often existential. An information security management system (ISMS) is the structured way out of this chaos, and with an automated approach you avoid Excel hell, audit panic, and liability risk.

IT security vs. information security: where many take a wrong turn

IT security protects technology: servers, networks, endpoints.

Information security protects all information: digital, on paper, or in the heads of employees. It rests on three protection goals:

  • Confidentiality: only authorised people can see data. Salary data does not belong on the hallway printer.
  • Integrity: data stays correct and unaltered. No silently changed contract.
  • Availability: systems and data are there when you need them. No shop outage on Black Friday.

Put differently: IT security protects technology. Information security protects your business model. A data leak, an outage, or manipulated contract data hits revenue, reputation, and the personal liability of management directly.

Without a structured security concept, you are exposed to:

  • Fines (GDPR: up to 20 million EUR or 4% of revenue)
  • Reputation damage
  • Personal liability of management (NIS2)

What is an ISMS, really?

An information security management system (ISMS) is not a tool, but a system of processes, roles, policies and measures that you use to plan, implement, monitor, and improve information security. Standards like ISO/IEC 27001 provide the structure.

Core elements of an ISMS:

  • Risk-based: you steer risks instead of blindly working through checklists.
  • PDCA cycle: Plan, Do, Check, Act as a built-in improvement mechanism.
  • Integrated into business processes: not an IT side project, but part of the corporate strategy.
  • Standards-based: for example ISO 27001, BSI IT-Grundschutz, TISAX.

Important: an ISMS is not a project with an end date, but an ongoing management process.

For executive management, an ISMS means: transparency over risks, clear responsibilities, demonstrable compliance, and resilient protection against fines, liability, and lost deals.

Who needs an ISMS, and who is liable if it is missing?

  • Critical infrastructure operators (KRITIS): must demonstrate an ISMS under § 8a BSIG and have it audited every two years.
  • Companies in scope of NIS2: must implement comprehensive cybersecurity measures. New: the supply chain is in scope, and management can be held personally liable.
  • GDPR (Art. 32): requires "appropriate technical and organisational measures". An ISMS is the cleanest way to demonstrate this.

Industry-specific requirements

  • Automotive: without TISAX, no contract from OEMs.
  • Financial sector: DORA, BaFin. An ISMS is de facto mandatory.
  • Healthcare: highly sensitive patient data demands demonstrable structures.
  • SaaS & cloud: the first question from enterprise customers is "do you have ISO 27001?"

Optional, but still worth it

From around 50 employees, an ISMS becomes a competitive factor. In tenders, due diligence, and supplier assessments, the question "how secure are you?" often decides who gets the deal.

Manual vs. automated ISMS: when Excel starts holding you back

Many companies start their ISMS with Excel and Word. That works, up to about 30 to 50 controls. After that, maintenance becomes a full-time job.

| Aspect | Excel/Word | Automated ISMS |
|---|---|---|
| Asset inventory | Manual lists, quickly outdated | Auto-discovery from cloud and HR |
| Policy monitoring | Spot checks, quarterly | Continuous monitoring, real-time alerts |
| Audit preparation | Weeks, panic | Days, structured |
| Evidence | Screenshots, email folders | Automated evidence collection |
| Cost (internal) | ~16,640 EUR/year hidden cost | Tooling cost, but 70%+ time saved |

Manual compliance burns budget without actually raising your security level. You document what was true three weeks ago instead of knowing where you stand right now.

The building blocks of an effective ISMS

An effective ISMS consists of several aligned components:

  • Asset management: which systems, applications, data, and providers exist?
  • Policies: clear rules (passwords, access, remote work, clean desk, etc.).
  • Documentation and evidence: what is not documented does not exist for the auditor.
  • Roles and responsibilities: information security officer (ISO)/CISO, asset owners, process owners.
  • Risk management: identify, assess, treat risks.
  • TOMs: technical and organisational measures (firewalls, training, contingency plans, encryption).
  • Internal audits: regular effectiveness checks.
  • Vulnerability management: systematically close gaps in systems and processes.

The PDCA cycle: the operating system of your ISMS

The ISMS follows the proven PDCA cycle:

  1. Plan: define scope, risks, goals, and measures.
  2. Do: implement measures, document them, train employees.
  3. Check: internal audits, KPIs, detect deviations.
  4. Act: corrective measures, lessons learned, raise the maturity level.

This way, your security level grows with new threats instead of starting from scratch every three years.

Which standard fits? A quick overview

| Standard | Focus | For whom? | Certification? |
|---|---|---|---|
| ISO/IEC 27001 | International ISMS standard | All industries | Yes |
| ISO/IEC 27002 | Implementation guide | Companion to ISO 27001 | No |
| BSI IT-Grundschutz | German standard | Authorities, KRITIS, DACH | Yes |
| TISAX | Automotive supply chain | Suppliers | TISAX label |
| SOC 2 | Service organisation controls | SaaS, cloud | SOC 2 report |
| NIST CSF | Cybersecurity framework | US-oriented | No |
| C5 | Cloud security | Cloud providers | C5 attestation |

Recommendation: start with ISO 27001 as your foundation. Industry-specific requirements (TISAX, NIS2, GDPR) can be covered efficiently via cross-mappings.

Engineering approach: how to build your ISMS pragmatically

Forget thick paper folders. A modern ISMS follows the logic of your IT infrastructure.

  1. Automated discovery instead of manual inventory. Connect your cloud providers (AWS, Azure, GCP) and HR tools. Let the ISMS find the assets itself. Only what is inventoried can be protected.
  2. Inheritance: policies on groups instead of individual objects. Example: "all MacBooks must have FileVault active", "all production servers need automatic patches". Defined centrally, monitored automatically.
  3. Continuous compliance instead of annual audit panic. Your ISMS works like a monitoring system: open ports, orphaned accounts, overdue policy reviews, all of it becomes visible automatically.
  4. Choose the scope wisely. Start with business-critical processes, then expand step by step. Nobody rolls out their ISMS across 100% of the organisation in one quarter.
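As an added illustration of points 2 and 3 above (policies bound to asset groups and inherited by every member, plus continuous checks that surface drift and overdue policy reviews), here is a minimal policy evaluator in Python. It is not code from the original article or from any ISMS product; the asset names, groups, facts, review dates and approved-port list are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Constructed sample inventory: hypothetical asset names, each tagged with the
# groups it belongs to and the facts a discovery connector would report.
ASSETS = [
    {"name": "mbp-alice", "groups": {"macbook"}, "facts": {"filevault": True}},
    {"name": "mbp-bob", "groups": {"macbook"}, "facts": {"filevault": False}},
    {"name": "web-prod-01", "groups": {"production"}, "facts": {"auto_patch": True, "open_ports": [443]}},
    {"name": "db-prod-01", "groups": {"production"}, "facts": {"auto_patch": False, "open_ports": [5432, 22]}},
]
APPROVED_PORTS = {443, 5432}  # constructed allow-list for production hosts


@dataclass
class Policy:
    """A rule bound to a group; every asset in that group inherits it."""
    name: str
    group: str
    check: Callable[[dict], bool]  # facts -> True when the asset is compliant
    reviewed: date                 # date of the last policy review
    review_days: int = 365         # review cadence the policy owner committed to


POLICIES = [
    Policy("FileVault enabled", "macbook",
           lambda f: f.get("filevault") is True, date(2024, 1, 15)),
    Policy("Automatic patching", "production",
           lambda f: f.get("auto_patch") is True, date(2025, 3, 1)),
    Policy("Only approved ports open", "production",
           lambda f: set(f.get("open_ports", [])) <= APPROVED_PORTS, date(2025, 3, 1)),
]


def evaluate(assets, policies, today):
    """Return (kind, policy, asset) findings: overdue reviews and failed checks."""
    findings = []
    for p in policies:
        if (today - p.reviewed).days > p.review_days:
            findings.append(("policy-review-overdue", p.name, None))
        for a in assets:  # inheritance: apply the policy to every asset in its group
            if p.group in a["groups"] and not p.check(a["facts"]):
                findings.append(("non-compliant", p.name, a["name"]))
    return findings


def run_example():
    """Evaluate the constructed inventory as of a fixed date (reproducible)."""
    return evaluate(ASSETS, POLICIES, date(2025, 6, 1))
```

In a real deployment the facts would come from the cloud and HR connectors described in point 1 and the evaluation would run on a schedule, turning each finding into an alert or a ticket.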

What does no (or a bad) ISMS cost you?

An ISMS is often seen as a cost factor. But the opportunity cost of manual administration is the real cost driver.

Example calculation for a mid-sized company (50 employees): Without tool support, an internal admin or CISO spends about 4 hours per week maintaining lists, evidence, and policy updates.

  • 4 hours x 52 weeks = 208 hours
  • At an internal fully-loaded cost of 80 EUR/hour, that is 16,640 EUR of burned budget per year
  • On top of that, external audit preparation costs (often 5,000 EUR+)

An automated ISMS often pays for itself in the first quarter, just from the time saved by your IT specialists. And that is only the direct cost side, not the risk side (fines, incidents, lost deals).

Your next step

Information security is not a one-off project, it is an ongoing process. An ISMS helps you steer risks systematically, meet legal requirements, and strengthen the trust of your customers.

Three concrete starting points, depending on your maturity level:

  1. You have nothing yet. Start with an asset inventory and an honest risk workshop. Which data is critical, which systems must not go down, who has access?
  2. You have an Excel ISMS. Do the reality check: how up to date are your lists? When was the last policy reviewed? If you have to think about it for more than two seconds, it is time for automation.
  3. You have a tool but no plan. Standards are your friend. Pick ISO 27001 as your backbone and use cross-mappings to knock out TISAX, NIS2, or GDPR with the same effort.

Lay the foundation today for a secure digital future, with an ISMS that fits your company.

Frequently Asked Questions

What is the difference between IT security and information security?
IT security refers to the protection of IT systems and infrastructure. Information security covers all information, digital and analogue, and is therefore broader.

Does every company need an ISMS?
An ISMS makes sense for any company that works with sensitive data or is subject to legal requirements. For mid-sized companies and critical infrastructure, an ISMS is indispensable.

How long does it take to implement an ISMS?
The duration depends on company size, protection needs, and existing structures. Implementation usually takes several months. With an automated ISMS and a clearly cut scope, an initial ISO 27001 certification is often achievable in 4 to 6 months.

Which certifications are possible?
The best-known certification is ISO 27001 (recognised internationally). Beyond that, there are BSI IT-Grundschutz (DACH), TISAX (automotive), SOC 2 (SaaS), and C5 (cloud).

What about GDPR and NIS2?
Neither requires an ISMS with a stamp, but both require exactly the structure an ISMS provides: documented technical and organisational measures, clear responsibilities, demonstrable risk management. If you have ISO 27001, you already cover most of the obligation.

Sources

  1. Cost of a Data Breach Report 2024, IBM Security / Ponemon Institute
  2. The State of IT Security in Germany 2024, Federal Office for Information Security (BSI)
  3. ISO/IEC 27001:2022 – Information Security Management Systems, International Organization for Standardization (ISO)
  4. ENISA Threat Landscape 2024, European Union Agency for Cybersecurity (ENISA)
  5. NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), BSI