Information security management system

from Wikipedia, the free encyclopedia

An Information Security Management System (ISMS) is the establishment of procedures and rules within an organization that serve to permanently define, control, monitor, maintain and continuously improve information security.

The term is defined in the ISO/IEC 27002 standard; ISO/IEC 27001 specifies the requirements for an ISMS. The German contribution to this standardization work is handled by the DIN committee NIA-01-27 "IT Security Procedures".

Certification

Depending on the industry and on legal requirements, an organization may have to operate a certified ISMS, often with an annual external audit. In addition to certification directly against the ISO/IEC 27000 series, three variants are common in Germany:

ISO/IEC 27001 certificate based on IT-Grundschutz

In 2006 the Federal Office for Information Security (BSI) published IT-Grundschutz, a concept for implementing an information security management system (ISMS). IT-Grundschutz, with its three standards 200-1, 200-2 and 200-3 in combination with the IT-Grundschutz Catalogues (called the IT-Grundschutz Manual until 2006), provides assistance in establishing and maintaining an ISMS. The IT-Grundschutz Catalogues have been aligned with the international standard ISO/IEC 27001 since 2006. This system is a quasi-standard in German public authorities.

The BSI attaches particular importance to the three protection goals of confidentiality, integrity and availability of information.

Information security management system in 12 steps (ISIS12)

An ISMS based on ISO/IEC 27001 or on the BSI's IT-Grundschutz Catalogues often presents major hurdles for small and medium-sized enterprises (SMEs) for various reasons, especially if they are not active in the IT sector. Experience has shown that difficulties arise, among other things, in assigning sufficiently trained staff to the usually small IT departments. Furthermore, the risk analysis required by ISO/IEC 27001 and the selection of specific measures are in practice unsolvable tasks for many companies. The "Network for Information Security in Medium-Sized Enterprises (NIM)" (whose members include the Bavarian IT Security Cluster, the University of Regensburg and the Regensburg University of Applied Sciences) therefore developed a scientifically based model for introducing an ISMS in 12 concrete steps, derived from IT-Grundschutz and ISO/IEC 27001. The aim was not to cover every threat scenario but to give the company clear, deliberately limited instructions for action, with an integrated introduction concept and in understandable language.

VdS guidelines 10000 (VdS 10000)

The guidelines "VdS 10000 - Information Security Management System for Small and Medium-Sized Enterprises (SMEs)" from VdS Schadenverhütung GmbH contain guidance and assistance for implementing an information security management system as well as specific measures for the organizational and technical protection of IT infrastructures. They are designed specifically for SMEs as well as for small and medium-sized institutions and public authorities. The aim of VdS 10000 is to define an appropriate level of protection for small and medium-sized companies and organizations that can be implemented with the least possible effort. VdS 10000 is the successor to VdS 3473.

General approaches

In practice, the characteristics and goals of an ISMS can be defined as follows:

  1. Anchoring in the organization: Responsibilities and authorities for the information security process are clearly and consistently assigned by top management. In particular, an employee is appointed who bears overall responsibility for the information security management system (usually the information security officer, ISB for short).
  2. Binding goals: The goals to be achieved through the information security process are specified by top management.
  3. Guidelines: Top management adopts security policies that define the secure use of the IT infrastructure and of information.
  4. Personnel management: Information security requirements are taken into account when recruiting, training, terminating or changing the position of employees.
  5. Up-to-date knowledge: It is ensured that the company has current knowledge with regard to information security.
  6. Qualification and further training: It is ensured that staff understand their responsibilities and are suitable and qualified for their tasks.
  7. Adaptive security: The desired level of information security is defined, implemented and continuously adapted to current needs and the risk situation (continuous improvement process).
  8. Preparation: The company is prepared for faults, failures and security incidents in electronic data processing.

Information security and data protection

The information security officer (ISB) and the data protection officer (DPO) sometimes have overlapping responsibilities, but the two roles must be held by different people. With the new ISO/IEC 27701 standard, the classic information security management system has been extended to include data protection aspects, so that both officers can work on the same set of documents.
