Risk Management
LEGAL BASIS
§30(2) No. 1 BSIG – Concepts relating to risk analysis and information system security
Information Security Policy
BAUER GROUP operates an Information Security Management System (ISMS) covering the protection goals of confidentiality, integrity, availability and authenticity. The information security policy is reviewed and approved annually by management.
Systematic Risk Analysis
| Step | Description | Interval |
|---|---|---|
| Asset identification | Recording of all critical systems, data and processes | Ongoing |
| Threat analysis | Identification of relevant threat scenarios | Annually |
| Vulnerability assessment | Technical and organizational vulnerabilities | Annually + event-driven |
| Risk assessment | Likelihood × impact | Annually |
| Risk treatment | Avoid, mitigate, transfer, accept | After assessment |
Risk Treatment Options
| Option | Description | Application |
|---|---|---|
| Avoid | Eliminate the risk source | When economically justifiable |
| Mitigate | Technical/organizational measures | Standard approach |
| Transfer | Insurance or outsourcing to a qualified provider; shifts cost or operation, not accountability for the residual risk | For residual risks |
| Accept | Conscious acceptance, documented in the risk register | Only for low residual risk and with documented management approval |
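As an added illustration of the risk assessment step (likelihood × impact) and the treatment rules in the table above, the following script scores a small risk register and flags treatments that break those rules, for instance an accepted risk without management approval. This is example code written for this page, not BAUER GROUP's own tooling; the 1-5 scales, the banding of the score into levels, and the sample assets are assumptions.

```python
"""Worked example for the risk assessment and risk treatment steps.
Added for this page; not BAUER GROUP's tooling. The 1-5 scales, the
score banding and the sample register entries are assumptions."""
from dataclasses import dataclass
from typing import Optional

SCALE = range(1, 6)  # assumed ordinal 1..5 for likelihood and impact


def risk_score(likelihood: int, impact: int) -> int:
    """Risk assessment step of the table: likelihood x impact."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Assumed banding of the 1..25 score into four levels."""
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "very high"


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int


@dataclass
class Treatment:
    option: str                                # avoid | mitigate | transfer | accept
    measure: str
    residual_likelihood: Optional[int] = None  # None only for "avoid"
    residual_impact: Optional[int] = None
    approved_by: Optional[str] = None          # required for "accept"


def check_treatment(risk: Risk, t: Treatment) -> list:
    """Apply the rules of the treatment table; returns findings (empty = ok)."""
    findings = []
    if t.option == "avoid":
        # The risk source is eliminated, so no residual risk is recorded.
        if t.residual_likelihood is not None or t.residual_impact is not None:
            findings.append("avoid: residual risk must not be recorded")
        return findings
    if t.residual_likelihood is None or t.residual_impact is None:
        return [f"{t.option}: residual likelihood/impact missing"]
    inherent = risk_score(risk.likelihood, risk.impact)
    residual = risk_score(t.residual_likelihood, t.residual_impact)
    if t.option == "mitigate":
        if residual >= inherent:
            findings.append("mitigate: measure does not reduce the risk")
    elif t.option == "transfer":
        # Insurance or outsourcing shifts cost or operation, not accountability,
        # so a residual that is still high needs further treatment.
        if risk_level(residual) in ("high", "very high"):
            findings.append("transfer: residual risk still high")
    elif t.option == "accept":
        if risk_level(residual) != "low":
            findings.append("accept: residual risk is not low")
        if not t.approved_by:
            findings.append("accept: management approval missing")
    else:
        findings.append(f"unknown treatment option {t.option!r}")
    return findings


def evaluate_register(register) -> dict:
    """Score every (risk, treatment) pair and collect findings per asset."""
    report = {}
    for risk, t in register:
        score = risk_score(risk.likelihood, risk.impact)
        report[risk.asset] = {
            "inherent": score,
            "level": risk_level(score),
            "option": t.option,
            "findings": check_treatment(risk, t),
        }
    return report


# Constructed sample register (illustrative assets, not taken from the page).
SAMPLE_REGISTER = [
    (Risk("erp-db01", "ransomware via exposed RDP", 4, 5),
     Treatment("mitigate", "remove RDP exposure, MFA, offline backups", 2, 4)),
    (Risk("legacy-fax-gw", "unpatched firmware exploited", 3, 3),
     Treatment("avoid", "decommission the gateway")),
    (Risk("m365-tenant", "provider outage", 2, 4),
     Treatment("transfer", "contractual SLA with provider", 2, 4)),
    (Risk("intranet-wiki", "defacement", 2, 2),
     Treatment("accept", "documented, reviewed annually", 2, 2)),        # no approval
    (Risk("hr-portal", "credential stuffing", 3, 3),
     Treatment("accept", "accepted by management", 3, 3, "CISO")),      # not low
]

if __name__ == "__main__":
    for asset, row in evaluate_register(SAMPLE_REGISTER).items():
        print(asset, row)
```

Running the script prints one row per asset; only the two "accept" entries produce findings, which is the point of the last row of the treatment table: acceptance is not a way to close a medium risk, and a low one still needs a named approver.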
Asset Inventory
All IT systems, components and processes are recorded in a central inventory:
- Server systems – Physical and virtual servers with location, purpose and owner
- Network components – Firewalls, switches, routers with firmware versions
- Applications – Custom and third-party software with license and support status
- Data assets – Classification by protection need (normal, high, very high)
- Cloud services – External services with provider, location and contract status
Standards Orientation
- ISO/IEC 27001:2022 – Information security management systems
- BSI IT-Grundschutz – Methodological framework for risk analysis
- Implementing Regulation (EU) 2024/2690 – Technical and methodological requirements for NIS2 cybersecurity risk-management measures (directly applicable to certain digital infrastructure and digital service providers)