I have been qualified as a certified Information Security Officer (ISB) according to ISO 27001 since November 2025 and support companies in building and developing a standards-compliant, company-specific Information Security Management System (ISMS). This certificate confirms that I possess the necessary knowledge and skills to design and accompany an ISO-27001-compliant ISMS, including evidence documentation, according to the state of the art.
My tasks as ISB include, among others, defining information security objectives and policies, identifying and assessing risks, and deriving appropriate security measures. In addition, I accompany the implementation and ongoing operation of these measures, monitor their effectiveness, and actively promote security awareness within the organization. Another focus is the creation and maintenance of security policies and processes as well as the preparation and support of internal and external audits according to ISO 27001.
This role ideally complements my existing focus on project management and PMO: In projects, information security requirements can be considered early, risks addressed in a structured manner, and compliance requirements directly integrated into project governance. This way, I combine modern, "New Work"-oriented project work with a structured security and compliance framework that helps organizations grow in a sustainable and trustworthy way.
Conducting an Information Security Risk Analysis (ISRA) as early as project initiation to identify threats to confidentiality, integrity, and availability, e.g., documented in the Project Initiation Document (PID).
Regular risk reviews at milestones, including assessment of risk appetite by the project steering committee before transitioning to the next phase.
Integration of Security Requirements
Defining clear security roles in the project team, e.g., appointing a Security Liaison for kick-off meetings and assigning responsibilities in the Project Charter.
Incorporating Security-by-Design into project plans: Creating Security User Stories (Agile) or Requirements Specs (Waterfall), including controls like MFA or encryption.
Implementation and Monitoring
Accompanying the implementation of secure processes, e.g., in IT/digitalization projects through securing cloud services, evaluating suppliers, or integrating DevSecOps.
Continuous testing such as vulnerability scans or pen-tests in the execution/UAT phase, as well as security go-live sign-off before project completion.
Creating a project risk register and reporting to management on the implementation of measures, including preparation for internal/external audits.
Training the project team on security awareness and documenting all security decisions for traceability.
Common risks for an Information Security Officer (ISB) in PM projects often arise from inadequate integration of ISO-27001 requirements (e.g., Control 5.8) into the project lifecycle, leading to security gaps or compliance issues.
Inadequate access controls or delayed deletion of test data, leading to data leaks or violations of NIS-2 requirements.
Security vulnerabilities due to lack of Security-by-Design, e.g., when integrating new systems, cloud services, or DevOps processes, including malware or insufficient
System outages or lack of integration with legacy systems that impair information security.
Incomplete risk analysis (ISRA) or superficial assessment, overlooking threats like phishing, social engineering, or inadequate backups.
Lack of clear responsibilities in the project team, leading to conflicts, delayed audits, or unclear implementation of measures.
Too many change requests without security review, disrupting the project plan and jeopardizing compliance.
Delays due to stakeholder conflicts or lack of resources, hindering the implementation of security measures.
Fines or loss of certification due to violations of ISO 27001 or NIS-2, e.g., lack of audit readiness.
Physical threats such as theft of hardware or inadequate team training on security awareness.