What is CISIS12®?

CISIS12 is an Information Security Management System (ISMS) that is developed, published, taught and distributed by the IT Security Cluster. It is the result of a ten-year development period and builds on the experience gathered with the previous versions. The management system is simply and comprehensibly structured; even newcomers find it easy to understand and logical to use. Results can be generated very quickly, and they are well suited to bringing a stable and robust management system to life in a relatively short time.

CISIS12 stands for Compliance and Information Security in twelve steps. The framework enables organisations to roll out information security processes both horizontally and vertically. It is designed to be scalable and helps to set up and maintain an understandable, accepted and appropriate security structure in small and medium-sized enterprises (SMEs).

CISIS12® is a further development of the previous versions ISIS12 1.9 and ISIS12 2.0 and focuses on risk management:

  • Compliance and related processes
  • Structured layout: standard, catalogue of measures, audit scheme
  • References to relevant standards and catalogues of measures from BSI IT-Grundschutz and ISO/IEC 27001
  • Options for integrating industry-specific standards and catalogues such as TISAX and B3S (KRITIS)
  • Supplemented by a manual and a training concept
  • Software with project management, a GDPR (DSGVO) module and document control

Renaming from ISIS12 to CISIS12®

With the launch of ISIS12 V3 the name changed to CISIS12 (Compliance InformationsSIcherheitsmanagementSystem, i.e. compliance and information security management system, in 12 steps).

Reasons for the renaming

– Stronger focus on the management level

– The topic of compliance is thereby brought more to the foreground

– Marketing reasons


We strongly recommend using supporting software for CISIS12®. We have therefore concluded agreements with various software manufacturers for the use of ISIS12/CISIS12®. These can currently be found in the Software section of the ISIS12 website.

The following information on the individual solutions comes from the providers' own descriptions. We endeavour to keep the list as complete as possible. However, we can neither make a recommendation nor currently provide information on the specific functions of each product. We therefore ask consultants to contact the software companies directly.

Who provides CISIS12 consulting?

Consultants are trained and recertified exclusively by the IT Security Cluster, which appoints, confirms and recertifies them in their role as consultants. To become a consultant, one of the following requirements must be met:

  • Certification as an ISO/IEC 27001 auditor or as an IT-Grundschutz (IT baseline protection) auditor, OR
  • At least 5 years of relevant professional experience in IT, of which at least 4 years in information security, OR
  • A completed degree in IT and/or information security plus at least 4 years of work experience in information security.

This information is submitted via a questionnaire (self-disclosure) and reviewed by an expert panel of the IT Security Cluster. If one of the three requirements is met, a five-day CISIS12 course must be attended. It concludes with a 90-minute online exam at the ICO (multiple choice, closed book). If the exam is passed, the board/managing director of the IT Security Cluster issues a certificate and grants the consultant role.

Holders of a valid ICO advisor certificate must upgrade it in order to consult on CISIS12. For this purpose, a two-day training course at the Cluster is attended, which concludes with a 60-minute exam (multiple choice, closed book) at the ICO. If this is passed and the consultant commits to attending three further training workshops per year, the CISIS12 consultant role is granted by the managing directorship/CEO of the IT Security Cluster.

CISIS12® in your software solution

Software companies can contact Nicole Eckl at any time: Nicole.Eckl[ -/ @ -/ ]it-sicherheitscluster.de.

Preliminary information: integrating the CISIS12® catalogues into software, or developing CISIS12® software, requires a software licence agreement between the software company and the IT Security Cluster. Without such an agreement, CISIS12® information and processes may not be used in software.


Audit & Certification

Audit and certification:

  • Confirms conformity with the CISIS12® standard
  • Minimises an organisation's liability risks
  • Can lead to an audit in approx. 12 months
  • Provides the best prerequisites for further development towards ISO/IEC 27001