IT Security - Nov 19, 2021

Information Security Management Systems – A key topic.

Information security and IT security – They’re essentially the same thing, right? Think again. Although both terms are often used interchangeably, there is a wealth of difference between them. IT security describes primarily the handling of technical systems, i.e. hardware and software. Information security on the other hand denotes the entire company including staff, processes and even the building’s architecture, which demonstrates quite clearly that information security is a key topic and it affects every single employee. An Information Security Management System (ISMS) can help to keep an overview of these complicated factors and their interplay.

written by

Head of Data Protection and Data Security

E-Mail: frank.peter@bechtle.com

Senior Consultant Data Protection and Data Security

E-Mail: philipp.schuetz@bechtle.com

An ISMS concept includes all kinds of rules, tools, measures and procedures to preserve the security of important corporate information. A report released by the Federal Office for Information Security (BSI) recently showed how important it is to approach this topic holistically and to not take it too lightly. The talk was of several dynamic cyberattacks on companies and organisations from different sectors across the past few months. The most useful method identified was to “use a management system for information security in accordance with IT standard protection”, as this helps to recognise dangers, reduce risks and significantly improve the standard of information security with the right measures.

The current situation is a reason, but not the sole reason, to devote more time and attention to the topic. Several laws passed in the last years have raised the incentive to act. The IT-Sicherheitsgesetz 2.0 (IT Security Law), for example, that was passed in May 2021, drastically increased the requirements for operating critical infrastructure. These include energy and water providers as well as hospitals, who are obliged in the future to run systems for attack detection. In the meantime, providers and customers are getting up to scratch, too. They now expect business partners to close up existing security gaps.

First steps to an ISMS.

None of this pressure should be required, as it’s in the interest of every CEO and manager to protect the heart of their companies—which in most cases means employees and their data.

One way to establish an ISMS and an overview of the situation is to carry out a risk analysis. This will identify the risks and threats that could potentially become a real danger for the company. The next step is to take a closer look for potential weaknesses. At the same time, the current security measures in place should be documented so that they can be integrated into the larger system and, if required, be modernised. An ISMS is not a revolution, it’s an evolution of company-wide information security.

It’s about recognising what is right and making the change. This can be done in a number of ways. To find the right one, you could carry out a survey of your employees, which will reveal their perspective of the risks at hand. Another way of doing it is to carry out a cyber security check, which will offer a simple introduction to checking out the security levels. In addition, audits and certifications can also help detect and plug up loopholes. As a general rule, external consulting, such as that offered by Bechtle, has the great advantage that a neutral body with a lot of experience and an unbiased view from the outside can often identify security gaps that were difficult to identify internally.

War on silos.

Although a lot of companies have established security measures, these in themselves can cause problems. On the one hand, many of these are no longer up-to-date. Access regulations, for example, are often introduced—but over the years are no longer always meticulously maintained everywhere. On the other hand, companies often introduce new security solutions whenever they need them, leading to a silo scenario instead of a holistic interplay of the different systems. To keep all systems connected and reveal loopholes, an ISMS is absolutely necessary. Just like in football, missing coordination where’s it’s needed most can easily lead to an own goal.

So step up your game. An ISMS increases your information security and saves costs by eliminating redundant procedures. This way, employees receive a fixed set of rules that tells them what is universally accepted and what not. And please, don’t leave the responsibility up to your IT department. It’s up to everyone in the company to secure daily business and privacy. However, the primary responsibility for this lies with the management, which determines the guidelines and sets the framework for an ISMS. We’re happy to help you should you require any assistance. Get in touch to find out more about our many services and solutions relating to information IT security: It-security@bechtle.com.

IT security solutions

Share article

Published on Nov 19, 2021.