In the course of digitalization, the number of applicable legal and oversight requirements regarding information security is increasing. This makes it necessary to establish systematic information security management for which an information security officer takes responsibility. For this reason, a large development bank has decided to implement a risk-oriented information security management system in accordance with ISO 27001. Together with Q_PERIOR, the bank carried out a business impact analysis and a weak spot analysis and, based on the results, set up an information security organization. This has taken a lot of strain off the IT department and ensures that the executive management is in compliance with all applicable regulations and will henceforth be rapidly involved in significant IT issues.