Why do I need information security management?

Today, information represents the majority of a company's assets. It is vital for survival across all industries. Losing it usually means the end! A study by the University of Houston, Texas, showed that 50% of companies that suffered a total loss of data never recovered. 90% of them no longer existed after 2 years.

Isn't such a management system overkill for an SME?

The salient feature of ISO 27001:2013 is that everything you do to secure your information is based on an analysis of your business risks. You determine the level of security, decide on countermeasures to minimise the risks and decide what residual risk you can bear as an entrepreneur. This allows a very focussed use of resources to mitigate the top risks, instead of implementing isolated measures spread thinly across the board (the "watering can" principle) until the budget is exhausted. This saves money!

I handle my own and my customers' data very carefully. I guess that settles the issue!

No, because information security according to ISO 27001:2013 takes into account not only confidentiality, but also the availability and integrity of information. The weighting shifts depending on the industry and company. In the manufacturing industry, for example, availability is almost the highest priority. If you lose your production facility with the machines due to fire or water, this damage is usually covered by insurance and you can find a subcontractor to fulfil your orders. However, if the data is destroyed, you can no longer produce. Fire and water are almost always a very real threat.

I already have an ISO 9001 system. Does that fit together?

A management system in accordance with ISO 9001:2015 is not a prerequisite, but it is very helpful as you then have a process structure into which you can integrate the measures. Without such a management system, this is more time-consuming.

What are the benefits of a certification?

Show your customers and business partners! Show them that you are a long-term thinking, reliable partner and that you have your risks under control. Experience also shows that a certified system is more sustainable, because the certificate and mechanisms such as management review, internal and external audits, and corrective and improvement measures are the engine that keeps the system going. The number of certificates is increasing exponentially. A unique selling point today, it will be standard tomorrow and perhaps a must the day after tomorrow.

What do the ISO 27001 and ISO 27002 standards contain?

The ISO 27001 standard, which evolved from BS 7799-2, sets out the requirements for an information security management system (ISMS). It is divided into the following areas:

  • Information security management system
  • Management responsibility
  • Internal audits
  • Management review
  • Improvement of the system

Every manager is familiar with these requirements from ISO 9001 and ISO 14001. They show that an information security management system can be seamlessly integrated into an existing management system. ISO 27002, which once emerged from BS 7799-1, does not prescribe a procedure, but does specify critical success factors and provides guidance on: security policy, management support, training, monitoring and continuous improvement, risk analysis, access control, system development and maintenance, and crisis management. With numerous 'good practices', it provides practitioners with valuable guidance.

Is this not just a topic for IT?

Of course, IT is playing an increasingly important role in the processing and storage of information. But information is also stored on paper, for example, or transmitted as spoken words. Have you ever wondered how freely travellers talk about their business, projects and customers on the train, where everyone can overhear? Raising employee awareness is also a key aspect of information security.