Design & implementation of ISMS

March 27, 2024

Key figures

Customer: Provider of IT consulting and software development

Project volume: 60,000 EUR, 12 months

Challenges

Information security is not just a question of secure devices or infrastructures. The majority of incidents occur due to a lack of understanding or awareness of basic information protection behaviours within an organisation. Organisational measures and suitable processes are essential for the successful management of information security.

Standards such as ISO 27001 or TISAX provide a framework for a structured and sustainable management system for information security (ISMS), but present small and medium-sized companies in particular with challenges that should not be underestimated. The extensive body of policies and recommendations of an ISMS in accordance with ISO 27001 is not easy to understand and even more difficult to implement in the organisation.

The first important step is therefore to adapt the framework to the organisation's own requirements and needs without compromising the effectiveness of the ISMS or losing compliance with the ISO standard.

It is then necessary to design the guidelines in such a way that they take into account the specifics of the organisation and, above all, can be implemented efficiently.

Our solution

The comprehensive standard described in ISO 27001 is an excellent basis for establishing an effective ISMS. In discussions with top management, we defined the exact scope of the planned ISMS. This produced the company's overarching information security objectives as well as the responsibilities of management.

The second step involved analysing the business processes on which the adaptation of the ISMS standard to the specifics of the company is based. Reducing the ISO 27001 policies to the specific requirements of the company not only reduced the time and effort required to detail them, but also allowed the necessary resources to be used efficiently. This made it possible to save considerable costs in the implementation of the ISMS.

A certified tool was used for the structured development of the content of the ISMS guidelines, which also provides an approval and review workflow in addition to task management. By utilising an extensive set of templates for different types of companies, the ISMS documentation was completed in a comparatively short time. The complete digital documentation of the ISMS was made available to the entire staff via the intranet and also served as an essential basis for the certification audit.

In order to communicate the content of the ISMS to staff and create a long-term awareness of information security, target group-specific training was implemented in an online training tool.

Benefits

Our pragmatic and company-specific approach made it possible to implement an efficient ISMS in a relatively short time and at a reasonable cost. This made it possible to create an important organisational framework in addition to technological measures for IT security.

The usual overhead involved in implementing an ISMS in accordance with ISO 27001 was avoided, and a sustainable and efficient management system for information security measures was nevertheless introduced.