13.06.2025
External information security officer (ISO): tasks, benefits & services
- An external Information Security Officer (ISO) can help control threats and optimise security strategies.
- They provide impartial expertise and carry out various tasks to ensure compliance with information security measures.
- In our article, we explain the advantages of appointing an external ISO.

Dr. Jan Scharfenberg
Director Information Security
What does an external information security officer (ISO) do?
An External Information Security Officer (ISO) is an individual or legal entity engaged by a company to monitor and coordinate its IT security strategy and related measures – without being an in‑house employee.
The ISO’s responsibilities include ensuring proper safeguards for IT systems and corporate data. “External” signifies that this person acts as an independent service provider, not a staff member.
Is it mandatory for companies to appoint an ISO?
In Germany, there is no general legal obligation for companies to appoint an ISO. However, the BSI Act (BSIG) regulates companies that fall under the definition of critical infrastructure (KRITIS). According to Section 8a of the BSIG, KRITIS operators must take appropriate organisational and technical measures to prevent disruptions to the availability, integrity, authenticity and confidentiality of their IT systems, components and processes.
To fulfil this requirement, various information security standards exist, some of which are sector-specific. Examples include ISO/IEC 27001, BSI IT baseline protection (IT-Grundschutz) and TISAX. As these standards require that responsibility for information security be assigned to a designated role, KRITIS operators are in practice required to appoint an ISO.
Non-binding initial consultation for an external ISO
- We can support you as an external ISO.
- During the initial consultation, we will discuss your requirements free of charge.
- We can help with risk analyses, measures, monitoring and responding to security incidents.
What are the advantages of having an external ISO within a company?
The main advantages are that an external ISO is qualified, neutral and cost-effective for the appointing company. Although there are no legally regulated training criteria for an ISO, they must have extensive expertise in information security.
As well as having in-depth knowledge of IT systems, network technologies, software and hardware architecture, they must also be familiar with all relevant industry security standards and laws. Given the interdisciplinary nature of the role, extensive practical experience is generally required.
In addition to technical expertise, an ISO should also possess the necessary soft skills, such as assertiveness and excellent communication skills, to ensure that employees comply with information security measures at an individual level. Maintaining neutrality is a balancing act, especially in day-to-day personal dealings with colleagues.
To provide objective risk and security measure assessments, the ISO must act independently. Internal conflicts of interest can compromise the impartial fulfilment of tasks. In this respect, an external ISO can contribute their professional expertise, free from internal company interests.
For many companies, appointing an external ISO is also significantly more cost-efficient than training and assigning in-house employees. Training and carrying out the role's tasks tie up human resources and can disrupt internal processes. Appointing an internal ISO is also less resilient: if the employee leaves, the role is vacant until a replacement has been recruited and trained at considerable expense.
At a glance: Internal or external ISO?

| | External ISO | Internal ISO |
|---|---|---|
| Qualification | Assured through the provider's professional expertise and practical experience | Must be built up through in-house training |
| Neutrality | Acts independently of internal company interests | Internal conflicts of interest can compromise impartial assessments |
| Cost savings | No training overhead; no vacancy if the person leaves | Training and the role itself tie up staff and can disrupt internal processes |
What are the responsibilities of an external information security officer?
On a day-to-day basis, an external ISO performs a wide range of tasks, which essentially include:
Advising and reporting to the management
The external ISO acts as an intermediary between management, users, and IT support. They ensure that problems and solutions are communicated smoothly between all parties and report regularly to management.
Carrying out risk analyses
The core tasks of the external ISO include regularly evaluating risks and identifying company-specific weaknesses in information security. To accomplish this, they must monitor all security-relevant assets and periodically assess potential threats.
Creation and maintenance of security guidelines
The external ISO defines an organisation's security objectives and translates these into security guidelines. To maintain the company's security level, these guidelines must always be kept up to date.
Employee training
Training and raising awareness of information security issues among employees is also part of the external ISO's remit.
Monitoring
The external ISO is responsible for monitoring compliance with information security standards and legal requirements. Any deficiencies must be reported to management immediately and rectified by means of appropriate measures.
