The ISO world and the ISMS


In this article we will introduce you to the world of information security and explain what ISO means.

What is an information security management system?

An information security management system (ISMS) establishes rules and methods to ensure, verify and continuously improve information security in an organization. In other words, the ISMS is a kind of manual that enables employees to handle information securely in the workplace. It also enables threats and opportunities related to critical information to be identified and acted upon. Today companies are expected to maintain high standards of information security, which has led to greater interest in an ISMS. In general, an ISMS is important for any company, regardless of industry or size. It is useful for companies in terms of:

  • Confidentiality - Only the intended recipients can access and use the data, and only in the ways they have been specifically permitted to.

  • Integrity - Data is error-free, has not been tampered with and is kept in a secure location.

  • Availability - Authorized individuals can access and use the information more easily.

What is information security?

Information security is often used interchangeably with IT security. However, this is not entirely accurate, as information security encompasses everything that protects an organization's information assets from threats (e.g., cyberattacks, sabotage, espionage, etc.) and the resulting damage. This also includes organizational concerns such as access authorizations and responsibilities. Legal regulations such as the GDPR require appropriate protection measures for sensitive information which may be in electronic, written or printed form.

Information security is not the sole responsibility of the IT department but must be implemented in all areas of the company.

What are the goals of the ISMS in the company?

An information security management system plays an important role in the growth of a company. The following benefits result from it:

  • New business opportunities - Information security is indispensable for many companies. Business partners expect best practices in this area.

  • Competitive advantages - The value of the organization increases because only an ISMS provides an accurate view of a company's processes and data.

  • Better cyber resilience - Companies can defend against cyber attacks, limit the damage and maintain operations despite an attack.

  • Systematic information collection - The ISMS is the central point for protecting and managing all information in the enterprise.

  • Adaptation to security threats - An ISMS keeps pace with external and internal changes. This minimizes threats from new risks.

  • Improved corporate culture - An ISMS encompasses all areas of the company, making it easier for employees to recognize threats and integrate appropriate security measures into their daily work.

  • Reduced information security costs - ISMS-based risk assessments and analysis save organizations money by eliminating the need to invest in unnecessary defensive technologies.

What does ISO mean?

ISO was founded in Switzerland in 1947 as the International Organization for Standardization. It ensures uniform standards for products and services worldwide and has published more than 24,000 standards since its founding. It is an international umbrella organization for the national standards bodies of a total of 161 countries and is headquartered in Geneva.

ISO develops a number of standards in collaboration with other international standards organizations, such as the International Electrotechnical Commission (IEC). The titles of these standards indicate the organizations involved and the date of issue. The correct titles of the original English versions of ISO 27001 and ISO 27701 are "ISO/IEC 27001:2013-10" and "ISO/IEC 27701:2019-08." The currently valid German-language versions are DIN EN ISO/IEC 27001:2017-06 and DIN EN ISO/IEC 27701:2021-07. For better readability, only ISO 27001 and ISO 27701 are referred to in the text.

ISO standards also include DIN standards, which are better known to most. A DIN standard is one developed under the direction of the working committees of the German Foundation for Standardization.

The ISO 27xxx series

The ISO 27000 series is the internationally recognized standard for information security in companies and organizations. The focus is on information security within the framework of the ISMS. In particular, the series describes the planning, implementation, operation and optimization of an ISMS.

ISO 27001 - Information Security Standard

ISO 27001 is part of the ISMS series of standards and enables organizations (regardless of industry or size) to operate an effective and reliable information security management system. It is the reason the ISMS exists in the first place, because its central element is the development and maintenance of an ISMS. It involves establishing a set of information security controls that organizations should ultimately implement, based on a risk assessment and on the requirements of the parties involved. According to ISO 27001, an information security management system is the preferred method for mitigating information security risks.

It is also the standard of the series that can be certified. Certification can be done, for example, by TÜV Austria as part of an audit. Certification strengthens the confidence of business partners and thus contributes to the expansion of business opportunities.

ISO 27002 - Guide to information security

ISO 27002 is an international standard that contains recommendations, in the form of guidelines, for various information security measures. The standard refers to Annex A of ISO 27001: it describes the so-called controls for practical implementation and provides guidance on how to meet the requirements. Certification to ISO 27002 is not possible, because the standard is a collection of suggestions rather than requirements. ISMS certification is only possible if the requirements of ISO 27001 are met.

ISO 27701 - Standard for data protection management systems

ISO 27701 is an extension of ISO 27001 and ISO 27002 to include data protection, and certification can only be achieved in conjunction with ISO 27001. ISO 27701 therefore always requires compliance with the requirements of ISO 27001. ISO 27701 itself specifies how data privacy and information security measures can be linked to achieve the establishment, implementation, maintenance and continuous improvement of a privacy information management system (PIMS).

ISO 27701 helps demonstrate compliance with data protection regulations worldwide. The standard is largely based on the GDPR but repeatedly and explicitly requires compliance with the laws of the country concerned. In contrast to ISO 27001, ISO 27701 speaks of "information and data protection" and not just "information". This is intended to take into account not only information security but also the privacy of individuals who may be affected by the processing of personal data. More information about ISO 27701 can be found here.

Common Features of ISO 27001 and ISO 27701

The ISO 27001 and ISO 27701 standards define the requirements that an organization's management system must meet. Only the focus areas - information security in ISO 27001 and data protection in ISO 27701 - are different. Both standards require that the management system be continuously improved. This is also known as the PDCA cycle, with the phases Plan, Do, Check and Act. ISO 27001 and ISO 27701 differ only in the chapters in which the relevant steps are described.

[Figure: PDCA cycle]

Because the management systems share a common structure, they must fulfill the same requirements regardless of their thematic focus. This creates synergy effects: if a company already has an ISO 27001-compliant ISMS, many processes only need to be expanded rather than rebuilt. In addition, resources (e.g., training tools) can be shared.

Is an ISO 27001 ISMS compliant with the GDPR?

An ISMS is not necessarily GDPR compliant, because data protection and information security have two completely different starting points. Data protection laws like the GDPR aim to protect the people behind the data. The purpose of information security, on the other hand, is to protect companies and organizations from certain risks.

Nevertheless, there is some overlap between the two approaches. Both the General Data Protection Regulation and ISO 27001 require the implementation of technical and organizational measures. If, for example, a cyber attack occurs in which large amounts of data are compromised, both approaches are relevant: preventing such an incident is in the interest of data protection as well as information security. Good cooperation between the data protection officer (DPO) and the chief information security officer (CISO), or the organization's information security officer, is therefore beneficial.

Are information security and data protection important to you? Contact us; in a free initial consultation we will analyze your needs together.
