Information Security Management according to ISO/IEC 27001

Sound risk minimization and legal requirements make it essential for companies to establish information security management. Textbook concepts, however, leave open what a continuous, real-world implementation actually looks like. Drawing on solid, long-term practical experience, SCHUTZWERK can support you in building an information security management system tailored to your specific requirements.

Maintaining an adequate level of security in complex IT environments is a constant struggle. Technical vulnerabilities in systems or applications should, however, be regarded only as symptoms; their root cause is poor information security management.

Sustainable information security management requires an underlying process, which the international standard ISO/IEC 27001 calls an Information Security Management System (ISMS). The Bundesamt für Sicherheit in der Informationstechnik (BSI, the German Federal Office for Information Security) also references this standard in its IT-Grundschutz (IT Baseline Protection) standards. The extensive requirements of these standards can be condensed into five basic phases that form the basis of information security management (see the process graphic below). Because ISO/IEC 27001 requires continual improvement, the phases are not a one-off project but are run through repeatedly as a cycle.

IT Security Management in Practice

Phase 1 - Security Organization

    • Formulation of an IT security policy (security concept) that states the importance of IT and IT security for the company
    • Binding definition of roles and responsibilities within the IT security management process

Phase 2 - Structural Analysis

    • Central inventory of all IT systems, applications and the categories of data they process

Phase 3 - Determining Security Requirements

    • Derivation of the security requirements of IT systems, applications and data (confidentiality, integrity, availability) from the requirements of the business processes they support; this defines the target state

Phase 4 - Target/Actual Comparison

    • Assessment of the security level actually achieved, covering technical, organizational and human factors; this defines the current state
    • Comparison of target and current state and derivation of the measures needed to close the gaps

Phase 5 - Implementing Measures

    • Detailed planning (roadmap) and implementation of the measures derived in Phase 4

Based on a structured and proven procedure model, SCHUTZWERK can support you in establishing all required components, processes and documentation of an information security management system. Depending on your objectives, the scope ranges from a purely solution-oriented approach to full preparation for ISO/IEC 27001 certification. The tasks described above can be carried out as a coaching engagement or as a joint project.