77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
Order ISB: Obligation, suitability, appointment certificate and cost framework
IT Security & NIS-2

Order ISB: Obligation, suitability, appointment certificate and cost framework

11 June 202613 min readBy Lena Vogt
CIVAC

Ordering an ISB has been mandatory for around 29,500 companies in Germany since the NIS 2 Implementation Act came into force. This article explains suitability, scope of tasks, appointment certificate, reporting line and realistic cost framework for internal and external orders.

The German NIS 2 Implementation Act obliges around 29,500 companies to appoint an information security officer and inform management about cybersecurity risk management. In addition, there are industry regulations such as BSI-Grundschutz, ISO/IEC 27001:2022, KRITIS regulations and the banking supervisory BAIT/VAIT framework, which each require a comparable role.

Anyone who wants to appoint an ISB is faced with six questions: Who is actually obliged, what suitability does the person have to prove, which tasks are included in the scope of the order, what does a verifiable appointment certificate look like, who does the person report to role, and is an internal or external order more economical? This article answers the six questions along the relevant paragraphs and provides a template that will withstand the relevant supervision.

Key Takeaways

  • The ISB appointment must be made in text form with a clear scope of tasks, a documented reporting line to management and demonstrable suitability.
  • External ISB appointments are permitted according to Section 30 NIS2UmsuCG and typically cost 40 to 60 percent of an internal full-time position.
  • Management is personally liable for failures in cybersecurity risk management, an appointed ISB role reduces this risk but does not eliminate it.

Anyone who has to order an ISB in Germany

The obligation to order arises from several parallel legal sources. Firstly, the NIS 2 Implementation Act: Essential and important institutions must introduce risk management measures and appoint a responsible person to operate the BSI reporting system. The thresholds are 50 employees and 10 million euros in annual turnover for most sectors. There are also sectoral thresholds, for example for digital infrastructure, management of ICT services, public administration, banking, health and energy.

Secondly, ISO/IEC 27001:2022. Anyone who operates or aims to operate a certified ISMS requires a responsible person according to Control A.5.1, A.5.2 and A.5.3. Thirdly, sector-specific requirements, such as BAIT for banks, VAIT for insurers, KRITIS regulation for operators of critical systems, KAIT for capital management companies. Fourthly, public procurement law, in which clients are increasingly demanding a named information security officer in tenders. An overview of the role: external information security officer.

Suitability: What knowledge the person must demonstrate

The suitability of an ISB is not regulated by a single certificate, but by demonstrable expertise in four areas. Firstly, regulatory knowledge: NIS-2, BSI law, ISO/IEC 27001:2022, if necessary KRITIS, BAIT, VAIT, TISAX and industry-relevant special laws. Secondly, technical knowledge: network security, identity and access management, cryptography, logging, incident response, cloud security and resilience. Third, organisational knowledge: risk management, supplier control, training, awareness and communication with management and supervision.

Fourth, experience: At least two to three completed ISMS implementations or comparable mandates. Common certificates as proof are ISO 27001 Lead Auditor, ISO 27001 Lead Implementer, BSI-Grundschutz-Praktiker, CISM or CISSP. A certificate does not replace experience. The documented requirement for further training is important. CIVAC maintains a training file with hours and topics for each role ordered, so that suitability can be proven during an audit visit. The appointment certificate, signed, filed, verifiable.

Area of ​​responsibility: What should be in the order

A precisely formulated scope of tasks protects both sides. In practice, eight tasks are standard. (1) Setup and maintenance of the information security management system according to ISO/IEC 27001:2022 with all 93 controls. (2) Creation and annual updating of the IT security guidelines. (3) Risk analysis according to recognised methodology, with documented acceptance by management. (4) Control of emergency management including tabletop exercises.

(5) Operation of the NIS-2 reporting path to the BSI with 24-hour early warning and 72-hour follow-up reporting. (6) Training and awareness for all employees, with proof of participation per person. (7) Supplier and cloud control in accordance with Art. 28 GDPR for personal data and in accordance with Annex A.5.19 to A.5.23 of ISO/IEC 27001:2022 for security-relevant service providers. (8) Reporting to the management at least quarterly and to the supervisory board or advisory board at least annually. In the CIVAC workspace, these eight tasks are pre-assigned as building blocks and can be individually adapted.

The appointment certificate: mandatory content and form

A verifiable appointment certificate contains eight mandatory contents. (1) Name of the responsible body and the legal basis, such as the NIS 2 Implementation Act, ISO/IEC 27001:2022 and, if applicable, sectoral regulation. (2) Name and function of the person appointed, in the case of external orders, the representing contractual partner and the representation regulations. (3) Complete list of tasks, ideally structured according to the eight standard tasks. (4) Reporting line to management with frequency and escalation path.

(5) Resource commitment in person-days per month or year and in budget for external audits and tools. (6) Protection against discrimination due to the performance of the function, analogous to Section 6(4) BDSG for data protection officers. (7) Duration of the appointment, notice period and handover obligations at the end of the mandate. (8) Date and signature of the management. The certificate is archived with a version history. A sample template is part of the 37 ready-to-use CIVACaudit templatesand can be issued within two working days. The auditor calls, the evidence is ready.

Reporting line and independence

The ISB role is only effective with a direct reporting line to management. A suspension under the IT management creates a structural conflict of interest: the ISB would have to evaluate the actions of the person who leads it. NIS-2 explicitly requires that senior management itself be trained and informed about cybersecurity risk management. Anyone who places the ISB three levels below the management formally meets this requirement, but risks proof of effectiveness.

