You should take initial steps long before technical security checks such as vulnerability scans or penetration tests of IT systems are carried out. These serve to obtain a holistic picture of the current security of your IT systems, but also of the critical business processes. Orientation aids for relevant test criteria are provided by the hazard catalog of the Federal Office for Information Security. Please note, however, that a comprehensive view of the entire company and its areas is required when taking stock. Organizational aspects play just as important a role in information security as checking technical systems.
In-depth IT expertise is a prerequisite for taking stock of current information and IT security. IT administrators have this expertise, but inventories and GAP analyzes should ideally be carried out by neutral parties. This increases the chance of identifying organizational weaknesses that your own employees may not recognize. The company is viewed from the outside. A criminal attacker would also take this point of view.
If deficits were found in an initial GAP analysis, these must be assessed. How critical are individual weak points for your company? Discuss these and other questions about the assessment with your information security officer, who must have sufficient technical and organizational knowledge of IT and information security.
Even if an ISB is not yet legally required for every company, it is advisable to assign this position explicitly. In-house employees from the IT department or even the IT manager generally do not have the time resources, and this dual role often leads to conflicts of interest.
After evaluating the deficits and assessing their risks, the necessary measures must be derived. These measures range from employee training to technical security reviews such as penetration tests for critical IT systems.
Only after taking all the necessary measures to improve your information and IT security is it about implementation and, above all, about regular reviews and improvements. IT security must not be viewed as a project, but rather as a process that can be continuously improved. Plan – Do – Check – Act are the essential process steps that must be observed urgently.
A continuous process that can always be improved and also measured can only arise if you implement the topic of information and IT security continuously and with the necessary time and technical resources.
If this task is taken seriously, a certifiable information security management system is created in the end. This not only provides companies with ongoing protection of technical systems, but also structured processes and the fulfillment of relevant compliance requirements.
If you need support with GAP analyzes, setting up an ISMS, or support from an external ISB, please contact us.
Unser Team – Ihr Vorteil | Hier stellen wir uns vor.
Unser Team besteht aus erfahrenen Juristen, Webspezialisten, IT-Experten, zertifizierten Datenschutz- und Informationssicherheitsbeauftragten. Mit unserer Erfahrung, Expertise und erprobten Verfahren, helfen wir Unternehmen, praxisnahe Lösungen im Bereich Datenschutz und Informationssicherheit zu finden. So helfen wir beispielsweise bei der Umsetzung der DSGVO oder der Einführung von Informationssicherheitsmanagementsystemen (ISMS).