What can I understand by ISO 27001

ISO 27001 - Information Security Questions and Answers

What is information security?

The answer to this question is simple in terms of the international family of standards for information security ISO / IEC 2700x:

"Information is data that is of value to the company."

ISO / IEC 27000: Information technology - Security techniques - Information security management systems - Overview and vocabulary

This makes information an economic asset that should not fall into the hands of unauthorized persons and that requires appropriate protection.

Information security is everything that has to do with protecting the company's information assets. The decisive factor here is to be aware of the risks existing in the context of the company or to uncover them and counter them with appropriate, needs-based measures.

"Information security is not IT security."

IT security relates only to the security of the technology used, not to the corporate assets to be protected. Organizational issues such as access authorizations, responsibilities and approval procedures, as well as psychological aspects, also play an important role in information security. Secure IT does, however, also protect the company's information.

What are the protection goals of information security?

According to the international standard ISO 27001, the protection goals of information security comprise three main aspects:

  • Confidentiality - protection of confidential information from unauthorized access, whether for data protection reasons or because of trade secrets that fall under the Trade Secrets Act. The required level of confidentiality is what matters here.
  • Integrity - minimizing all risks and ensuring the completeness and reliability of all data and information.
  • Availability - ensuring that authorized users can access and use information, buildings and systems. This is essential for keeping processes running.

Central questions about information security

  • What are my company's assets?
  • Which corporate assets need to be protected?
  • What attacks are these corporate assets exposed to?
  • Who is interested in protecting this information?
  • What are appropriate measures?

What is an information security management system?

An information security management system (ISMS) according to DIN ISO / IEC 27001 defines guidelines, rules and methods to ensure the security of sensitive information in a company. It provides a model for introducing, implementing, monitoring and improving the level of protection, following the systematic PDCA cycle (Plan-Do-Check-Act) known from ISO 9001. The aim is to identify and analyze possible risks to the company and to make them manageable by means of suitable measures.

Why is an ISMS important?

Successful companies use the structure and transparency of modern management systems to uncover threats and to control the use of modern security systems in a targeted manner. The focus of an information security management system is the security of your own information assets, such as intellectual property, financial and personal data, as well as information that has been entrusted to you by customers or third parties.

"Information security always means protecting important information or data of value."

The risks to which sensitive data is exposed are manifold. They can arise from physical, human and technical security threats. But only a holistic, preventive management system approach of an ISMS can do justice to the entire spectrum of risks and secure the business continuity of a company.

For which company does ISO 27001 make sense?

The answer to the question for which company ISO 27001 makes sense is: for everyone! In principle, the standard can be used in all companies, regardless of their type, size and industry. All organizations benefit from the advantages of a structured management system. The implementation of the ISMS is influenced by the following factors:

  • the requirements and corporate goals
  • the need for security
  • the business processes used
  • the company size and structure

What are the advantages of an ISMS?

An important question about ISO 27001! The standard formulates the requirements for the systematic structure and implementation of a process-oriented management system for information security. With this holistic approach, companies achieve decisive advantages:

  • the security of sensitive information becomes an integral part of corporate processes
  • preventive safeguarding of the protection goals of confidentiality, availability and integrity of information
  • maintaining business continuity by continuously improving the level of security
  • sensitization of employees and a much stronger security awareness at all company levels
  • establishing an effective risk management process
  • building trust towards interested parties (e.g. in the case of tenders) through demonstrably secure handling of sensitive information
  • compliance with relevant compliance requirements, and greater operational and legal certainty

How can possible risks be handled?

Security risks can arise from material, human and technical threats. In order to achieve a comprehensible and appropriate level of security in the company, a defined risk management process or a corresponding method for risk assessment, treatment and monitoring is required. ISO / IEC 27005 provides good guidance on information security risk management.

What is the role of the human being?

Humans are also a risk factor: the handling of sensitive information affects all employees and partners of a company without exception. They also pose an increased security risk, whether through human error or ignorance. Yet only very few companies regulate who is allowed access to which information and how it is to be handled.

"The new source of power is no longer money in the hands of a few, but information in the hands of many."

John Naisbitt (born 1929), American futurologist

Binding regulations and a pronounced awareness of all information security issues are therefore a basic requirement. The adaptation of the company policy and the development of a suitable information security policy are considered essential here. The necessary sensitization of employees at all (management) levels is a top priority and can take place, for example, through training courses, workshops or personal discussions.

ISO 27001 Introductory Questions

The question of whether a company must already have introduced a management system, e.g. according to ISO 9001, can be answered clearly with "no". Like all management system standards, DIN ISO 27001 stands on its own. This means that a company can set up and implement an ISMS at any time, independently of existing structures. Nevertheless, companies that have a quality management system in accordance with ISO 9001 have already created a good basis for a step-by-step introduction of comprehensive information security.

