Especially in the current time of crisis, it becomes evident which companies are well prepared for emergency situations and which are not. In some critical infrastructure sectors, emergency plans, security concepts and information security management systems (ISMS) are required by law and are regularly reviewed. For energy suppliers this is regulated in the Energy Industry Act and, in detail, in the IT Security Catalogue; for telecommunications companies it is laid down in the Telecommunications Act. In both cases, proof of compliance can be provided by an accredited certification according to ISO 27001; in some cases this is even required by German law. In addition, other industries show an increasing demand for certifications in existing supply chains, and in some cases orders and business relationships are made dependent on them. Especially in the current situation, consultants, auditors and certifiers are noticing increased demand.
However, ISO 27001 certification is a project that cannot be completed in a few days or weeks. Although it depends on the organization of the company and the corresponding documentation, the process of creating and implementing an ISMS up to certification usually takes about one year, depending on the use of internal resources. It is helpful if the company is already familiar with management systems and is, for example, already certified according to ISO 9001. Established and practised procedures in the areas of data protection and IT security are also helpful and can be incorporated into an ISMS.
What is the best way to proceed if you want to introduce an ISMS and obtain ISO 27001 certification?
Experience has shown that in most cases it makes sense to engage a good consultant in the field of information security who accompanies and controls the project. In any case, a project manager and, depending on the size of the company, a project team must be appointed on the company side. With good cooperation between both sides, such a project can be managed well. Furthermore, management has to provide sufficient resources in terms of finances, personnel and time.
The second important person is the lead auditor, who will later approve the system. It has been shown that it is of great advantage if consultant and auditor know each other and have already supervised several projects together. This ensures that the consultant has the same view of processes and documentation as the auditor and does not miss the point. Once a consultant and an auditor have been chosen, the certifier is chosen. Good auditors usually work for several certification bodies, so a selection is still possible. In the past it has often been shown that one should not choose a certifier first, because then you often get an auditor you do not know and who has a different focus than the consultant. This should not be the case, but unfortunately it happens too often. The result is, in the simplest case, friction, but in the worst case high additional effort, additional costs or even a negative audit.
If ISO 27001 certification is to be achieved, it is recommended to first carry out a gap analysis to determine the current status. The scope of certification is then determined, and offers for consulting, audit and certification can be obtained. The project starts once the offer is accepted. The usual methods of modern project management are used, starting with a kick-off, a project structure, milestones and efficient project control.
If there is interest in the development of an ISMS and/or its certification according to ISO 27001, ePrivacy and useConsult are the ideal partners. Both have decades of experience in the fields of data protection, IT security and certification of ISMS, and have been working together for a long time.
ePrivacy: Christoph Bauer has worked for more than 25 years in the media sector as CFO and COO in well-known companies such as Bertelsmann and AOL, most recently as CFO/COO of wunderloop. Under his direction, wunderloop achieved the ULD and EuroPriSe seals for exemplary compliance with German and European data protection law. Christoph Bauer works for industry organizations in working groups and in the field of data protection. He has been accredited as a data protection evaluator (under the old version of the BDSG) at the Regional Data Protection Centre Kiel (ULD) for privacy seals, is an accredited auditor for ISO 27001/information security management, and teaches as a professor at the HSBA (Hamburg School of Business Administration).
useConsult: Managing Director Dr. Reinhold Scheffel, graduate physicist (Diplom-Physiker), has more than 35 years of experience in the fields of IT security, telecommunications and certification. He worked at TÜV Rheinland and TÜV Saarland, in each case building up the fields of IT security, telecommunications and certification of management systems. He is an accredited expert at the Federal Network Agency and a publicly appointed and sworn expert. He is a lead auditor for ISO 27001 and has acted as consultant and coach in many successful certification projects.
Both companies have been working with reputable accredited certification bodies for a long time and know the responsible auditors personally from many projects. This cooperation ultimately guarantees the success of a certification project.