More and more companies are working to improve their information security. To meet this challenge, organizations rely on establishing an information security management system, or ISMS for short. For such a project to succeed, several aspects must be considered before the introduction, and the people responsible need to be aware of them. Find out more about what an ISMS means for your company in this blog article and our YouTube video.
ISMS is not a software product
An information security management system contains the word “system”, but it should not be equated with an information system such as a piece of software or a tool. Of course, there are helpful tools to support you in setting up an ISMS, for example tools for the software-supported implementation of risk management processes or for administering internal company security policies. Nevertheless, an ISMS involves many other factors that you have to consider when introducing it in your own company.
The difference between information and IT security
The two terms information security and IT security are often used interchangeably in practice. Strictly speaking, however, the two subject areas have to be looked at separately. IT security comprises activities that are primarily implemented operationally by the IT department: implementing encryption procedures, implementing technical measures to protect against malware, or carrying out penetration tests to uncover weak points in your own IT infrastructure. These are examples of activities that raise IT security in your company to an appropriate level, and they are also part of building an ISMS.
Information security, on the other hand, affects not only the IT department but must first be implemented by company management and all other areas of the company. Only if management is behind the project can an ISMS be implemented successfully with the necessary time, financial and, above all, human resources. In companies, it is not only IT systems that require special protection against attacks, but all other information assets as well. Protecting paper-based documents and processes, or holding regular employee training, are just some examples of the activities that need to be implemented.
Different approaches to building an ISMS
Which work packages and steps are needed in detail to build a complete ISMS follows from the various standards and guidance documents that already exist. Regardless of the ISMS approach chosen, technical, organizational and personnel security measures must always be implemented. However, the four well-known standards differ in how they are implemented.
The best-known standard that defines the requirements for an ISMS is probably the international standard ISO 27001. Because of its generic approach, it is suitable for every corporate sector and aims at international recognition of the information security in your company.
In its German standard 200-1, the Federal Office for Information Security (BSI) also describes the measures necessary to implement an ISMS. This standard does not mainly follow the generic, management-oriented approach, but instead provides more detailed procedures for minimizing IT risks. In certain areas it also makes sense to use both sources, ISO and BSI, in parallel when setting up an ISMS.
ISIS12, on the other hand, is an ISMS approach that, thanks to its concrete 12-step plan, is particularly suitable for small and medium-sized companies and municipalities and provides clear instructions for implementation.
TISAX® is another model for introducing an ISMS. It is aimed in particular at suppliers of the German Association of the Automotive Industry (VDA). In contrast to the other standards, it pays greater attention to protecting prototype vehicles and parts. You can find out more about TISAX® in our videos and blog articles.
In summary, building an ISMS is a complex topic. The best approach to setting up an ISMS depends not least on the desired level of security and the company’s risk appetite, and must therefore be determined individually for each company.
We are happy to support and advise you personally in the selection and implementation. Our certified IT specialists are happy to be there for you. Simply fill out our contact form or write an email to firstname.lastname@example.org. We can also be reached by phone at 08505 – 91927-0.
TISAX is a registered trademark of the ENX Association.
Our team – your advantage | Here we introduce ourselves.
Our team consists of experienced lawyers, web specialists, IT experts, and certified data protection and information security officers. With our experience, expertise and proven procedures, we help companies find practical solutions in the areas of data protection and IT security. For example, we help with implementing the GDPR (DSGVO) or introducing information security management systems (ISMS).