However, the structure and approach of ISO 27001 follow the High Level Structure, the binding basic structure for all process-oriented management system standards. This makes it easy to integrate an information security management system into an existing management system. DQS also offers joint certification of ISO 27001 together with ISO 20000-1 (IT Service Management) or ISO 22301 (Business Continuity Management).

Which documents can help with the introduction?

The preferred basis for introducing a holistic management system for information security (ISMS) is the international family of standards ISO / IEC 2700x. It is intended to support companies of all types and sizes in implementing and operating an ISMS. Important components of the standard series are:

  • DIN EN ISO / IEC 27000: 2020-06: Information technology - Security techniques - Information security management systems - Overview and vocabulary
  • DIN EN ISO / IEC 27001: 2017-06: Information technology - Security techniques - Information security management systems - Requirements
  • DIN EN ISO / IEC 27002: 2017-06: Information technology - Security techniques - Code of practice for information security controls
  • ISO / IEC 27003: 2017-03: Information technology - Security techniques - Information security management systems - Guidance
  • ISO / IEC 27004-18: Information technology - Security techniques - Information security management - Monitoring, measurement, analysis and evaluation
  • ISO / IEC 27005: 2018-07: Information technology - Security techniques - Information security risk management

The series of standards is available from Beuth Verlag.

ISO 27001 - Questions about the IT security officer

Does ISO 27001 require an IT security officer? The answer is "yes": one of the tasks within the ISMS is the appointment of an IT security officer by top management. The IT security officer is the contact person for all IT security questions. They should be integrated into the ISMS process and work closely with the IT managers on tasks such as the selection of new IT components and applications.

Why ISO 27001 Certification?

Certification on the basis of an accredited procedure is proof that a management system and measures have been implemented to systematically protect the information assets of a company. With the certificate you show "in black and white" that you have successfully built this system and are committed to its continuous improvement. The globally valued DQS certificate is the visible expression of a neutral assessment and strengthens trust in your company. This is a market advantage and offers a good basis for tenders and security-critical customer transactions, for example with financial service providers.

ISO 27001 - Questions about the certification process

All management systems that are assessed on the basis of international rules (ISO / IEC 17021) by an accredited certifier such as DQS are subject to the same certification procedure.

The initial certification consists of the system analysis (Stage 1) and the system audit (Stage 2), during which the on-site auditors satisfy themselves that the overall system functions and that all requirements of the standard have been implemented. The certificate is valid for 3 years. To remain valid during that term, however, it must be verified annually. In the first and second year after the certificate has been issued, the DQS auditors therefore carry out shortened surveillance audits in which they examine, for example, the effectiveness of essential system components or corrective and preventive measures. Recertification takes place after three years.

Companies that already have an existing management system in place should pool their audit programs and strive for joint certification of their integrated management system (IMS).

Is matrix certification possible?

Matrix certification is possible for companies with multiple locations. In principle, the same requirements apply to ISO 27001 as to other ISO regulations such as ISO 9001 or ISO 14001. Integration of ISO 27001 into existing matrix processes, i.e. joint external auditing with the other ISO regulations, can be guaranteed by DQS.

What are the advantages of ISO 27001 over ISIS12?

Even small and medium-sized companies as well as public administrations can hardly do without adequate protection of their corporate assets. With ISIS12, an information security management system in 12 steps, this need can be met comparatively easily. ISIS12 is a good choice for taking your first steps towards information security, provided that the existing organizational structures as well as the information and data situation are not too complex. Otherwise, a full ISMS according to ISO 27001 will undoubtedly be necessary to ensure sufficient information security.

What are the advantages of ISO 27001 over TISAX?

TISAX® (Trusted Information Security Assessment Exchange) was developed as an industry standard specifically for the automotive industry and tailored to industry-specific needs. The basis for a TISAX® assessment is the test catalog VDA Information Security Assessment (VDA ISA), which is based on the requirements of ISO 27001 or ISO 27002 and extends them to include topics such as prototype protection or data protection.

The aim of TISAX® is to guarantee comprehensive (information) security for all stages in the supply chain. In addition, the mutual recognition procedure is simplified by registering in a database. However, TISAX® is only recognized in the automotive industry. Customers from other industries may only recognize ISO 27001 as proof of an ISMS.

What can we do for you?

DQS is your specialist for audits and certifications of management systems and processes. With 35 years of experience and the know-how of 2,500 auditors worldwide, we are your competent certification partner and provide answers to all ISO 27001 questions.

We audit according to around 100 recognized standards and regulations as well as company- and association-specific standards. In December 2000 we became the first German certification body to receive accreditation for BS 7799-2, the forerunner of DIN ISO / IEC 27001. This expertise remains an expression of our global success story today. Do you have any questions for the author? We look forward to a message from you at: [email protected]