Introduction of Information Security Management Systems

Given that information is of huge value to companies of all sizes and in all lines of business, it needs to be properly protected. Inadequate protection of business-critical information can lead to situations in which a company's very existence is under threat. With business processes and information flows relying increasingly on IT-based processing, a significant proportion of the potential protective measures aimed at reducing risk now centres on information technology. Globalisation is accelerated by information technology and is doubtless a factor in intensifying competition for resources, markets and political spheres of influence. As a result, company IT systems are increasingly becoming the target of attackers.

Public and regulatory bodies have also recognised the significant risk that the security and quality of business processes and information technology present to companies, and they now call for adequate information security management in many areas. Recent IT security legislation is a vital component in improving the safeguarding, by their operators, of IT infrastructures that are becoming increasingly indispensable. As part of revisions to the Energy Industry Act (EnWG), the Federal Network Agency is drawing up an IT security catalogue in accordance with § 11 section 1a of the EnWG, the core requirement being the introduction of information security management systems by energy providers in accordance with DIN ISO/IEC 27001. The Federal Financial Supervisory Authority's (BaFin) Minimum Requirements for Risk Management (MaRisk) refer, with regard to IT security, to the implementation of established standards. The tax authorities, too, now impose specific requirements for the security of tax-relevant systems via their Principles for the correct keeping and storage of accounts, records and documents in electronic form and for data access (GoBD).

Adequate information security can be achieved even at relatively little expense. Information security covers all technical and organisational measures aimed at maintaining the confidentiality, integrity and availability of information. With the right security concept, you can lay a foundation solid enough to ensure that your information security is of a reliably high standard.

Roever Broenner Susat Mazars is the ideal partner for implementing your information security management system (ISMS). With our comprehensive expertise in the field of information security, we can help you assess and minimise risk at no great expense. To this end we have developed a compact risk analysis of a company's existing information security concepts and measures, based on the prevailing ISO/IEC 27001:2013 standard. It establishes whether the security level common in your industry, and the necessary degree of risk minimisation, are being achieved.

Our ISO 27001 gap analysis is not only a pragmatic approach to assessing the security of your company's information but also the first step towards an ISMS in accordance with ISO/IEC 27001. Our risk-oriented approach is guided by your company's specific security requirements. Completed in a matter of days, it involves very little time and effort on your part.

Our initial analysis of your company's information security involves interviews with those in charge, a visual inspection of existing security precautions, a review of documentation, and analysis of relevant data and system settings. In evaluating the results, we draw on the professional, technical and industry-specific expertise gathered in countless consultancy and review projects, and compare the findings with best practice and industry-specific benchmarks.

The gap analysis identifies vulnerabilities and sorts them into transparent risk categories. A final assessment report presents all the facts and describes any identified shortcomings in detail. These are then evaluated, and suitable recommendations and measures are documented and prioritised.

Our services at a glance

  • Analysis of security requirements and risk
  • Industry-specific benchmarking
  • Gap analysis of ISMS status as per ISO 27001
  • Consultation on introducing an ISMS and preparation for certification
  • Design and supervision of self-assessments
  • Developing information security guidelines and procedures
  • Implementing measures as per ISO 27001 and the IT baseline security set out by the Federal Office for Information Security (BSI)
  • Preparing emergency management plans
  • Carrying out training and awareness measures
  • Appointing an external information security officer (ISO)