The typical reporting frequency in medium-sized companies: monthly status report to the IT management, quarterly report to the management, annual report to the advisory board or supervisory board. In the event of security incidents that require reporting, please contact management immediately. External ISB mandates receive the same reporting access as internal roles and document every meeting in the workspace. The dual models: Licence the workspace for your internal representatives, or have our representatives order it. In both cases, the report documentation is available for auditing.

Order internally or externally: economics and risk

An internal full-time ISB position in Germany costs 85,000 to 120,000 euros gross per year, plus social costs, training budget and tools. Realistic full cost rate: 130,000 to 160,000 euros per year. There is also the recruitment risk: ISB positions in Germany remain unfilled for an average of five to nine months. An external order usually fulfils the same obligation at 55,000 to 95,000 euros per year, depending on the size of the company, complexity and desired audit support.

The external order is economically clear for medium-sized companies with between 50 and 800 employees. For very large corporations or highly regulated sectors, a hybrid solution may make sense: an internal ISB supported by an external platform with templates, audit support and emergency backup. CIVAC delivers the external order via an appointment certificate within two working days, with representation regulations, liability coverage and a directly available NIS-2 24/72 reporting path. Others run compliance like a filing cabinet. We run it like software. More information about the NIS 2 situation: NIS 2 implementation Germany 2026.

Interface to the data protection officer

ISB and data protection officer overlap in three points: technical and organisational measures in accordance with Art. 32 GDPR, the 72-hour reporting of data breaches in accordance with Art. 33 GDPR and the assessment of new IT systems as part of a data protection impact assessment in accordance with Art. 35 GDPR. If a data breach is also a reportable security incident according to NIS-2, both deadlines run parallel. 72 hours GDPR from knowledge of the data breach, 24 hours NIS-2 early warning and 72 hours NIS-2 follow-up notification from knowledge of the security incident.

The clean solution is a common incident pipeline that the ISB and data protection officer access from their roles. If you order both roles externally, you should not bundle them in one person, but in a team with separate appointment certificates and a shared workspace. Section 38(6) BDSG only allows the compatibility of both roles in one person if there is no conflict of interest. In practice, a separation of personnel is cleaner. CIVAC orders both roles from the same Officer-as-a-Service pool and shares an evidence layer with separate accesses. Audit-proof, documented, § 130 OWiG-proof.

An ISB order expires in ten working days

Working day 1: Scoping discussion, clarification of NIS 2 status, sectoral obligations, ISMS maturity level and budget framework. Working day 2 to 3: Selection of the appointed person including representation, comparison of proof of suitability, dispatch of the appointment certificate for internal review. Working days 4 to 5: Signature by management, publication in the internal directory, setting up the reporting line and the central contact address for supervision.

Working days 6 to 7: Inventory inventory. Which risk analysis is available, which incidents have been reported, which TOMs are documented, which supplier contracts contain security requirements? Working day 8 to 10: Setting up the reporting path, first tabletop exercise and kickoff of the 90-day plan. The industry standard is four to eight weeks because templates and people are first sought. With the CIVAC Workspace and the Officer-as-a-Service variant, the order is completed in ten working days, the appointment certificate is signed, filed and verifiable.

Turn reading into an assignment

If you need to order an ISB, you have three options: build it internally, order it externally or work hybrid. All three methods fulfil the legal obligation if the appointment certificate is clearly issued, the reporting line to management is documented and the reporting path to the BSI is tested. The question is not which path is formally correct, but rather which path will achieve an auditable status in your company the fastest.

CIVAC is a German Compliance Platform and Officer-as-a-Service with EU data residency and ISO/IEC 27001:2022 ISMS. Licence the workspace for your internal representatives, or have our representatives order it. The appointment certificate is available in two working days, the NIS 2 reporting path is available from day one, and the 490 audit templates noticeably shorten the first 90 days. Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de for a 30-minute scoping discussion.

FAQ

Which companies will have to order an ISB in 2026?

In particular, essential and important facilities according to NIS-2, operators of critical systems according to the KRITIS regulation, banks and insurers according to BAIT and VAIT as well as organisations with certified ISMS according to ISO/IEC 27001:2022 are obliged. The threshold for most sectors is 50 employees and an annual turnover of 10 million euros.

What suitability does an ISB have to demonstrate?

The person requires regulatory, technical and organisational knowledge as well as experience from at least two completed ISMS implementations. Common documents include ISO 27001 Lead Auditor or Lead Implementer, BSI-Grundschutz practitioner, CISM or CISSP. A documented training file supplements the certificates.

What must be stated in the ISB appointment certificate?

Legal basis, name of the appointed person, catalogue of tasks, reporting line to management, commitment of resources, protection against discrimination, length of appointment, notice period and date and signature of the management. For external orders, the contractual partner and the representation regulations are also included.

Can the ISB also be a data protection officer?

A personal union is legally possible, but rarely advisable. Section 38(6) BDSG only prohibits a dual role in the event of a specific conflict of interest. In practice, a separation of personnel with a common incident pipeline is the cleaner solution, especially in NIS 2-relevant sectors.

How much does an external ISB cost in medium-sized businesses?

Realistic annual fees are between 55,000 and 95,000 euros, depending on company size, sector, ISMS maturity level and desired audit support. Compared to an internal full-time position with full costs of 130,000 to 160,000 euros, the external variant saves 40 to 60 percent.

How quickly does an ISB order take effect?

If the template is available and the person is selected, the order will be issued in two working days. The complete operational status with reporting path, risk analysis and reporting cycle can be achieved in medium-sized companies in ten working days, provided workspace and templates are available.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles