In recent years, a series of laws, regulations and standards has been introduced in Europe and North America that directly or indirectly place new demands on companies’ IT security and IT risk management. Whereas in the past IT managers and security personnel determined a company’s IT security policy largely autonomously, IT administrators now have to analyze the relevant industry-specific regulations and implement them as a range of concrete measures.