Modern administrative action is no longer conceivable without electronic communication and IT. The complexity of IT, the increasing degree of networking and the dependence of the administration on IT-supported procedures has led to the fact that security of IT and associated processes must be given high priority and a corresponding cybersecurity strategy must be substantiated. Existing approaches either fall short or cannot be applied to the context of local government without adaptation. This article aims at contrasting the published state-of-the-art in information security management and the state-of-practice in governmental organizations. Empirical basis for our work are (1) audit reports of certification audits in the municipal sector, (2) expert interviews on the status quo of information security in German local government and (3) a review of scientific literature. Results of the paper include current challenges in increasing the resilience of the municipal administration and open issues for future research.