There is a mandatory requirement for all operators of critical infrastructure (CRITIS operators) to set up an IT Security Management System (ISMS) in their company and to maintain it in compliance with the relevant standard. Relevant rules and regulations can be found in the IT Security Act 2.0. Even companies that are not CRITIS operators are required to provide documentation to their customers showing hard-and-fast evidence of the safeguarding of their telecommunications and IT resources through the relevant certifications in Quality Management (ISO 9001) and IT security (ISO 27001, Grundschutz of the German Federal Office for IT Security, VdS10000). Providers of IT services (e.g. computer centre operators, providers of cloud services, etc.) are increasingly being audited by their customers or being asked to produce up-to-date certifications from a reputable certification body for the IT resources of the IT service provider that are used by the customer.
IT Security Officer
The appointment of an IT Security Officer is an important prerequisite for setting up and maintaining an ISMS, as these tasks have to be performed by the IT Security Officer. The primary role of the IT Security Officer is to provide advice to the company management on carrying out their IT security tasks, to offer support with the introduction and implementation of new security processes, and to raise awareness of IT security among employees.
IT Security Management System (ISMS)
A software-based IT Security Management System (ISMS) needs to be set up. There are various software products on the market, which facilitate the setting up of an ISMS, e.g. verinice, fuentis, etc. The first step involves recording all the company’s assets in an inventory. A company’s assets may be very diverse, e.g. not just assets from the inventory but also other company assets, such as the company’s reputation, business processes, a particular customer relationship, a type of technology, expertise, the experience of the employees, the results of research, etc.
Once the critical and non-critical IT systems and IT resources have been recorded in a software-supported ISMS, the various individual measures required for the relevant standard need to be imported into the chosen ISMS software. The measures from the individual steps required for the standard, so-called CONTROLS, as well as the risks, are then linked up with the recorded IT systems and IT resources. In addition to this, the ISMS also allows a picture to be formed of the company’s risk management process.
Risk management is an overarching and important process in the ISMS. Risk management requires key risks to be systematically recorded, assessed, and then presented in a transparent manner. The goals of risk management are the early detection and elimination of information security risks, the creation of a standardised method of risk assessment for the identified risks, the clear assignment of responsibility with regard to dealing with risks, and the standardised and clear documentation of risks, including the assessment of risks and an effective approach to dealing with them. In order to implement efficient risk management, a company needs to assess the areas of risk that are of relevance to the company. This can be done by drawing up a process map, for example. The risks that have been identified also need to be subjected to a risk assessment process. ISO 27005 may provide help in this regard. As well as the main part of the document, the annexes also contain some good tips on implementation. The risk assessment process comprises the methods for the identification of risks, the criteria for the assessment of risks and risk acceptance criteria. Various tools and techniques can be used to identify risks, e.g. interviews, analyses of scenarios, brainstorming, business impact analyses, checklists, etc. When defining the criteria for the assessment of IT security risks, it should be ensured that these written criteria can be used for the largest possible variety of risk types/risk categories. The violation of goals aimed at protecting confidentiality, integrity and availability can also be included here.
Key Performance Indicators
Key performance indicators are used to continuously monitor the effectiveness and efficiency of the ISMS as well as the measures undertaken (controls). The specifications of the ISMS are used to compare the current and the target situation of the ISMS. The performance indicators to be defined are summarised in relation to the corporate goals, the statutory requirements and the requirements for protection. The aggregated performance indicators are known as key performance indicators (KPIs). The benefit of these KPIs is that they allow fundamental conclusions to be drawn about the protection system. For management, the KPIs provide a comprehensible basis that allows decisions to be made on the management and control of information security. KPIs can be used to reveal indications for new risks, changes within the risk landscape and non-conformities in relation to the implementation of security regulations and guidelines.
A central requirement for documentation within an ISMS is the workflow of documents. This means that the preparation, updating, approval and publication of documents must follow a defined procedure. All documents must have a unique identifier to facilitate the management of documents within a document workflow. The identification must include title, date, author, version, storage location, appropriate document suitability and fitness for purpose testing (Quality Assurance) and release. Furthermore, all documents required by the standard or their contents must be classified with regard to confidentiality. Additional documents with sufficient and relevant records of the operational activities must also be prepared. The documentation within the ISMS must be constantly updated and checked to ensure that it is up to date. The management of ISMS documents can be supported by a documentation guideline. The ISMS documents must also be reviewed and updated on a regular basis. The management of documents with regard to document owners, release of documents and their storage locations must be clearly defined and the guidelines for document management must be implemented and adhered to within the company.
The ISO 27001 standard requires the following documents to be prepared for the establishment of a reliable ISMS:
We can provide you with support by taking on the role of an External IT Security Officer/IT Security Consultant and by helping you to set up and maintain an IT Security Management System (ISMS). Mr Costard is a qualified lawyer and is a TÜV-certified IT Security Officer, IT Security Manager, IT Security Auditor and an expert in the Grundschutz of the German Federal Office for IT Security/ISO 27001.
Services Offered by the Firm
The services offered by the firm include in particular: