Information security management system
The security of the data entrusted by customers must be adequately ensured by every organization. This is ensured with organizational and technical measures.
The primary requirements of ISO 27001 include (excerpt):
Management of the assets of the organization
A company’s values (assets) must be adequately protected. This protection must be maintained with appropriate measures. The topics to consider here are inventory, classification and permissible use of data and systems. This includes how the company assesses the value of the information and which legal or regulatory requirements must be complied with.
Only values that are known (complete enumeration) can be protected.
The availability and integrity of data must be ensured with organizational and technical measures. Operating procedures and responsibilities are defined. Change management processes are introduced and documented. There is a business continuity management concept (BCM) for handling exceptions and outages.
Availability is one of the cornerstones of information security (confidentiality, integrity, availability).
A reliable management of access rights is another cornerstone of information security. Access to networks, applications and data must be defined and managed. Accounts with extended rights (administrators) must be monitored more closely.
Once a role and rights concept has been established and introduced, the first step has been taken.
With a correctly designed access control system the first step of the requirement confidentiality can be implemented.
Handling of information security incidents
IT security events must be recorded, evaluated and handled promptly. Depending on the event, further measures may be necessary, e.g. internal escalation, reporting to customers, partners or an authority.
Appropriate monitoring options and ongoing evaluations of log and error messages are the first step here.
Knowledge gained from incidents should be used to reduce the likelihood of occurrence or the effects of future incidents.
Organizations must ensure that their employees and contractors understand and fulfill their responsibilities in relation to information security. Employees must be made aware of the issue of information security through awareness training. In the event of repeated non-compliance with the requirements, it must be possible to threaten or take disciplinary measures.
Internal attacks are often the cause of data protection incidents.
Ensuring business operations (business continuity)
These measures ensure that information security is also ensured in the event of business continuity. Companies have to determine how to maintain their IT security management in emergencies, how to carry out security controls and how to regularly review and document them.
International ISMS standards
There are numerous industry-specific and generic standards and specifications. Some of the standards maintain an official certification program, but the majority does not.
- BSI basic protection (authority specification, Germany) [certification based on ISO 27001]
- GDPR (legal requirement, EU)
- HIPPA (industry standard, including data security for healthcare, US) [no official certification program]
- ISO 27001 (Information Security Management System, international) [certification]
- PCI-DSS (industry standard, data security for credit card data, international) [certification]
Some of our services
Together we will identify your requirements or the topics that are important for your customers. Accordingly, we guide you through a current situation and a gap analysis that shows where action is required. This usually includes technical and organizational measures or, for example, only the documentation of existing processes and procedures.
So that the information security management system fits your needs, it must be worked out, documented and implemented by you. Of course, we are available for coaching during this phase.
We carry out the internal audits required by the standard together with your specialists. In this way we ensure that all the documents required for the audit are complete and accessible. Here, the last open points are usually eliminated.
Questions or comments?
Tel +41 58 311 1024