Meeting legal requirements for corporate IT
Standards create trust.
That's even more true for IT security in the company.
ISO 27001, an internationally recognized standard, has been in existence since 2005. It lets companies demonstrate not only high standards of information security, but also the implementation of specific basic IT protection measures.
Audits – ISO 27001 certification
The ISMS audit process according to ISO 27001
ISMS defines two types of audits:
- internal audits, which verify that the ISMS is functioning;
- audits of the ISMS itself, carried out by an external testing organization.
Internal audits should follow largely the same structure as the external audit, so that the two types of audit are comparable. Furthermore, internal audits must be carried out every year and serve as the basis for the audit carried out by the testing organization.
Pre-audits, held before the ISMS audit by the external testing organization, mirror that audit and give an impression of how the actual audit will go. Their setup and the assessment of effort follow ISO 19011 (Guidelines for auditing management systems) and ISO 27001.
We support you in the preparation, monitoring, and follow-up of audits.
ISO 27001-compliant Information Security Management System (ISMS)
Consulting, implementation, audit support, and follow-up
ISO 27001 is the leading international standard for evaluating the security of information and IT environments. The core requirement of the ISO 27001 standard, and the basic prerequisite for certification, is the introduction of an information security management system (ISMS). ISO 27001 specifies the requirements for the implementation and documentation of an ISMS. Accordingly, the ISMS defines rules and methods not only to ensure information security, but also to optimize it.
Companies benefit from this in several ways:
- Legal requirements such as compliance regulations are met;
- Stakeholder confidence is strengthened;
- Audits are simplified;
- Greater security and performance of IT systems are achieved.
With regard to Critical Infrastructure Operators (KRITIS), there is no explicit requirement to introduce an ISMS, but KRITIS companies must provide evidence of information security every two years in the form of security audits or certifications. The introduction of an ISO 27001-compliant ISMS is currently the best way to provide this evidence; for electricity and gas network operators, an ISMS is now mandatory under the German IT Security Act.
We advise, implement, and support you in the introduction and certification of the ISMS.
Data protection and compliance
Data protection in accordance with the new GDPR
The new GDPR increases the requirements for companies to protect personal data. In particular, technical measures must be taken by companies to satisfy the new monitoring and accountability obligations.
Some of the EU requirements are as follows:
- Reversal of the burden of proof: in the future, companies will not only have to comply with the requirements, but also prove that they do so and have done so in the past.
- Responsibility for data: it must be ensured that data is only processed on the instructions of the data controller.
- Protection of personal data: the law requires the minimization and the best possible protection of data.
- Processing by qualified personnel: personal data may only be processed by qualified personnel.
The term "compliance" covers the fulfillment of all legal regulations and internal company commitments. Evidence of compliance (pursuant to GDPR, German IT Security Act, ISO, KRITIS, the German Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, BAIT), the German Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT, VAIT), PCI DSS) requires compliance with and monitoring of specified technical and organizational procedures.
We advise you on how to define and implement suitable IT security measures so that you not only comply with legal requirements, but can also prove it at any time.