
IT security: How to certify your ISMS 2019

by testxchange

What is an information security management system and what options exist as of 2019 to certify it?

Electronic data processing has become a vital requisite for any company to function effectively in 2019. In this context, the secure storage and processing of data is becoming an increasingly important and greater challenge. To master it, many organizations are implementing an Information Security Management System (ISMS) and having it certified. What is it all about, and how does an ISMS certification work in 2019?

What is an information security management system (ISMS)?

An ISMS is a management system that defines various processes, methods, and rules to ensure and steadily improve the security of data processed in an organization. This relates to the definition of responsibilities, the training of employees on security-related topics, the continuous expansion of existing IT security knowledge, and the preparation for technical incidents in order to achieve the highest possible level of security in all situations.

According to which standards can an ISMS be certified?

As of 2019, the most common certification standard for information security management systems is ISO/IEC 27001, an international standard developed on the basis of the British standard BS 7799-2:2002 and first published in 2005. ISO 27001 defines requirements for establishing and operating an ISMS. In addition, certification to ISO 27001 requires an examination of company-specific information security risks. Another certification basis for an ISMS in Germany as of 2019 is the so-called ‘IT-Grundschutz’ of the Federal Office for Information Security (BSI). With this certification variant, the organization must fulfill further requirements, defined in the IT-Grundschutz catalogs of the BSI, in addition to the requirements of ISO 27001.

Is ISMS certification required by law?

As of 2019, there is no general obligation for organizations in Germany to certify an ISMS. However, the IT security catalog published by the Federal Network Agency (BNetzA) in August 2015 has required energy supply companies to present an ISO/IEC 27001 certificate since Jan. 31, 2018, in order to ensure secure network operations. For all other companies, ISMS certification can help them to safely comply with the provisions of the German Federal Data Protection Act (BDSG) or the relevant national data protection legislation. Other benefits include reducing liability risks (and thus insurance premiums) and IT costs, as well as increasing the trust of business partners and customers.

How do I find an ISMS certification body?

Depending on whether you opt for a "simple" certification according to ISO/IEC 27001 or for a certification according to ISO 27001 based on IT-Grundschutz, the requirements placed on the certification body differ. In the latter case, the certification body must have auditors certified by the BSI, and the certificate is also issued by the BSI. In any case, it is worth comparing the hourly rates and other conditions of different ISMS certification bodies. An easy way to obtain comparative quotes from several providers for this purpose is to submit a free request via the online marketplace testxchange.