ISO 27001 - a defensive shield against digital attacks
Hacker attacks, data misuse or the paralysis of entire operations can result when companies are not adequately protected against digital threats. ISO 27001 certification plays a central role in the IT security of companies of all sizes, and HITGuard can provide significant support on the way to this level of security.
Contents
- ISO 27001 - a defensive shield against digital attacks
- Standard as a basic requirement for information security
- Positive impact on image
- For whom is ISO 27001 particularly important?
- ISO 27001, BSI IT-Grundschutz, EN 50600 and TISAX - how these standards and norms are interlinked
- The path to ISO certification
- HITGuard as a trusted partner on the way to ISO 27001
Standard as a basic requirement for information security
The ISO 27001 standard is the starting point for an information security management system (ISMS) that ensures the best possible technical and procedural protection against attacks, whether they originate outside or inside the company. Business partners may also demand proof of ISO 27001 certification. For most companies, the advantages of ISO 27001 clearly outweigh the effort involved. The standard helps to ensure that:
- ... threats are recognized and reduced in good time
- ... the IT protection goals of confidentiality, availability and integrity are taken into account
- ... the actual operational situation is evaluated and, if necessary, optimized or adapted to the target situation. This significantly improves internal processes.
- ... the standard is applied in practice within the company and integrated into everyday working life. The prerequisite for this is that top management takes responsibility for the ISMS and that training and regular internal audits take place.
Positive impact on image
If such a certificate is available, this can have a positive effect on the company's image. Conversely, if company data is stolen in a hacker attack or IT processes are compromised, the company risks financial damage, loss of customer trust and a competitive disadvantage.
For whom is ISO 27001 particularly important?
ISO 27001 certification is recommended for every company that wants the best possible protection against data theft or hacker attacks. For some companies, demonstrable protection of this kind is required by law: in particular, operators of critical infrastructures (KRITIS) must prove that they have implemented appropriate security measures, and ISO 27001 certification is an established way of providing that proof.
If hacker attacks or data misuse occur in such organizations, the consequences for the health, safety and economic and social well-being of the population can be devastating. In Germany, KRITIS operators are therefore obliged to report significant IT security incidents to the Federal Office for Information Security (BSI) without delay. In Austria, such reports go to the Federal Ministry of the Interior (BMI).
ISO 27001, BSI IT-Grundschutz, EN 50600 and TISAX - how these standards and norms are interlinked
ISO 27001 is not the only standard in information security management. It complements other standards and, in some cases, can be implemented as an alternative to them.
Certification according to BSI IT-Grundschutz vs. ISO 27001
Many companies ask themselves the question: should we be certified according to ISO 27001 or BSI IT-Grundschutz?
Both are suitable for setting up an information security management system, but they differ in their approach. ISO 27001 is strongly oriented towards business processes and risk management and leaves companies a great deal of freedom in how they implement the requirements. BSI IT-Grundschutz is more technically oriented: its IT-Grundschutz Compendium describes very specifically and in detail which measures are to be implemented and how to proceed. The two are not mutually exclusive, since the BSI issues an ISO 27001 certificate on the basis of IT-Grundschutz, i.e. an ISO 27001 certification whose audit follows the IT-Grundschutz methodology.
Automotive industry - between TISAX and ISO 27001
Some industries face additional requirements beyond the ISO 27001 or BSI IT-Grundschutz decision. In the automotive industry, information security is assessed and the results are shared via TISAX (Trusted Information Security Assessment Exchange). TISAX is closely related to ISO 27001, but the main difference lies in the scope of application: TISAX is tailored to the security requirements of the automotive sector and to the exchange of assessment results between partners in the supply chain. Besides information security, prototype protection and data protection are treated as key topics.
TISAX builds on ISO 27001 in terms of its requirements, assessment process and use of maturity levels, albeit with some differences. Whereas ISO 27001 lets the company define the scope of its ISMS itself, TISAX uses a standardized assessment scope that covers the locations and processes in which partners' sensitive information is handled, and it rates each requirement with a maturity level rather than a simple pass/fail judgement of conformity.
