Industry 4.0, the so-called fourth industrial revolution, stands for intelligent networking of development, production, logistics and customers. It represents a multitude of information and data that are often of existential value to organizations. Protecting their availability, integrity and confidentiality is a central task. Information security encompasses all measures that help an organization become aware of existing risks, identify them, and take appropriate measures to protect against them.
Due to insufficient security in information processing, the German economy alone suffers damage amounting to billions of euros every year. The reasons for this are complex and range from external disturbances and technical errors to industrial espionage and misuse of information by former employees. But only those who recognize the challenges can also initiate appropriate measures. A well-structured information security management system in accordance with the internationally recognized ISO 27001 standard is an optimal basis for the effective implementation of a holistic security strategy. What exactly does this mean and what needs to be considered? Get answers to important questions about ISO 27001 right here.
CONTENT
- What is information security?
- What are the protection goals of information security?
- What is an information security management system?
- For which organizations is ISO 27001 useful?
- What are the benefits of an information security management system?
- What is the role of people?
- ISO 27001 - Questions about the introduction
- Why ISO 27001 certification?
- DQS - What we can do for you
What is information security?
The answer to this question is quite simple in terms of the international family of standards for information security ISO 2700x:
"Information is data that is of value to the organization."
ISO/IEC 27000:2020-06: Information technology - Security techniques - Information security management systems - Overview and vocabulary
You see, information is an asset that should not fall into the hands of unauthorized persons, and that requires appropriate protection.
Information security is therefore everything that has to do with protecting your company's information assets. The decisive factor here is to be aware of the risks that exist in the context of the company, or to uncover them, and to counter them with appropriate, needs-based measures.
"Information security is not IT security"
IT security refers only to the security of technology deployed and not to the corporate assets to be protected. Organizational concerns, for example access authorizations, responsibilities or approval procedures, as well as psychological aspects, also play an essential role in information security. However, secure IT also protects the information in the company.
What are the protection goals of information security?
According to the international standard ISO/IEC 27001, the protection goals for information security comprise three main aspects:
- Confidentiality - protection of confidential information from unauthorized access, whether for reasons of data protection laws or on the basis of trade secrets covered by e.g. a Trade Secrets Act. It is the level of confidentiality that is relevant here.
- Integrity - minimizing any risks, ensuring completeness and reliability of all data and information.
- Availability - ensuring access and usability for authorized access to information, buildings and systems. This is essential for maintaining processes.
Key questions about information security
- What are my company's assets?
- Which company assets need to be protected?
- What attacks are the company assets exposed to?
- Who has an interest in protecting this information?
- What are appropriate measures?
What is an information security management system?
An information security management system (ISMS) according to ISO/IEC 27001 defines guidelines, rules and methods to ensure the security of information worth protecting in an organization. It provides a model for introducing, implementing, monitoring and improving the level of protection - in accordance with the systematic procedure of the PDCA cycle (Plan-Do-Check-Act) familiar from ISO 9001.
The aim is to identify and analyze potential risks and make them controllable through appropriate measures.
Why is information security management important?
Successful organizations use the structure and transparency of modern management systems to detect threats and target the deployment of contemporary security systems. At the heart of an information security management system is the security of your own information assets, such as intellectual property, financial and personnel data, as well as information entrusted to you by customers or third parties.
"Information security always means protecting significant information or data of value."
The risks to which the data worth protecting is exposed are many. They can arise from material, human and technical security threats. But only a holistic, preventive management system approach of an ISMS can address the entire spectrum of threats and ensure a company's business continuity.
For which organizations is ISO 27001 useful?
The answer to that question is very simple: for all. ISO 27001 can basically be applied in all organizations, regardless of their type, size and industry. And: all organizations benefit from the advantages of a structured management system. The implementation of an ISMS is influenced by the following factors:
- The requirements and business objectives
- The security needs
- The business processes applied
- The size and structure of the organization
What are the benefits of an information security management system?
An important question. ISO 27001 formulates the requirements for the systematic design and implementation of a process-oriented management system for information security. Decisive advantages can be achieved through this holistic approach:
- The security of sensitive information becomes an integral part of the company's processes
- Preventive safeguarding of the protection goals confidentiality, availability and integrity of information
- Maintaining business continuity through continuous improvement of the security level
- Sensitization of employees and significantly increased security awareness at all levels of the company
- Establishing an effective risk management process
- Building trust with interested parties (e.g. in tenders) through demonstrably secure handling of sensitive information
- Adherence to relevant compliance requirements, more security of action and legal certainty
How can potential risks be managed?
Security risks can arise from material, human and technical threats. To achieve a traceable and appropriate level of security in the organization, a defined risk management process or method for risk assessment, risk treatment and risk monitoring is required. ISO/IEC 27005 provides good guidance on information security risk management.
What role do people play?
People are also a risk factor, because the handling of sensitive information affects all employees and partners of a company without exception. They pose an increased security risk, whether through ignorance or human error. But only very few organizations regulate who may gain access to which information, and how it is to be handled.
