Information security management: The modular system for protection of sensitive data
All advantages for your information security management system at a glance
Competent and individual: With many years of experience, our IT security consultants, certified auditors and auditors support you in achieving your specific security goals.
Our "secuCheck" enables you to take the first, effortless step towards gaining a comprehensive overview of the current status of information security and supports you in taking further action.
Even if you already operate an ISMS based on earlier IT-Grundschutz catalogs, we will support you in migrating to the new BSI building block model
We enable certification according to ISO 27001 on the basis of IT-Grundschutz. With this recognized certificate, you can prove a functioning ISMS and thus have one of the most valuable security seals in Germany.
An ISMS can only function if employees are appropriately sensitized to information security. For this purpose, we also conduct trainings as well as events for your selected target groups.
ISMS according to IT-Grundschutz (IT baseline protection) of the BSI
Nowadays, data is processed electronically in almost every organization. Sensitive information in particular requires special protection. Legal requirements, for example in the handling of personnel data, or compliance requirements must often be observed.
That is why a reliable and permanently functioning ISMS is increasingly becoming an important success factor. It is not just valuable government and corporate data that is at stake: Citizens, customers, partners, suppliers and government bodies also demand optimal data protection and early risk detection through security concepts. The German Federal Office for Information Security (BSI) developed the IT-Grundschutz for this purpose.
That is why a reliable and permanently functioning ISMS is increasingly becoming an important success factor. This is not only about valuable public authority and company data: Citizens, customers, partners, suppliers and government bodies also demand optimal data protection and early risk detection through security concepts. The Federal Office for Information Security (BSI) has developed the IT-Grundschutz for this purpose.
IT-Grundschutz makes it possible to identify and implement necessary security measures through a systematic approach. At the same time, it remains flexible due to its modular system and can be individually adapted to each organisation.
BSI's IT-Grundschutz is compatible with the ISO 27001 standard and is therefore also enjoys an international reputation.
We support you in every phase of the set-up process - for example:
- Selection and delimitation of the IT network
- Determination of the need for protection
- Risk analysis
- Definition of measures
It is important to us to specifically determine the needs of your organisation in order to achieve an optimal and cost-efficient solution through the security concept. Therefore, we use our many years of experience to support you in achieving your individual security goals.
ISMS according to ISO 27001
Information Security Management according to ISO/IEC 27001:2013
In every company or organization, there is information that must be protected against misuse, loss, disclosure, destruction and manipulation. In addition to personal data, this also includes business and trade secrets. The confidentiality, availability and integrity of this information is also of particular importance in the interests of customers, business partners and employees.
For more and more companies and organizations, information security has therefore become an integral part of business policy and an indispensable success factor.
The international standard ISO/IEC 27001:2013
In order to initiate, implement, monitor, review and, above all, improve information security measures, establishing an information security management system (ISMS) based on the international standard ISO/IEC 27001:2013 is a proven option. This management system can be operated together with already existing management systems, e.g. according to ISO 14001, ISO 9001 or ISO/IEC 20000, and make information security measurable and comparable in a later expansion stage.
With us as your partner: Go from being driven to being driven
For us, it is irrelevant whether your company or organization "only" wants to follow the ISO/IEC 27001:2013 standard or whether you are aiming for corporate certification and thus strict application of the standard: We offer solutions tailored to your needs that provide you with a foundation for actively managing information security risks.
Our basic analysis of information security, for example, provides you with an inventory of the current level of security. Guided interviews are used to examine the topics of organization, risk management, emergency management, employee awareness, physical security, IT service management, IT security and compliance.
The evaluation takes the form of a report using graphs and includes suggested measures for improving your security level.
In order to uncover technical weaknesses in addition to organizational improvement potential, our basic information security analysis can be combined with a technical security analysis (penetration test).
Information security check
With our information security check according to ISO/IEC 27001:2013, we offer customers who are seeking or already have corporate certification according to this standard both an evaluation of their information security management system (ISMS) and a review of the implementation of the action objectives and measures from Annex A. We take a modular approach so that we can identify potential for organizational improvement as well as technical vulnerabilities (penetration test). We take a modular approach so that we can offer you both parts of the information security check independently of each other and also individually if required.
Details on beneficial aspects of the ISMS
Anyone who has the task of advancing their own institution's information security often faces the challenge of taking the first step. That's why secunet has developed the "secuCheck" based on the BSI's IS short audit. This enables you to take the first, effortless step of gaining a comprehensive overview of the current status of information security and supports you in proceeding further.
Many ministries and subordinate authorities have already entered the subject of ISMS together with us. The standardized methodology is based on a uniform catalog of questions based on the requirements of IT-Grundschutz. The status of information security is assessed in two days in the form of interviews and site inspections. Audit topics can be expanded, adapted or deepened to meet your specific requirements.
No special prerequisites are necessary for the short revision - a security concept or a fully implemented security management system do not yet have to be in place. According to the BSI building block model (formerly layer model), all areas of your organization are considered.
Due to the high standardization of the contents and the process, results can be compared in repeated audits. In a final audit report, we not only present the safety deficiencies, but also already provide recommendations for measures that can be implemented quickly and effectively.
When the ISMS has reached an advanced level of maturity, you can continue to strive for certification in accordance with the ISO 27001 standard based on IT baseline protection. With this recognized certificate, you can demonstrate a functioning ISMS and thus have one of the most valuable security seals in Germany. In this way, you show citizens, customers and business partners that you attach great importance to IT security. You benefit from a sustainable, high level of security that protects against current threats and minimizes the resulting risks.
Our experienced consultants, accredited auditors and auditors will support you in preparing for certification - if desired, also during the audit itself. If you are not sure whether you meet all the requirements for certification, we will check them as part of an internal pre-audit. This way you are successfully prepared for the actual certification. If you do not need an ISO 27001 certificate based on IT baseline protection in the first step, we also offer audits to acquire "beginner" certificates with a one or two-year term.
ISO 27001 certifications based on IT baseline protection have a term of up to three years. After that, re-certification takes place. To ensure that you continue to be certified, we support you during the annual surveillance audits. For this purpose, we accompany you at an early stage in the planning and handling of changes in the certification network and support you in eliminating identified deficiencies.
In the fall of 2017, the BSI fundamentally modernized IT baseline protection. The previous IT baseline protection catalogs were converted to the new IT baseline protection compendium. The changes have been mandatory for certifications since September 2018. To ensure that your ISMS continues to be based on the latest standards, we provide comprehensive support for migration to the new building block model.
We also advise and support you in transferring the data from GSTOOL, the old database application for creating security concepts according to IT baseline protection, to the HiScout application. In addition, we offer training and support during the introduction of HiScout.
An ISMS can only function if employees are appropriately trained or sensitized to the topic of information security. To this end, we also conduct training courses and events for your selected target groups - whether for new or all employees, managers, administrators or IT specialists. In addition, we offer the conception and implementation of further awareness measures: Our tools range from awareness flyers and concepts to creative topic immersion and live hacking shows.
Security concepts are an essential basis for defining, prioritizing and implementing security requirements for systems or processes. Thus, they are a crucial part of an ISMS. Not only IT-based values are considered: A security concept sets security goals for an environment, which are derived from the risks and the protection needs of the information. We then develop appropriate measures to achieve these goals. A security concept can also cover only parts of the IT infrastructure.
We support you both in the creation of generalized security concepts for your entire IT landscape and in the development of system- or application-specific detailed concepts. The basis for this is the IT baseline protection methodology of the BSI.
Send us an inquiry via the contact form. We will be happy to help.