Information Security Management According to ISO/IEC 27001
Both well-founded risk minimization strategies and legal requirements make it essential for companies to establish IT security management. Looking at the standard theoretical concepts, however, raises the question of what a continuous, real-world solution may look like. Based on solid, long-term practical experience, SCHUTZWERK can support you in realizing an information security management system adjusted to your specific requirements.
Maintaining an adequate level of security is a constant struggle in complex IT environments. Technical vulnerabilities in systems or applications should, however, be regarded only as symptoms - the root cause is poor information security management.
Sustainable information security management requires a fundamental process, which the ISO/IEC 27001 standard refers to as an Information Security Management System (ISMS). The Bundesamt für Sicherheit in der Informationstechnik (BSI - German Federal Office for Information Security) also references this standard in its "IT-Grundschutz" (IT Baseline Protection) standards. The extensive requirements of the above-mentioned standards can be condensed into five basic phases, which form the basis of information security management (see process graphic).
IT-Security Management in Practice
Phase 1 - Security Organization
- Formulation of an IT security concept to describe the importance of IT and IT security in the company
- Binding definition of responsibilities within the IT security management process
Phase 2 - Structural Analysis
- Central documentation of all IT systems, applications and the categories of data they process
Phase 3 - Determining Security Requirements
- Determining the security requirements for IT systems, applications and data protection on the basis of the security requirements of the corresponding business processes; this defines the target condition in terms of confidentiality, integrity and availability
Phase 4 - Target/Actual Comparison
- Examination of the level of security actually achieved, including all technical, organizational and human aspects; this defines the current condition, which is compared against the target condition in order to derive the necessary measures
Phase 5 - Implementing Measures
- Detailed planning (roadmap) and implementation of the measures defined in Phase 4