"The new source of power is no longer money in the hands of the few, but information in the hands of the many." John Naisbitt (born 1929), American futurologist
Binding regulations and a pronounced awareness of all information security concerns are therefore a basic prerequisite. The adaptation of corporate policy or the development of a suitable information security policy is considered essential here. The necessary sensitization of employees at all (management) levels is a matter for top management and can take place, for example, through training courses, workshops or personal discussions.
ISO 27001 - Implementation questions
The question as to whether a company must already have introduced a management system, for example in accordance with ISO 9001, can clearly be answered with "no". ISO 27001 is a generic standard and - like all management system standards - stands on its own. This means that an organization can set up and implement an information security management system at any time and independently of any existing structures.
Nevertheless, companies that have a quality management system in accordance with ISO 9001 have already created a good basis for the step-by-step introduction of comprehensive information security.
In its structure and approach, ISO 27001 is based on the mandatory basic structure for all process-oriented management system standards, the High Level Structure. Consequently, this offers you the possibility of easily integrating an information security management system into an already existing management system. Likewise, a joint certification according to ISO 27001 with ISO 20000-1 (IT Service Management) or ISO 22301 (Business Continuity Management) by DQS is possible.
Which documents can support the introduction?
The preferred basis for introducing a holistic management system for information security is the international ISO/IEC 2700x family of standards. It is intended to support organizations of all types and sizes in implementing and operating an ISMS. The degree of implementation within the organization can be checked by means of an internal audit.
Helpful components of the standard series are
- ISO/IEC 27000:2018: Information technology - Security techniques - Information security management systems - Overview and vocabulary
- ISO/IEC 27001:2013: Information technology - Security techniques - Information security management systems - Requirements
- ISO/IEC 27002:2013: Information technology - Security techniques - Code of Practice for information security controls
- ISO/IEC 27003:2017: Information technology - Security techniques - Information security management systems - Guidance
- ISO/IEC 27004:2016: Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation
- ISO/IEC 27005:2018: Information technology - Security techniques - Information security risk management
All regulations are available from the ISO website.
ISO 27001 - Questions about the IT security officer
Does ISO 27001 require an IT security officer? The answer is "yes".
One task within the information security management system is the appointment of an IT security officer by top management. The IT security officer is the contact person for all IT security issues. He or she should be integrated into all ISMS processes and closely interlinked with the IT managers - for example, when selecting new IT components and IT applications.
Why ISO 27001 certification?
Certification based on an accredited procedure is proof that a management system and measures have been implemented to systematically protect information assets. With the certificate you show "in black and white" that you have successfully established this system and are committed to its continuous improvement.
The DQS certificate, which is valued worldwide, is the visible expression of a neutral assessment and strengthens confidence in your company. This is a market advantage and provides a good prerequisite in tenders and in security-critical customer business, such as with financial service providers.
ISO 27001 - Questions about the certification process
All management systems that are assessed on the basis of international rules (ISO 17021) by an accredited certification body such as DQS are subject to the same certification process.
The initial certification consists of the system analysis (stage 1 audit) and the system audit (stage 2 audit), during which the auditors verify on site that the overall system is functioning properly and that all requirements have been implemented. The certificate is then valid for 3 years.
In order to be able to guarantee the validity during the entire period, the management system must be verified annually. In the first and second year after the certificate is issued, DQS auditors therefore conduct shortened ISMS audits (surveillance audits), in which they consider, for example, the effectiveness of key system components or of corrective and preventive measures. Recertification then takes place after three years.
Companies that already have an existing management system should combine their audit programs and seek joint certification of their integrated management system (IMS).
Is matrix certification possible?
Matrix certification is possible for companies with multiple sites. In principle, the same requirements apply to ISO 27001 as to other ISO standards such as ISO 9001 or ISO 14001. DQS can ensure the integration of ISO 27001 into existing matrix procedures, i.e. joint external auditing with the other standards.
What are the advantages of ISO 27001 over TISAX?
TISAX® (Trusted Information Security Assessment Exchange) was developed as an industry standard specifically for the automotive industry and tailored to the industry-specific needs. The basis for a TISAX® assessment is the VDA Information Security Assessment (VDA ISA) test catalog, which is based, among other things, on the requirements of ISO 27001 or ISO 27002 and extends these to include topics such as prototype protection or data protection.
The aim of TISAX® is to ensure comprehensive (information) security for all stages in the supply chain. In addition, registration in a database simplifies the mutual recognition procedure. However, TISAX® is only recognized in the automotive industry. Customers from other industries may only recognize ISO 27001 as proof of an ISMS.
DQS - What we can do for you
DQS is your specialist for audits and certifications - for management systems and processes. With more than 35 years of experience and the know-how of 2,500 auditors worldwide, we are your competent certification partner, providing answers to all ISO 27001 questions.
We audit according to around 200 recognized standards and regulations as well as company and association-specific standards. We were the first German certification body to receive accreditation for BS 7799-2, the predecessor of ISO/IEC 27001, in December 2000. This expertise is still an expression of our worldwide success story.