Information and IT security are, just like the information technologies, subject to constant change. Starting with the threats, risks and security obectives of a company through to the details of individual security measures, continous analysis and optimization is required. Based on the complex requirements and interdependencies in information and IT security, sustainability cannot be achieved through urgent individual actions. Only the establishment of fundamental management processes will enable you to control the multitude of required management processes in a strategic and viable way. In addition, legislative authorities increasingly demand proof of respective control methods being applied in a company. There are numerous international standards for the implementation, such as ISO/IEC 27001 for information security management or ISO/IEC 27005 for IT risk management. Based on these theoretical frameworks the biggest challenge, however, lies in the practical implementation of the guidelines outlined in these frameworks.