Meeting legal requirements for corporate IT

Standards create trust.

That is all the more true of corporate IT security.

ISO 27001, an internationally recognized standard, has been in existence since 2005. It lets companies demonstrate not only high standards of information security, but also the implementation of specific basic IT protection measures.

Audits – ISO 27001 certification

The ISMS audit process according to ISO 27001


The ISMS provides for two types of audit:

  • internal audits, which verify that the ISMS is functioning as intended, and
  • the audit of the ISMS itself, carried out by an external testing organization (the certification body).

Internal audits should follow broadly the same structure as the external audit, so that the results of the two are comparable. They must be carried out every year and serve as the basis for the audit carried out by the testing organization.

A pre-audit ahead of the external testing organization's ISMS audit mirrors the certification body's audit and gives an impression of how the real audit will go. Its scope and the effort required are planned according to ISO 19011 (Guidelines for auditing management systems) and ISO 27001.

We support you in the preparation, monitoring, and follow-up of audits.


ISO 27001-compliant Information Security Management System (ISMS)

Consulting, implementation, audit support, and follow-up

ISO 27001 is the leading international standard for evaluating the security of information and IT environments. The core requirement of the ISO 27001 standard, and the basic prerequisite for certification, is the introduction of an information security management system (ISMS). ISO 27001 specifies the requirements for implementing and documenting an ISMS. Accordingly, the ISMS defines rules and methods not only to ensure information security, but also to improve it continuously.

Companies benefit from this in several ways:

  • Legal requirements such as compliance regulations are met;
  • Stakeholder confidence is strengthened;
  • Audits are simplified;
  • Greater security and performance of IT systems are achieved.

Critical Infrastructure Operators

Critical Infrastructure Operators (KRITIS) are not explicitly required to introduce an ISMS, but KRITIS companies must provide evidence of their information security every two years in the form of security audits or certifications. An ISO 27001-compliant ISMS is currently the best way to produce this evidence; for electricity and gas network operators, an ISMS is now mandatory under the German IT Security Act.

We advise, implement, and support you in the introduction and certification of the ISMS.

Data protection and compliance

Data protection in accordance with the new GDPR

The new GDPR raises the requirements companies must meet to protect personal data. In particular, companies must take technical measures to satisfy the new monitoring and accountability obligations.

Some of the EU requirements are as follows:

  • § Reversal of the burden of proof
    Companies must not only comply with the requirements, but also be able to prove that they do so now and have done so in the past.
  • § Responsibility for data
    It must be ensured that data is processed only on the instructions of the data controller.
  • § Protection of personal data
    The law requires data minimization and the best possible protection of the data that is processed.
  • § Processing by qualified personnel
    Personal data may only be processed by suitably qualified personnel.

Compliance

The term "compliance" covers the fulfillment of all legal regulations and internal company commitments. Evidence of compliance (with the GDPR, the German IT Security Act, ISO standards, KRITIS requirements, the German Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, BAIT), the German Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT, VAIT), and PCI DSS) requires both adherence to and ongoing monitoring of specified technical and organizational procedures.

We advise you on how to define and implement suitable IT security measures, so that you not only comply with legal requirements but can also prove it at any time.


Participant in the BSI Allianz für Cyber-Sicherheit

Award-winning security know-how

Consist's security consultants hold their own on an international scale. Not only did they win the "Boss of the SOC" competition in 2017; in 2018 they once again ranked among the top of more than 700 participants in this international IT security competition. This experience feeds into our practice every day, as our numerous successful security projects confirm.

Our customers appreciate our implementation of the security requirements that follow from compliance obligations, such as those of BaFin, including the highly customized integration of proprietary systems that until now have been very difficult to monitor.

Your contact

Asmus Hammer

Sales Manager Projects

phone: +49 431 3993-637

mobile: +49 172 6816706

e-mail: hammer@consist.de