Design & Implementation of ISMS
Synopsis
A 12-month project for an IT consulting and software development provider set out to improve information security by applying ISO 27001 and TISAX to build an effective information security management system (ISMS). The standards were tailored to the company's specific needs and processes, and a certified tool was used for the structured development of the policy documentation, which allowed a robust ISMS to be set up within the project. This approach kept implementation cost and overhead low and made mature information security practices accessible and manageable for a mid-sized company. Digital documentation and targeted online training produced company-wide understanding and commitment, leading to a sustainable, cost-effective ISMS that supports both organizational and technical IT security measures.
Key figures
Customer: Provider of IT consulting and software development
Project volume: 60,000 EUR, 12 months
Challenges
Information security is not only a question of secure devices or infrastructure. A large share of incidents can be traced to a lack of understanding or awareness of the basic behaviors needed to protect information within an organization. Organizational measures and suitable processes are therefore essential to managing information security successfully.
Standards such as ISO 27001 or TISAX provide the framework for a structured and sustainable information security management system (ISMS), but they confront small and medium-sized companies in particular with challenges that should not be underestimated. The full set of requirements and controls of an ISMS in accordance with ISO 27001 is not easy to understand and is even harder to put into practice in the organization.
The first important step is therefore to tailor the framework to the company's own requirements and needs without weakening the effectiveness of the ISMS or losing conformity with the ISO standard.
The policy set must then be designed so that it takes the organization's particular characteristics into account and, above all, can be implemented efficiently.
Our solution
The comprehensive requirements set out in ISO 27001 are an excellent basis for establishing an effective ISMS. In discussions with management, we defined the exact scope of the planned ISMS. From this we derived the company's overall information security objectives and the responsibilities of management.
In a second step, the business processes were analyzed; this analysis is the basis for adapting the ISMS to the specific characteristics of the company. Narrowing the ISO 27001 requirements and controls to those relevant to the company not only reduced the effort needed to detail them but also allowed the available resources to be used efficiently. Any Annex A control that is treated as not applicable must still be justified in the Statement of Applicability, since ISO 27001 requires this for certification. As a result, significant costs for implementing the ISMS could be saved.
For the structured development of the ISMS policy content, a certified tool was used which, in addition to task management, provides an approval and review workflow. Using its extensive set of templates for different types of companies, the ISMS documentation was completed in a comparatively short time. The complete digital documentation of the ISMS was made available to all employees via the intranet and also served as the essential evidence base for the certification audit.
To convey the content of the ISMS to employees and create lasting awareness of information security, target-group-specific training was delivered through an online training tool.
Benefits
Our pragmatic, company-specific approach made it possible to implement an efficient ISMS in a relatively short time and at reasonable cost. Alongside the technical IT security measures, it created the organizational framework those measures depend on.
The effort usually associated with implementing an ISMS in accordance with ISO 27001 was kept low, and yet a sustainable and efficient management system for information security was introduced.