Information increasingly determines our everyday life and represents a growing value, especially for the business operations of an organisation. The term "information" covers an almost unlimited area: whether it is information for managing assets, contract data, personal information, payment transaction data or even cryptocurrencies, all of it is exposed to a growing number of threats and is therefore subject to an increasing need for protection. This need for protection extends not only to the information itself but also to the components that transmit, store or process it.
This threat situation gives rise to an increased need and desire to ensure the security of information. Given the scope of the assets to be protected and the components associated with them, a management system is advisable for controlling and monitoring information security.
Such an information security compliance and assurance management system should help to answer the most important core questions.
Which data is subject to which protection requirements? Must data protection regulations be complied with for personal information? Is confidentiality at stake, for example with contract or patient data? Does integrity also have to be ensured under certain circumstances, as with contract or payment transaction data? And what about the desired or guaranteed availability? Do other security requirements such as non-repudiation or authenticity have to be taken into account?
Where is this information actually located? Which system components or people are involved? Who is responsible for the information and its protection? Are increasing or new threats identified and adequately countered by adapting security measures?
In addition, the growing number of external requirements placed on organisations increasingly includes proof of an appropriate information security management system (ISMS).
One way of providing such proof is the ISO/IEC 27000 series of standards: essentially the process-oriented ISO/IEC 27001 standard, which defines the requirements for an ISMS and is supplemented in particular by: