Argana Consulting GmbH 
Let's rather talk about how to solve the problems.

Information security 

In a world of networking and information exchange between people, computers, mobile and IoT devices, with services scattered around the globe, the protection of our personal data and identities is of very high value.

If we now add critical information and data from companies, we are in a world in which information security is of central importance to us all.



Implementing regulatory requirements from standards, laws, ordinances and guidelines in a company is now a major challenge for IT departments. With the move to distributed systems and international networks, the job profile of IT employees has expanded to include security and regulatory requirements.

A primary goal of information security is to ensure the three most important protection goals of confidentiality, integrity and availability when processing data, taking into account technical and non-technical systems. Information security serves to protect against dangers and threats and to avoid economic damage.



Where does the journey towards information security begin? It does not begin with technology or technologies, but with the information security management system (ISMS). This is where the requirements for the IT systems, applications and processes in the company are defined.

One prerequisite for this is knowing which standards, laws, ordinances and guidelines apply to the company. Another prerequisite is a functioning risk management system, because only those who know their risks can respond to them appropriately.

Information Security Management System (ISMS)

The development of an information security management system (ISMS) is characterised by three important measures – one organisational, one content-related and one methodological.

In organisational terms, the roles of the CISO (Chief Information Security Officer) and the DPO (Data Protection Officer) should be clearly and unambiguously defined in writing within the company. 

It is important to create content-related guidelines to ensure that no excessive or unnecessary bureaucracy arises and that the standards, laws and regulations applicable to the company are coordinated and defined. 

It must be methodically determined that activities for the development and recertification of documents in the ISMS are process-oriented and risk-oriented.

An Information Security Management System (ISMS) defines rules and methods for establishing, managing, controlling, maintaining and continuously improving information security in a company.

An information security management system (ISMS) is not a one-off solution that can be set up and then left alone. Standards, laws and regulations are constantly being adapted, and these changes have a direct impact on the company's ISMS. New technologies change IT systems and require the security strategy to be rethought. Cyber attacks are constantly evolving, and countering these threats requires measures that ensure the protection of data and IT systems.

One method for the continuous improvement process of an Information Security Management System (ISMS) is the Deming Cycle or PDCA Cycle.


The four phases of the cycle, as applied to an ISMS:

  • Development of an ISMS (Plan): requirements/environmental analysis; IT policy, guidelines, security objectives; principles and policies; risk management procedures; concepts, guidelines and specifications.
  • Implementation and operation (Do): ISMS and risk management; determining the need for protection; processes and measures; implementing requirements; communication; prevention, awareness, training.
  • Monitoring and control (Check): implementation control; operational monitoring; efficiency/performance review; ICS documentation; audits/assessments; reporting and evaluation.
  • Optimisation and improvement (Act): reflecting on processes; improvement measures; budget and personnel planning.


Organisation

In a traditional organisation, the ISB (Informationssicherheitsbeauftragter, the information security officer)/CISO is a staff position reporting directly to management in order to maintain independence.

It is advisable to separate the role of the ISB/CISO from that of specialist departments such as the IT department: heads of departments are authorised to issue instructions in their capacity as managers and could therefore influence the guidelines and controls that apply to them.


If an ISB/CISO takes on management responsibility for a specialist department, a conflict of interest may arise. To avoid this, it is recommended that the ISB/CISO be responsible only for managing their own staff unit (the IS management team).

Combining the role of ISB/CISO with that of the DSB (Datenschutzbeauftragter)/DPO should be viewed critically and questioned, as conflicts of interest could arise between the two roles.

In some companies, the role of ISB/CISO is filled by an external party. In this external variant, the challenge lies in the contractual agreement.


Structure and organisation of an ISMS

The structure of the Information Security Management System (ISMS) depends on which standard (e.g. the ISO/IEC 27000 series) is used. In the case of the ISO/IEC 27000 series (standards for information security), there are operationally necessary documents, mandatory documents and procedural instructions.

The structure and organisation of an information security management system (ISMS) cannot be the same in all companies; it depends on the industry sector and the standards, laws and regulations that apply to it.

Two recommendations should be taken into account when creating an Information Security Management System (ISMS).

  • Keep it simple. Processes, guidelines, policies and concepts should be understandable and comprehensible to the employees in the company who are affected by them.
  • Create synergies with other management systems such as the data protection management system (DSMS), risk management system (RMS) and compliance management system (CMS). The wheel (processes, document storage, risk assessment, etc.) does not have to be reinvented several times within the company.