Information. Security. Management.
Information increasingly determines our everyday life. It is increasingly valuable, especially for the business operations of an organisation. The term “information” covers an almost unlimited field. Whether it is asset control information, contract data, personal information, payment data or even cryptocurrencies, all of these are subject to a growing number of threats and thus also to an increasing need for protection. This need for protection extends not only to the information itself but also to the components that transmit, store or process it.
This threat situation gives rise to an increased need and desire to ensure the security of information. Given the scope of the assets to be protected and the components associated with them, the use of a management system is advisable for controlling and monitoring information security.
Such a management system for compliance and assurance of information security should help to find solutions to the most important core issues.
Which data is subject to which protection requirements? Must the Data Protection Regulation be complied with for personal information? Is confidentiality at stake, as for example with contractual or patient data? Must integrity also be ensured under certain circumstances, as is the case with contract or payment transaction data? And what about the desired or guaranteed availability? Do other security requirements such as non-repudiation or even authenticity have to be taken into account?
Where is this information located? Which system components, or even people, are involved? Who is responsible for the information and its protection? Are increasing or new threats identified and adequately addressed by adapting protective measures?
In addition, the growing number of external requirements placed on organisations increasingly includes proof of an appropriate information security management system (ISMS).
One possibility for this is offered by the ISO/IEC 27000 series of standards – essentially the process-oriented ISO/IEC 27001 standard, which defines the requirements for an ISMS and is supplemented in particular by:
- ISO/IEC 27000: Fundamentals and overview
- ISO/IEC 27002: Guidance for the ISMS
- ISO/IEC 27003: Implementation recommendations
- ISO/IEC 27004: Measurements
- ISO/IEC 27005: Risk management
The ISMS according to ISO/IEC 27001 focuses on the information assets to be protected and on identifying the associated security requirements and risks. As a basis for the protection of these assets and the fulfilment of the security requirements, a set of rules consisting of policies, processes and procedures must be established. However, the measures defined in this way can only have their (protective) effect if their application is also controlled and enforced. An important component of implementing and controlling the management processes is the allocation of responsibilities, e.g. the appointment of the management team, by defining roles and assigning them to people. The process is rounded off by the definition and implementation of appropriate measures to achieve the goals set.
In order to drive continual improvement of the ISMS, the standard subjects it to an ongoing review and adjustment process, which is often presented as the so-called Plan-Do-Check-Act cycle.