Argana Consulting GmbH 
Let's rather talk about how to solve the problems.

Technical and Organisational Measures (TOM)

Technical and organisational measures (TOM) are the concrete controls an organisation puts in place to protect the confidentiality, integrity and availability of its information and IT systems. The term itself comes from data-protection law (Art. 32 GDPR requires "appropriate technical and organisational measures"), but the measures closely correspond to the controls of ISO/IEC 27001, the international standard for information security management systems (ISMS), and the control catalogue in ISO/IEC 27002. Selecting, implementing and maintaining these measures is central to establishing and operating an ISMS in accordance with ISO/IEC 27001.

These measures cover all important aspects of information security, from access control and physical security to network security, emergency management and compliance.

Some examples of technical and organisational measures (TOM) are:

  • Create, approve and communicate information security policies within the organisation, and review and update them regularly so that they reflect current threats and business requirements.
  • Define and assign responsibilities for information security within the organisation, and set up committees or bodies responsible for coordinating and managing it.
  • Identify and classify all information assets to determine their protection needs, and protect them according to their classification.
  • Establish least-privilege access policies and implement strong authentication, i.e. multi-factor authentication that combines, for example, a password with a hardware token or a biometric factor; a password on its own is not a strong authentication method.
  • Ensure that only authorised users have access to IT systems and data, and review and update access rights regularly, in particular when employees join, change role or leave.
  • Use encryption to protect the confidentiality of sensitive information and authenticated encryption or message authentication codes to protect its integrity, and establish an effective key management process (generation, storage, rotation, revocation) to keep cryptographic keys secure.
  • Implement protective and detective mechanisms such as firewalls, intrusion detection and prevention systems, and regular security reviews.
  • Protect data with encryption and with backup and recovery procedures that are tested regularly, and define procedures for the secure deletion and destruction of data and storage media at the end of their life.
  • Prepare for and respond to security incidents, including establishing plans and procedures for incident response.
  • Include security requirements in contracts with suppliers and service providers, and review and assess suppliers' security practices regularly.
  • Develop business continuity plans for security incidents and disasters, and implement strategies for the rapid recovery of critical IT systems and processes after a failure.
  • Identify all legal, regulatory and contractual requirements relating to information security and ensure that they are met.
  • Conduct regular internal audits to verify compliance with information security requirements and to drive continuous improvement.
  • Train employees and raise their awareness of information security to minimise the risk of human error and security breaches.

Technical and organisational measures (TOM) are an essential part of a comprehensive information security management system (ISMS) and should be reviewed and updated regularly so that they continue to meet current requirements and threats. Documented and implemented TOM also serve as evidence of compliance with legal and regulatory requirements in the field of information security.