Do you need an Information Security Management System (ISMS)?
We are happy to help
For years, incidents and reports from the BKA, the BSI, the World Economic Forum, insurance companies and cybersecurity providers have made it clear that cyber attacks are on the rise and are perceived as a serious threat. Yet many organizations still struggle with information security.
We have been working in information security since the 1970s, and our experts have shaped parts of the BSI IT-Grundschutz standard (BSI 100/200-1 to 200-3). Our team of consultants, data protection officers, pentesters and auditors supports you in all aspects of an ISMS. Because we work for both public sector and commercial clients, we always develop your ISMS in the most practical manner.
What is an ISMS?
An information security management system (ISMS) defines procedures and rules to control, monitor and continuously optimize information security activities. The aim is to ensure confidentiality, integrity and availability in accordance with the CIA principle, and thereby the resilience of your organization.
After the implementation has taken place, an additional audit can be carried out. Organizations can choose between ISO 27001 (“native”) and ISO 27001 based on the BSI IT-Grundschutz standard. Regardless of the chosen standard, such an ISMS is the subject of an ISO 27001 certification. In addition, there may be other standards, such as the Payment Card Industry Data Security Standard (PCI-DSS), or laws, such as the General Data Protection Regulation (GDPR/DSGVO, § 32 para. 1), which also place requirements on your information security activities. An ISMS helps you to meet many of these requirements. You will begin with a gap and risk analysis of your organization.
Advantages of an ISMS
- Reducing the risk and costs of incidents
- Ensuring compliance
- Protecting reputation
- Transparent security processes
- Transparent risks
- Continuous improvement
The security measures you take for your organization depend on your needs, requirements and risk appetite. You determine the basic information security level. Therefore, an ISMS does not automatically result in higher cybersecurity for your organization, especially if you set your information security level too low or your organization does not follow information security practices at all levels on a daily basis. ISO 2700x or basic BSI IT-Grundschutz will also not provide you with clear recommendations for technical solutions or a cybersecurity return on investment (“ROI”). This needs to be done through separate IT security concepts and calculations.
Depending on the size of your organization and the chosen standards, implementing and operationalizing an ISMS can quickly become a complex undertaking. In such cases we recommend using an ISMS GRC software tool to support your activities and provide you with the necessary transparency. Originally developed in the 1990s to support the work of our cybersecurity consultants, our SAVe ISMS GRC software combines decades of experience in information security with future risk and compliance requirements.