Responding to security incidents
The external ISO is the main point of contact for coordinating and processing information security incidents. This includes responding to and preventing threats.
What is the difference between an ISO, an IT security officer and a CISO?
Although the terms are often used interchangeably, in theory, their roles differ in certain subtle ways.
An ISO is responsible for protecting all company information. To this end, they carry out day-to-day practical tasks to ensure the technical implementation of information security measures.
A CISO, on the other hand, tends to act at a higher level, primarily taking on strategic tasks and communicating with management. In small to medium-sized companies in particular, the roles of the CISO and the ISO often overlap. However, in larger companies with an international focus and group structures, it often makes sense to differentiate between strategic and operational roles to avoid overloading the ISO.
This role should be distinguished from that of the IT security officer. This person is specifically responsible for protecting IT systems and the data stored in them, as well as for the strategic implementation of IT systems. Compared to the ISO and CISO, the IT security officer focuses more on protecting IT systems. In practice, these activities often overlap with the ISO's remit.
ISiCO provides these services through an external information security officer.
- We develop and implement security strategies that take into account your company's specific requirements and risks. We define security policies and procedures to prevent data loss and security breaches.
- We establish, expand and maintain the information security management system (ISMS) to ensure that it meets your company's current requirements and is continuously improved.
- We regularly review and evaluate the processes and measures described in the ISMS to ensure they meet your company's security objectives. Adjustments are made where necessary.
- We conduct risk management, assessing potential security risks and their impact on the company. Based on this analysis, risk mitigation and control measures are developed.
- We handle crisis management in the event of a security incident: we organise the company's response, investigate the incident, and coordinate recovery measures and communication with the relevant stakeholders to minimise damage to the company.
- We train all employees and raise their awareness of security risks and the relevant procedures and best practices.
- We provide management with regular updates on the status of information security in the company, identifying potential risks and recommending security measures.
- We maintain external communication with partners, authorities and other relevant stakeholders on all information security issues, coordinate security audits and certification processes, and support companies in strengthening their information security.
Frequently asked questions about external ISOs
Which industries would benefit most from an external information security officer?
In principle, an external ISO can benefit companies in all industries and sectors. Companies that fall under the KRITIS regulation, in particular, can protect themselves by appointing an external ISO. Companies undergoing digital transformation can also benefit from the expertise of external ISOs. The size and complexity of data flows should also be considered: larger companies with high data volumes (e.g. from suppliers) often rely on the expertise of external ISOs.
What qualifications should an external information security officer have?
In the absence of legally regulated training, they should initially have a professional qualification in the field of technology, IT or law, such as a BSc/MSc, state-recognised technician qualification or qualification in a recognised training occupation. Fully qualified lawyers or business lawyers with relevant practical experience often take on the role of an external ISO. In addition to specialist knowledge, an external ISO should have extensive practical experience. Excellent communication and analytical skills are also essential for the role.
Does the ISO perform any data protection tasks?
As a general rule, it is best to avoid mixing ISO tasks and data protection officer (DPO) tasks. While the ISO supports the maintenance of an appropriate level of data protection as part of their activities, the DPO is generally responsible for it. Once a company is required to appoint a DPO under the GDPR/BDSG, it must ensure that the DPO carries out their duties independently. This also means that the DPO must not themselves decide on the processing of data. As such decisions do occur in the context of the ISO's activities, a conflict of interest would arise if one person held both roles. The ISO's data protection tasks are therefore limited to cooperation and exchange with the DPO, as well as providing the necessary assistance.
What is the role of the external ISO in a security incident?
The external ISO plays a central role, as they are responsible for coordinating, monitoring and responding to the incident. This includes activating a coordinated response mechanism as soon as an incident is detected, analysing it, communicating with all involved parties, and containing and resolving it without delay. Finally, the incident's causes must be investigated and addressed.
Does the external ISO also carry out IT security audits?
Yes, conducting internal IT security audits is one of the fundamental duties of an ISO. Various focal points are conceivable. For example, an audit can be used to check the security measures that have been implemented and test the systems for vulnerabilities (penetration testing). Audits can also be carried out in preparation for a planned certification.