Tag Archive for: ISMS

Information Security Management Systems (ISMS) – myths, misunderstandings and misconceptions

There are several myths, misunderstandings and misconceptions surrounding Information Security Management Systems (ISMS) that can lead to incorrect assumptions or inadequate implementations.

In our latest blog article, we would like to briefly introduce some of them:


Myth #1: ISMS is only for large enterprises

It’s a common misconception that an ISMS is only for large enterprises. In fact, organizations of all sizes benefit from an ISMS: it helps them become aware of threats, mitigate risks and meet compliance requirements, and its scope can be tailored to the size of the organization. Regardless of that size, an effective ISMS addresses information security across all business operations, which ultimately strengthens the business and promotes trust.

Myth #2: ISMS is just a technical matter

There is often a misconception that an ISMS is all about technical measures. Its primary focus, however, is on information and the processes that handle it. From these, both technical measures and organizational measures such as policies, procedures, training and awareness programs are derived. In other words, an effective ISMS requires a holistic approach that involves people, processes and technology to ensure and continually improve the security of information in the organization.

Myth #3: An ISMS is a one-time task

An ISMS is not a one-time task. It is sometimes assumed that an ISMS can be implemented once and then run on the side; in reality it is a continuous process that requires ongoing monitoring, review and improvement to keep pace with changing threats and business needs. This process fosters an enduring culture of information security in the organization, one that is focused on proactive risk mitigation and constant adaptation to new security challenges.

Myth #4: Conformance guarantees security

Conformance to standards such as ISO 27001 does not automatically mean that an organization is fully protected. A certificate attests that the management system met the standard’s requirements at the time of the audit; it does not attest that every control is effective against current threats. An ISMS should therefore be viewed as a continuous improvement process that goes beyond mere compliance. It’s about creating awareness of information security throughout the organization, improving the ability to respond to changing threats, and ultimately establishing a sustainable security culture.

Myth #5: ISMS is for marketing purposes only

While sales and marketing departments will certainly not object, an effective ISMS primarily helps organizations mitigate risk, meet compliance requirements, and build trust with customers and partners. Overall, such a system promotes a security-conscious culture and improves business practices.

Would you have known?

By clearing up these myths, misunderstandings and misconceptions, organizations can gain a better understanding of how to effectively implement and use an ISMS to protect their information and drive business success.

We at SRC Security Research & Consulting GmbH can actively support you throughout the process, from consulting to certification. Feel free to contact us.

Contact us:
Christoph Sesterhenn

The new ISO27001:2022 — what now?

The new version of ISO27001 was published in October 2022. According to the specifications of the International Accreditation Forum (IAF), initial and re-certification audits may only be carried out in accordance with ISO27001:2022 from 30 April 2024 onwards.

Transition period and conversion to ISO27001:2022

The transition period for converting already certified information security management systems (ISMS) to the new standard ends on 31 October 2025; certificates issued against the previous version expire or are withdrawn by that date at the latest. It can be assumed that from summer 2023 onwards, accredited certification bodies will have expanded their programmes to such an extent that audits according to the new ISO27001:2022 will be possible from autumn 2023 at the latest.

Changes and adaptations to the ISMS and its documentation

As is not uncommon with new versions, the changes are associated with adjustments to the ISMS and its documentation. This applies in particular to the completely revised and restructured Annex A, which follows the new ISO27002:2022: the controls are regrouped into four themes (organisational, people, physical and technological), their number drops from 114 to 93, and eleven controls are new, so the Statement of Applicability and the risk treatment plan have to be re-mapped. There are also additions and adaptations in clauses 4 to 10 to be considered.

Consultancy and support in adapting the ISMS

We are happy to advise you on adapting your existing ISMS. In addition to identifying the tasks resulting from the changes, we will, if required, actively help you with the implementation so that conformity with the standard is maintained.

ISO27001 certification: advice and support on the way to compliance with the standard

If you are considering ISO27001 certification, we would be happy to offer advice and, if required, active support on the way to a standard-compliant ISMS. This can include knowledge transfer in workshops, conducting an internal audit, and support in creating documents and introducing processes.

Further information can be found here.

IT compliance through the introduction of an ISMS

Increasing compliance requirements

“The dependency of core and value-added processes on the IT infrastructure and the IT systems operated there is constantly increasing at credit institutions. This means that the associated compliance requirements are also increasing almost to the same extent.” In an article just published on the specialist platform “Security Insider”, SRC expert Dagmar Schoppe explains the various regulatory and legal requirements that determine the day-to-day business of credit institutions and how IT compliance is improved by introducing an ISMS.

Value creation processes are threatened

Protecting these value-added processes by complying with regulatory and legal requirements, e.g. from BAIT (BaFin’s Supervisory Requirements for IT in Financial Institutions), MaRisk or the IT Security Act, is a very topical issue. After all, hacker attacks are a real and current threat. This is one of the reasons why IT security is one of BaFin’s central audit focuses. The TIBER-EU programme, which is intended to strengthen the resilience of the financial sector against cyber attacks, points in the same direction.

Holistic information security management system creates security

A holistic approach to protecting corporate assets requires combining the various organisational and technical aspects into one overall concept. This leads to the introduction of an information security management system, e.g. based on ISO 27001.

The experts of the SRC division Banking Compliance will gladly advise you on regulatory and legal requirements and their implementation, e.g. by introducing an information security management system (ISMS) or by carrying out TIBER tests. SRC is a member of the Cyber-Alliance.
