An ISMS (Information Security Management System) is a systematic approach to protecting sensitive company information. Information assets in companies and organisations are protected in an appropriate and structured manner based on a risk assessment.
An implemented ISMS brings together an organisation's knowledge of how to secure its information assets against compromise in terms of the protection goals of confidentiality, availability and integrity, and thus averts consequences such as economic damage or loss of reputation.

Getting started with the information security management system
GAP analysis as an introduction
A GAP analysis is the first step towards the maturity level of your information security management system. The GAP analysis helps to identify gaps between the existing security measures and the requirements of recognised standards, such as ISO 27001.

Protect, optimise, certify
ISMS certification
The certification of an ISMS is mandatory for operators of critical infrastructures (KRITIS) and strengthens an organisation's resilience to business interruptions.
A well-maintained ISMS, which is audited annually, is the stable basis for optimising information security and IT security in a structured manner and integrating changing requirements.
Companies and organisations can have this structured approach to handling information assets certified by an external body.
Suitable standards are ISO/IEC 27001, BSI IT-Grundschutz and VdS 10000.
External information security officer
Minimise risks with an external information security officer
Good external consultants have the ability to distinguish between the essential and the less important. With this characteristic, they can moderate and organise the entire process (establishment and operation of an ISMS) in a targeted manner.
What are information values?
Companies and organisations have assets (values) that can take tangible or intangible form. These information assets can be, for example, patents, the company building, hardware and software, employee master data or access data to accounts.
An ISMS contains rules for identifying risks to information assets within a scope and protecting them appropriately against threats such as cyber attacks, theft, natural hazards or sabotage.
Information assets differ in terms of their importance for the company to carry out its business activities. If the loss of an information asset represents a high risk for the company, the need for protection of this information asset is categorised as "high" in terms of availability (primary asset). A company's patents are an example of another primary asset that requires special protection in terms of confidentiality.
The rules of an ISMS also allow protection requirements to be inherited: where one information asset depends on another, the supporting asset takes over the protection requirements of the asset that relies on it.
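As an added illustration of the inheritance rule described above (example code written for this page, not a tool from the consultancy or from any of the standards named here): the small asset model below assumes the "maximum principle" used in BSI IT-Grundschutz, i.e. a supporting asset inherits, per protection goal, the highest protection need of every asset that depends on it. The asset names, dependencies and protection needs are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Ordered protection-need levels (assumed three-step scale, as in IT-Grundschutz).
LEVELS = {"normal": 1, "high": 2, "very_high": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}
GOALS = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    # Protection need assessed directly for this asset; unset goals count as "normal".
    need: dict[str, str] = field(default_factory=dict)
    # Names of assets this asset relies on (e.g. an application on its server).
    depends_on: list[str] = field(default_factory=list)


def effective_need(assets: dict[str, Asset], name: str, goal: str,
                   _visiting: frozenset[str] = frozenset()) -> str:
    """Protection need of `name` for `goal` after inheritance.

    Maximum principle (assumption): own need, raised to the highest effective
    need of any asset that depends on this one. `_visiting` guards against
    dependency cycles so a mis-modelled graph cannot recurse forever.
    """
    asset = assets[name]
    best = LEVELS[asset.need.get(goal, "normal")]
    for other in assets.values():
        if name in other.depends_on and other.name not in _visiting:
            inherited = effective_need(assets, other.name, goal, _visiting | {name})
            best = max(best, LEVELS[inherited])
    return LEVEL_NAMES[best]


def protection_report(assets: dict[str, Asset]) -> dict[str, dict[str, str]]:
    """Effective need for every asset and goal: {asset: {goal: level}}."""
    return {n: {g: effective_need(assets, n, g) for g in GOALS} for n in assets}


# Constructed sample scope: primary assets (business information) at the top,
# supporting assets (applications, hosts, building) below them.
ASSETS = {a.name: a for a in [
    Asset("patents", need={"confidentiality": "very_high"},
          depends_on=["document_server"]),
    Asset("hr_master_data", need={"confidentiality": "high", "integrity": "high"},
          depends_on=["hr_application"]),
    Asset("order_processing", need={"availability": "high"},
          depends_on=["erp_system"]),
    Asset("document_server", depends_on=["virtualisation_host"]),
    Asset("hr_application", depends_on=["virtualisation_host"]),
    Asset("erp_system", depends_on=["virtualisation_host"]),
    Asset("virtualisation_host", depends_on=["server_room"]),
    Asset("server_room"),
]}

if __name__ == "__main__":
    for asset, needs in protection_report(ASSETS).items():
        print(f"{asset:20s} " + "  ".join(f"{g[0].upper()}={lvl}" for g, lvl in needs.items()))
```

Running the block shows why the server room ends up with "very high" confidentiality and "high" integrity and availability although nobody assessed the room itself: it inherits from everything hosted on it. IT-Grundschutz allows documented deviations from this pure maximum (a cumulation effect can raise the need of an asset hosting many "normal" assets, a distribution effect can lower it when an asset only handles fragments of the data); those adjustments are deliberately left out of the example.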
What is information security?
The term information security covers the various technical and non-technical measures that companies and organisations use to protect their information assets.
Information security measures serve to achieve the three protection goals of confidentiality, integrity and availability of information. Examples of information security measures are precautions to prevent unauthorised persons from entering the company building or to make the company network accessible only to authorised persons.
What are the protection goals of information security?
Confidentiality means that only authorised persons may view, process and manage data (information).
Integrity means that data (information) remains correct and cannot be changed without the change being detected.
Availability means that data (information) is accessible to authorised persons and must not be lost.
Do I need an external consultant to implement an ISMS?
In principle, the standards presented offer the possibility of implementing an ISMS on your own - possibly with the support of specialised literature. An external consultant is certainly a good choice if companies and organisations are aiming for certification.
Good external consultants have the ability to distinguish the essential from the less important. With this characteristic, they can moderate and organise the entire process (establishment and operation of an ISMS) in a target-oriented manner.