Information security in the financial industry: Cloud service providers with ISO/IEC 27001 certification are the safe choice, Part 2

Selecting a cloud service provider: ISO 27001 certificate as a central criterion

Certification in accordance with the ISO/IEC 27001 standard forms a central criterion for the selection of a cloud service provider. Companies from the financial sector that transfer their data externally must trust their cloud provider and rely on the provider’s compliance with all technical, legal and contractual requirements. Certification by an external body proves that IT security and information security are practiced in a company and that this is verified by annual re-audits by external auditors.

An ISO/IEC 27001 certificate guarantees security, as it covers points such as well thought-out security concepts, consistent end-to-end encryption, and hosting of the data in Germany on secure and redundantly mirrored servers. Storage in Germany is particularly important in view of the DSGVO (GDPR). Companies from the financial sector should therefore specify in their SLAs that the data will not leave Germany or the EU and will not be moved to another region with less stringent data protection requirements. In this way, they also meet the stricter requirements of BaFin.

ISO/IEC 27001 as a basis

ISO/IEC 27001 describes the processes and measures that companies can use to achieve greater information security. It formulates principles for the implementation, operation, monitoring and improvement of an information security management system (ISMS). An ISMS creates the framework for greater information security with documented guidelines, processes and measures. Information security comprises three essential protection goals:

  • Availability: All of the company’s assets are available within an agreed time frame.
  • Confidentiality: Protection of information from unauthorized access.
  • Integrity: Protection of information from unauthorized modification (including creation and deletion). Detection of modifications.

An ISMS provides guidelines, regulates responsibilities (distribution of duties and tasks) and the handling of risks. In the normative Annex A, ISO/IEC 27001 describes control objectives and concrete controls with which companies can improve information security. There are a total of 114 measures in 14 areas such as cryptography, incident management, personnel security (including security awareness training) and access control (e.g. restricting access rights). The standard also requires that companies continuously improve the quality of the ISMS and verify it through regular internal and external audits. The latter form the basis for certification of the ISMS.

ISMS increases information security

In principle, an ISMS makes sense for every company that processes sensitive data worthy of protection, the loss of which would result in high damage, regardless of legal and customer requirements. Beyond that, operators of critical infrastructures (CRITIS), for example in energy supply or telecommunications, are required by the IT Security Act to establish an ISMS. Another important driver is the requirements of companies that link the awarding of contracts to ISO 27001 certification.

The goal of the ISMS is to bring all processes to as uniform a level as possible and to anchor a security culture in the company. The higher the maturity level of IT and information security, the lower the risk of being successfully attacked.

An ISMS basically delivers great added value by optimizing security-related processes. It reduces risks and provides the framework for higher information security with guidelines, processes and measures. Here are the key benefits of an ISMS at a glance:

  • Fulfillment of obligations to provide proof of information security to customers
  • Safeguarding business relationships through audited security
  • Minimizing the risk of economic damage
  • More protection against cyber attacks
  • Structured IT processes within the company
  • Information security as a strategic goal of the company
  • Clear responsibility for information security through the appointment of an information security officer
  • Business continuity management secures a company’s time-critical business processes in order to minimize the consequences of damage in the event of an emergency by means of defined emergency plans and their measures

Click here for the first part of the blog article series.

If you have any questions about information security or data protection, please feel free to contact your team at aigner business solutions GmbH. Simply use our contact form. You can also reach us by phone at our headquarters in Hutthurm on +49 (0) 8505 91927 – 0 or at our branch office in Munich on +49 (0) 89 413 2943 – 0.