ISMS (Information Security Management System) – set up and implementation in a company

ISMS – currently on the agenda of many companies
What exactly is an ISMS (Information Security Management System) and why is it so essential to set it up and introduce it in a company?
 
An ISMS is a company procedure for the protection of information (especially personal data). This procedure contains the necessary guidelines and establishes the processes required for this purpose, which regulate information security in the company and enable ongoing control and improvement. Risks are thus detected and controlled by means of appropriate technical and organizational measures.
 
Information security: the “big picture”?
How is information security to be classified in the overall context of data protection, data security and IT security? Roughly, data protection protects the privacy of individuals, whereas data security is concerned with the protection of data, regardless of whether it has a personal reference. Finally, information security encompasses the security of digital and analog information with and without personal reference and is thus the most comprehensive term in this context. IT security, in turn, can be considered part of information security, as it deals specifically with the security of electronically stored information and systems.

Art. 32 GDPR
Art. 32 GDPR requires that a level of protection appropriate to the risk be ensured for personal data. Factors to be taken into account include the type, scope and purpose of the processing of data in the company, the state of the art, the costs of implementation and the probability of occurrence as well as the risks for the data subjects.
Organizational and technical measures are required that not only ensure the confidentiality and security of the data, but are also regularly tested, evaluated and, where necessary, adjusted. Art. 32 GDPR therefore requires the establishment of a system for the security of information and data, i.e. the introduction of an Information Security Management System (ISMS).
 
Who is responsible for information security in the company?
The development and implementation of the Information Security Management System is the responsibility of top management. That is where the strategic responsibility for risk decisions and for the security that ensures the continuity of the company lies. To delegate the topic, an information security manager (Chief Information Security Officer (CISO) or Chief Information Security Manager (CISM)) is often appointed, who assumes the tasks of setting up, implementing, controlling and monitoring the management system. An Information Security Officer (ISO) supervises – mostly in larger companies – the operational implementation and supports the CISO/CISM in concept development, employee training, etc.
Neither position should be confused with the IT security officer, who is usually responsible for the specific field of the digital processing of information.
 
Steps to an ISMS
Setting up and implementing an ISMS is exciting and challenges companies, management and employees alike. The motivation is multifaceted and ranges from internal reasons to customer requirements, legal regulations and regulatory requirements. Information security managers and officers are the responsible parties and, in the case of certification, also the contact persons for the auditors. Because an ISMS is a living, ever-evolving system, it requires the ongoing involvement of resources at all levels of the organization. Initial costs are incurred during set-up and first implementation, followed by the ongoing costs of operating the system.
If there is already a quality management system according to ISO 9001, costs can be minimized and resources shared.
 
At ePrivacy, we already support a large number of companies in setting up their individual ISMS. Feel free to contact us if you have any questions on the topic.
 
Possibilities of a certification
Once the ISMS has been set up and established, it can be subjected to certification in accordance with the ISO 27001 standard. This proves that procedures and rules have been established (guidelines, processes, etc.) that permanently define, control, monitor and improve information security as part of a continuous process.
 
Certification is certainly the “icing on the cake”, but it can also be targeted at a later date. In any case, it first makes sense to set up the system in accordance with the applicable requirements in order to gain a competitive advantage.
With our soon-to-be-accredited company ePrivacycert GmbH, we will then be able to offer the ISO 27001 seal and carry out these certifications for you.
 
For further information, please do not hesitate to contact us at any time.
