Information security management - turning good intentions into added value
As the significance of IT for business transactions and for the fulfilment of public tasks continues to grow, there is an increasing need, and in some cases an explicit compliance requirement, to protect technical and IT resources against prohibited or inappropriate use, misuse, loss, disclosure, destruction or manipulation. Information security is therefore increasingly seen as an integral component of a company's business policy, or of the fulfilment of tasks in authorities operating under public law.
To ensure that information security is more than a good intention, the many processes and activities associated with the risks that businesses, authorities and other institutions face must be identified and managed. Setting up an information security management system (ISMS) is a proven way of doing this. It is used to initiate, implement, monitor, review and, above all, improve information security measures. At a later stage of maturity, such a management system can even make information security measurable and comparable.
Standards such as ISO/IEC 27001:2013 at the international level, and ISO 27001 based on the BSI's basic principles for IT protection at the national level, provide a sound foundation for setting up and operating an information security management system. In a pragmatic approach, aligning with one of these standards results in a suitable and effective structure. If necessary, e.g. because of customer or supplier requirements, you also have the option of having your company, authority or institution certified against these standards. In this way you can demonstrate that your information security management system is functioning properly.