Information Security Officer (ISB / CISO)
ISO 27001:2022 ISMS ownership, NIS-2 incident reporting and KRITIS obligations: 93 Annex A controls tracked, the 24-hour early warning and 72-hour incident notification handled, TISAX and BSI C5 delivered on request.
ISO/IEC 27001:2022 · §§ 30, 38 BSIG · NIS-2
What is an Information Security Officer in Germany?
An Information Security Officer in Germany, also called Informationssicherheitsbeauftragter or ISB, or an external CISO when the role is outsourced, is the designated person responsible for steering information security risk, controls and incident response. The role has shifted from a recommended best practice to a legal duty for a large segment of the German economy since the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS-2-UmsuCG) entered into force on 06 December 2025.

The transposed law amends the BSI-Gesetz: § 30 BSIG defines the cybersecurity risk management measures, § 32 BSIG sets the reporting duties with the 24-hour early warning, the 72-hour incident notification and the one-month final report, and § 38 BSIG requires the management to be involved in governance. Two new categories apply: essential entities and important entities, with thresholds typically at 250 employees and 50 million euros turnover for essential entities, and 50 employees and 10 million euros turnover for important entities. For financial institutions, the EU Digital Operational Resilience Act (DORA, Regulation 2022/2554) has applied since 17 January 2025, adding ICT risk management, incident reporting and third-party oversight under Art. 28.

The accepted control catalogue is ISO/IEC 27001:2022 with 93 controls in Annex A; the transition period from ISO 27001:2013 ended on 31 October 2025, so any active certificate must now reflect the 2022 version. Fines under § 60 BSIG reach up to 10 million euros or 2 percent of global annual turnover for essential entities, and the management can be held personally liable for breach of its supervisory duty.
Duties of the Information Security Officer
- Define and maintain the information security management system mapped to ISO/IEC 27001:2022 Annex A.
- Operate the cybersecurity risk management measures listed in § 30 Abs. 2 BSIG, from access control to supply chain security.
- Run the incident detection, classification and reporting process within the 24-hour, 72-hour and one-month deadlines of § 32 BSIG.
- Coordinate the DORA register of information for ICT third-party providers under Art. 28 of Regulation 2022/2554.
- Lead the annual risk assessment, penetration test programme and tabletop exercise for the executive board.
- Train staff on phishing, social engineering and the use of generative AI tools.
- Maintain the business continuity and disaster recovery plan including a tested 4-hour RTO for critical systems.
- Report quarterly to the management board on incidents, vulnerabilities and remediation status.
- Liaise with the BSI, BaFin and external auditors during certifications and supervisory inspections.
When must an Information Security Officer be appointed?
The duty to appoint an information security officer follows from the NIS-2-UmsuCG, in force since 06 December 2025, and from sector-specific regulation. § 38 BSIG obliges the management of essential and important entities to ensure that cybersecurity risk management measures are implemented and supervised, which in practice requires a named information security officer.

Essential entities cover sectors such as energy, transport, banking, healthcare, drinking water, wastewater and digital infrastructure, with thresholds at 250 employees and 50 million euros turnover or 43 million euros balance sheet total. Important entities cover postal services, waste management, chemicals, food, manufacturing of medical devices, electronics and machinery, and digital providers, at thresholds of 50 employees and 10 million euros turnover.

For banks and insurers, MaRisk AT 7.2 and BAIT or VAIT have required an information security officer since 2017 and 2018 respectively. Since 17 January 2025, DORA Art. 5 to Art. 16 have required financial entities to assign clear ICT risk responsibilities. Public sector and critical infrastructure operators already had duties under § 8a BSIG. Mid-sized companies frequently engage an external CISO as a service to obtain BSI- and BaFin-grade competence without a full-time hire.
- Essential entity under NIS-2-UmsuCG: 250 employees or 50 million euros turnover in scope sectors.
- Important entity under NIS-2-UmsuCG: 50 employees or 10 million euros turnover in scope sectors.
- Critical infrastructure operator under § 28 BSIG with sectoral thresholds defined by BSI-KritisV.
- Financial entity under DORA: scope from 17 January 2025 for banks, insurers, investment firms and crypto-asset service providers.
- Bank or insurer under MaRisk AT 7.2 or BAIT and VAIT: information security officer required.
- Federal contractor processing classified information: VS-NfD or higher clearance and BSI IT-Grundschutz duties.
Typical sectors
- Banking, insurance and investment firms under DORA and MaRisk
- Energy, grid operators and renewables as NIS-2 essential entities
- Hospitals, MedTech and pharmaceutical manufacturers
- Water and wastewater utilities under § 28 BSIG
- Logistics, freight forwarders and postal services
- Manufacturing, machinery and automotive tier-1
- Cloud, data centre and managed service providers
- Public administration and federal contractors
- Chemicals and process industry
How CIVAC supports your Information Security Officer
CIVAC provides an external CISO engagement plus a workspace that maps ISO/IEC 27001:2022 Annex A, § 30 BSIG risk management measures and DORA Art. 5 to Art. 28 obligations to a single evidence base. You receive a written ISMS scope, an asset and risk register, a third-party register for DORA, an incident response runbook with the 24-hour, 72-hour and one-month BSIG reporting timers and a tested business continuity plan. CIVAC operates the registration with the BSI single point of contact for essential and important entities and prepares the management board for the personal accountability under § 38 BSIG. Quarterly board reports cover KRIs, open vulnerabilities and certification status in German and English.
Need this officer role for your organisation?
Appoint our experts as your external officer or license CIVAC for your in-house team. Get in touch and we walk you through the right setup.