Munich - The topic of information security should not be underestimated, given the essential role played by data protection and data availability in the success or failure of enterprises. The majority of the actions, roles and responsibilities involved fall to the management team and must be appropriately planned and controlled. The experts at TÜV SÜD provide tips for implementing an information security management system and give information on aspects that are critical for success.
• Scope: In the first step, the scope and limits of the information security management system are defined.
• Information security policy: The next step is to establish an information security policy within the company, which needs to be backed by the management team. The policy sets forth long-term and binding details of security-related goals and targets, strategies, roles and responsibilities, and actions. Companies must draw up their own individual definitions for the degree of security they require.
• Information assets: The third step involves defining and categorising key information assets. These may include technical systems, information, documents and even individual employees. The actions concerned depend on the classification of the assets as confidential, strictly confidential etc.
• Risks: Depending on the framework conditions and location of the company, there are various risks that must be identified. They may span flooding, earthquake, fire, cyber-attacks, failure of refrigeration equipment and so on. Depending on the seriousness of the risks identified, they must then be assessed and deemed either as acceptable or calling for further action.
• Security measures: Finally, appropriate security measures must be established. Guidance is provided by Annex A of the ISO 27001 standard, which lists examples of measures including access control, protection against malware, information backup and assignment of responsibilities.
Critical success factors
• Business objectives: All aspects related to information security – from provisions to targets, goals and actions – must be connected with, and aligned to, the business objectives and corporate goals of the enterprise; information security must not be an end in itself, but must serve corporate goals.
• Corporate culture: Procedures and procedure models must be aligned to the corporate culture if they are to run smoothly.
• Management agreement: All measures and regulations governing information security require the full agreement and support of management throughout every level of the hierarchy.
• Risk assessment: As all those involved need to have a good understanding of risk assessment and risk management, comprehensive training courses are advisable. An initial risk assessment at a lower level of detail can be a useful first step to get the process started, and can then be progressively elaborated.
• Information security policy: Familiarity with security policy is essential; managers, employees and external team members therefore require regular training in this area.
• Problem awareness: Employee training should be designed to establish a reasonable level of problem awareness.
• Budget: Realistic cost plans must be drawn up to ensure adequate budget provisions are available for activities and measures related to information security.
• Processes for critical incidents: For a worst-case scenario such as a cyber-attack or failure of refrigeration equipment, a clearly defined process must be in place, including all roles and responsibilities and precise requirements.
• System of performance indicators: A system of performance indicators is a useful method of managing and controlling the efficiency and continuous improvement of the information security management system.