Germany’s Federal Office for Information Security (BSI) is the national cybersecurity authority and is charged with promoting IT security in that country. BSI is first and foremost the central IT security service provider for the federal government in Germany, and it also offers services to IT manufacturers as well as to private and commercial users and providers of information technology.

Cyber risk management

BSI-ISA, Managing Cyber Risk (2023). A handbook for business management.

Cyber security is a matter for the boss! Secure digitization succeeds when company management develops a basic understanding of the risks in the area of information security. Only then can the management board or supervisory board assess the potential economic damage caused by cyber incidents in an informed manner and decide on the validity of IT security strategies.

The “Cyber Risk Management” handbook is aimed at company management. It provides an overview as well as recommendations for action on how to deal with and assess cyber risks. The handbook is based on the Cyber Risk Oversight Handbook, which was developed by the U.S. Internet Security Alliance (ISA) on behalf of the National Association of Corporate Directors (NACD). In workshops and in close cooperation with experts from industry, IT security research and the state, the updated version of the handbook has been translated into German and adapted to German and European conditions.

It formulates six fundamental principles that support management boards and supervisory boards in considering cyber risks:

Principle 1

Understand cyber security not only as an IT issue, but as a component of company-wide risk management.

Principle 2

Understand and examine the legal implications of cyber risks.

Principle 3

Ensure access to cyber security expertise and regular exchange.

Principle 4

Ensure the implementation of appropriate framework conditions and resources for cyber risk management.

Principle 5

Create a risk analysis and define risk appetite depending on business goals and strategies.

Principle 6

Promote company-wide collaboration and the exchange of best practices.

The handbook is supplemented by a toolbox that provides company management with methods and guiding questions, including resources from the BSI for business.


The six principles at a glance, available in English and German.

One-pager (German)

One-pager (English)

The contents of the handbook and toolbox are not relevant exclusively for listed companies. Medium-sized companies as well as other organizations, such as associations, chambers, etc., can also use the principles presented as a guideline for assessing cyber risks and dealing with them responsibly.

Principle 1