EN 50600 is used for data centers
The ISO 27001 standard is also linked to other standards. One of these is DIN EN 50600, which specifies how a data center is to be planned, built and operated. Whether construction, power supply, air conditioning, cabling or the security systems of a data center: all of this is covered by DIN EN 50600, which is also the first Europe-wide standard for data centers. ISO 27001 is equally influential for data centers, but at a different level: it requires physical and environmental security to be managed as part of the ISMS (Annex A contains controls for this), while leaving the concrete design of the facility to standards such as EN 50600.
The path to ISO certification
To certify your company in accordance with ISO 27001, you have to go through several stages. The audit stages themselves usually take between three and five weeks until final certification; building and documenting the management system beforehand usually takes considerably longer and depends on the maturity of your existing processes.
First information
The objectives, benefits and basic requirements for certification are clarified for the company at the start of the process. The scope of the certification is also defined.
Start of the certification process
The certification process is started together with the responsible auditor.
Stage 1 Audit:
In a first audit, the auditors determine whether the organization is ready for certification; passing the stage 1 audit is the prerequisite for the stage 2 audit. This audit is usually carried out on site by the lead auditor and, in exceptional cases, can also take place as a pure document review. It often already reveals weaknesses in the documentation and in the management system.
Stage 2 Audit:
This is the actual audit and is carried out by a team of auditors. It determines the conformity and effectiveness of the management system. Spot checks in all organizational units show whether the requirements have been met. Once the results are available and evaluated, the auditors disclose any deviations. Depending on their severity (major or minor nonconformities), these can lead to the certificate being refused or to the company being asked to correct them within a specified period. In practice, this is the less common outcome; more often the auditors provide recommendations for improvement, which the company then addresses in the following year.
Issue of the certificate
Once the documentation and implementation of the management system have been completed and the audit has been passed, the ISO 27001 certificate is issued. The certificate is valid for three years. To keep it valid, an annual surveillance audit must be carried out, in which the effectiveness and further development of the management system are spot-checked.
After expiry of validity
To remain certified, and above all protected, after the three years, companies must undergo a recertification audit. This must be completed before the certificate expires so that certification continues without a gap. Here too, all requirements are checked on a sample basis. If the result is positive, the certificate is reissued for another three years, again with annual surveillance audits.
If companies wish, they can also have a pre-audit carried out by the certification body. This checks readiness for certification in advance, but is not mandatory for certification.
HITGuard as a trusted partner on the way to ISO 27001
HITGuard offers a guide to support certification with the ISO 27001 standard.
Experts and knowledge databases
HITGuard provides support with its own knowledge databases, in which the know-how of experts on the path to certification has been collected. HITGuard also offers templates for certification with regard to guidelines and process descriptions.
Critical systems and vulnerabilities are identified
The structure of your company and IT landscape can easily be modeled with the help of import options and graphical editors. The protection requirements analysis in HITGuard then helps to determine where the critical IT services and the most sensitive information are located and need to be protected. Based on a vulnerability analysis using the knowledge databases, companies can determine their compliance with the ISO 27001 requirements and the Annex A controls, as well as with other supporting standards and norms.
The ability to derive measures directly from the analyses and initiate their implementation immediately helps to resolve any problems as quickly as possible. The control system that HITGuard also offers ensures that issues are tracked and resolved sustainably over the years.
The Statement of Applicability is also required for certification: it lists the Annex A controls, states whether each one is applied and justifies inclusions and exclusions. It can be maintained in HITGuard and generated as a report.
Where, among other things, HITGuard is already proving its worth
- Construction industry, approx. 20,000 employees
- Auditor, approx. 700 employees
- Health service, approx. 18,000 employees
- IT Security Solutions, approx. 100 employees
- Software House, approx. 400 employees
- Event Management, approx. 500 employees
- Hospital Operators, approx. 1,600 and approx. 6,000 employees
- IT Service Providers, approx. 40 employees
Is your industry not listed? Do you need more information? We would be happy to put together individual reference examples for you – please contact us.