Corporate Information Security: Definition, actions & objectives, ISMS, CISO, ISO/IEC 27001, TISAX …

Corporate Information Security ISEGRIM X

What is Information Security?

Besides your employees, information is the most valuable asset of your company. Protecting information and handling it confidentially is therefore essential for business success, regardless of company size and industry. Especially in the current geopolitical situation, in which cyber attacks accompany armed conflict, companies and organizations are realizing that they urgently need to act and improve their information security.

In this article, you will learn why you should be concerned with the topic of information security, what goals and actions might be important for you, and how you can best proceed to ensure or optimize your corporate information security.

Definition of Information Security

Information security pursues three overriding protection objectives:
1. Confidentiality of Information
2. Integrity of Information
3. Availability of Information

Since information is stored, processed and transmitted by both technical and non-technical systems and processes, the security properties of those systems and processes are a central aspect of information security. Suitable measures are used to review them against the protection objectives and to improve them continuously.

The intention is to protect sensitive corporate information against threats, to avoid economic damage and to minimize risks. Thus, only authorized users should be granted access to data, while it should be protected from unauthorized and uncontrolled access.

Information in the context of technical and non-technical systems and processes

Technical systems usually mean the entire ICT infrastructure (information and communications technology): networks, servers, end devices and the applications running on them. Non-technical systems include, for example, rooms containing confidential material (such as the HR department or other paper archives), the company premises, and the handling of information in the minds and conversations of company members.

Both types are equally relevant for information security. To ensure an appropriate level of security, it is necessary for all areas in the company to contribute.

Information Security Guideline

In Germany, corporate information security is usually guided by two standards:

  1. IT-Grundschutz (IT baseline protection) of the Federal Office for Information Security (BSI)
  2. the international ISO/IEC 27001 standard

In the context of growing digitization and its dangers, both standards are more important than ever before. Among other things, both guidelines are used for the implementation and sustainable establishment of an information security management system (ISMS), thereby achieving effective information security management (more on this later in this article).

Below we explain where the differences between IT-Grundschutz and the ISO/IEC 27001 standard lie.

IT-Grundschutz

IT-Grundschutz is a methodology and catalog of measures developed by the German Federal Office for Information Security (BSI). It helps organizations identify and implement protective measures for their IT. The IT-Grundschutz Compendium describes, per module, the relevant threats and the specific requirements that counter them, and it goes into far more technical detail about IT systems than ISO/IEC 27001 does, which leaves the choice of concrete measures to the organization's own risk assessment. IT-Grundschutz is especially suitable for companies and critical infrastructures that work with highly sensitive data.

However, IT-Grundschutz is mainly known and recognized in Germany. If you need an internationally recognized certification of your information security, ISO/IEC 27001 certification is usually the better option (the BSI also issues ISO 27001 certificates on the basis of IT-Grundschutz, which combines both).

The ISO/IEC 27001 Standard

With a certification according to ISO/IEC 27001, which is currently the “state of the art” in an international context, a company can prove that it proactively protects itself against information security threats and that it meets recognized information security standards. ISO/IEC 27001 is especially suitable for SMEs, as it is easily scalable and adaptable to the size and capabilities of a company.

ISO/IEC 27001 follows the harmonized structure shared by other ISO management system standards and can therefore be integrated into existing management systems and processes, e.g. ISO 9001 (quality), ISO 14001 (environment) or ISO 50001 (energy).

IT-Grundschutz

  • National standard of the German Federal Office for Information Security (BSI)
  • Applicable to all companies and institutions, but especially to governmental institutions, IT service providers and KRITIS operators (critical infrastructure)
  • Suitable for companies and institutions that work with highly sensitive data

ISO/IEC 27001 Standard

  • International standard
  • Applicable to all companies, because it is easily scalable and adaptable to company size and industry
  • Accepted worldwide, for all protection levels

TISAX® in the automotive industry

TISAX® certification will be on the to-do list of many automotive suppliers and service providers by 2023, if not before. TISAX® (Trusted Information Security Assessment Exchange) is an assessment and exchange mechanism operated by the ENX Association; its requirements catalog, the VDA ISA, is derived from ISO/IEC 27001. The TISAX® label demonstrates to automotive manufacturers that a company attaches importance to a high level of information security and that its security level complies with the TISAX® requirements.

Protective Goals of Information Security

The objectives of information security include the assurance of…

  • Confidentiality of Information
  • Integrity of Information 
  • Availability of Information

“C.I.A. triad” is often used as an abbreviation for the three protection goals. But be careful: this abbreviation has nothing to do with the US intelligence agency.

Confidentiality

To ensure the confidentiality of information, only authorized users may have access to it, and only they may view, process or edit it. It must therefore be precisely defined who should and may have access to which data. In practice this is the need-to-know principle: access rights are granted per role and task, not company-wide. Unauthorized access or unauthorized processing by third parties must be prevented at all costs.

Integrity

Integrity requires the accuracy and completeness of information and of its processing methods. Unnoticed changes to information must be prevented, or any change that is made must be traceable. These requirements also apply during data transmission. Technically, unnoticed changes are detected with cryptographic checksums, message authentication codes or digital signatures, while logging and versioning make authorized changes traceable.
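The detection side of integrity, as an added example that is not part of the original article: a record protected by an unkeyed checksum versus one protected by a keyed message authentication code (HMAC-SHA256). The invoice record, the field names and the key handling are constructed for this example; the shared key is generated at import time only so that the script runs stand-alone.

```python
import hashlib
import hmac
import json
import secrets

# Shared secret between sender and receiver. Assumption for this example:
# generated at import time so the script runs stand-alone. In production the
# key comes from a key management system or HSM, never from source code.
SECRET_KEY = secrets.token_bytes(32)


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically (sorted keys, no whitespace).

    Sender and receiver must tag exactly the same bytes, otherwise a harmless
    re-serialization would look like tampering.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum_record(record: dict) -> dict:
    """Unkeyed SHA-256 checksum: detects accidental corruption only."""
    body = {k: v for k, v in record.items() if k != "checksum"}
    digest = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return {**body, "checksum": digest}


def verify_checksum(record: dict) -> bool:
    """True if the stored checksum matches the record's current content."""
    body = {k: v for k, v in record.items() if k != "checksum"}
    expected = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return record.get("checksum") == expected


def tag_record(record: dict, key: bytes = SECRET_KEY) -> dict:
    """Keyed HMAC-SHA256 tag: detects accidental AND deliberate changes,
    because an attacker without the key cannot compute a valid tag."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_record(record: dict, key: bytes = SECRET_KEY) -> bool:
    """True only if the tag matches the record's current content."""
    tag = record.get("tag")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain `==` leaks, via timing, how many
    # leading characters of a guessed tag are correct.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Constructed payment instruction: an attacker on the transmission path
    swaps the IBAN. Returns the verdicts so they can be checked."""
    invoice = {"invoice": 4711, "amount_cents": 125000, "iban": "DE00000000000000000000"}

    # Unkeyed checksum: the attacker simply recomputes it after the change.
    with_checksum = checksum_record(invoice)
    forged = checksum_record({**with_checksum, "iban": "DE99999999999999999999"})

    # HMAC tag: the change is detected, and the attacker cannot re-tag.
    with_tag = tag_record(invoice)
    tampered = {**with_tag, "iban": "DE99999999999999999999"}
    retagged_without_key = tag_record(tampered, key=b"attacker-guess")

    return {
        "checksum_forgery_passes": verify_checksum(forged),  # True (weakness)
        "hmac_tampered_detected": not verify_record(tampered),  # True
        "hmac_retag_detected": not verify_record(retagged_without_key),  # True
        "hmac_genuine_ok": verify_record(with_tag),  # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The unkeyed checksum only catches accidental corruption: whoever can change the data can recompute the checksum. The HMAC makes any change by a party without the key detectable, which is what the protection goal demands during transmission and storage; logging or versioning is still needed to trace who made an authorized change.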

Availability

Availability means, on the one hand, that information can be accessed whenever it is needed and, on the other hand, that system failures are prevented or at least minimized. Above all, the essential business processes must be protected against outages. The best approach is a risk analysis that runs through failure scenarios: how likely is an outage, how long would the downtime be, and what damage would result. The maximum downtime a process can tolerate then defines how quickly it must be restored.

Regularly tested data backups ensure availability even in the emergency of a failure; a backup whose restore has never been rehearsed is not a backup. The backup media must be stored in a separate, particularly fail-safe location, e.g. fire- and waterproof, and at least one copy should be offline or otherwise write-protected so that a ransomware attack cannot encrypt the backups along with the production data.

Further protective goals of Information Security

In addition to the three basic protection goals, there are further goals such as …

  • the reliability of information and of the systems that process it,
  • the authenticity of information (proof that it really comes from the stated source),
  • as well as accountability: every action on information can be clearly attributed to a person or system and cannot be denied afterwards.

A particular protection goal in terms of the General Data Protection Regulation (GDPR), named alongside confidentiality, integrity and availability in Article 32, is the resilience of processing systems and services: their resistance to spying, accidental or deliberate interference, or intentional damage (sabotage).

But what concrete actions do exist to ensure that all these goals can be achieved?

Measures and actions for better Information Security

In order to achieve the protection objectives of information security and to maintain them in the long term, various measures must be pursued. These technical and organizational (non-technical) measures form part of a fully integrated security concept that a company must develop and then implement. Management itself is responsible for this process, but can delegate the individual information security tasks to specific units.

The focus is on the implementation of an information security management system (ISMS). An ISMS can be seen as a core component that can serve as a methodological basis for other security procedures and standards.

Information Security Management System (ISMS)

Definition of ISMS

Information security requires an ongoing management process, and an ISMS makes this possible. An ISMS is the set of policies, responsibilities, processes and controls with which an organization establishes, operates, monitors, reviews, maintains and improves its information security, typically in a plan-do-check-act cycle: risks are assessed, measures are selected and implemented, their effectiveness is checked, and the results feed back into the next cycle.

Certification according to ISO/IEC 27001 provides objective proof, also towards your business partners, that you have implemented such an ISMS. Many companies have found this to be of considerable benefit.

Certification according to ISO/IEC 27001

In addition to the general guidelines, ISO/IEC 27001 also addresses individual factors and risks within companies. The standard guides organizations in developing a culture and goals for the management of information security.

Information forms a large part of a company's value and thus has a significant influence on its success. It is an intangible corporate asset.

Advantages of an ISO 27001 certified ISMS

It is important that you strive for continuous security; information security is not static. Self-monitoring and continuous improvement create lasting security that adapts to current requirements. A good example is the increasing frequency of hacker attacks that the Russia-Ukraine conflict has brought with it.

There are specific roles that pursue the goals of information security, including physical security, data protection and IT security in companies.

Job profiles in IT and Information Security

The Chief Information Security Officer (CISO) – or just Information Security Officer (ISO) – is distinct from the Chief Information Officer (CIO) and the Chief Security Officer (CSO).

Definitions and differences

A CIO develops the company's overall IT strategy and ensures that all the systems needed to run the business are working. The CIO ensures that goals are met and that the greatest possible value is added to the business.

  • Establishing goals and strategies for the IT department
  • Selecting and implementing appropriate technologies to streamline all internal operations and optimize their strategic value
  • Planning and adapting technological systems and platforms to improve the customer experience
  • Leading and developing the team in the IT department

The CSO is responsible for corporate security. His main task is to ensure physical and technological stability. This includes the security of data, intellectual property, physical assets and the protection of employees.

  • Leading the company’s risk control activities
  • Managing and executing security protocols, specifications, policies, and procedures
  • Overseeing the network of security managers and contractors to secure the company’s intellectual property and database infrastructure
  • Coordinating external contractors to conduct impartial compliance audits
  • Maintaining relationships with local, state, and federal law enforcement agencies and all relevant governmental entities
  • Investigating, overseeing, and responding to security incidents

The main task of a CISO / ISO is to track and assess the potential threats to which a company is exposed. He thus organizes, develops and monitors all concrete information security activities within the organization.

  • Protecting and maintaining information and data security
  • Threat and compliance management
  • Disaster recovery and business continuity maintenance
  • Identity and access management
  • Security architecture
  • Regulatory compliance of information handling, e.g. in financial systems
  • Cyber Security

Is an ISO mandatory? Who can become an ISO?

In the context of digitization, the role of the information security officer / CISO has gained immense importance. However, there is no general legal obligation for companies to designate an ISO. The exception are companies or institutions that count as so-called critical infrastructures.

“Critical infrastructures (KRITIS) are organizations or facilities of critical importance to the governmental community, the failure or impairment of which would result in sustained supply shortages, significant disruptions to public safety, or other dramatic consequences.” (KRITIS definition of the German federal ministries)

When an ISO is to be designated, some companies want an internal employee to take on this position. However, it is very important that there is no conflict of interest, which is why neither a member of management nor the head of the IT department should take on the role of the ISO: the ISO has to monitor and, where necessary, challenge exactly those functions. Appointing an external ISO is therefore often a good solution.

Summary: Relevance of Information Security

With advancing digitization, opportunities are growing just as much as potential dangers. Information security should be given a high priority – especially in the economic environment, because business success depends on the security of your information.

With appropriate actions, companies can actively protect themselves against threats, minimize risks and avoid economic damage. Particularly worth mentioning here is the implementation of an ISO/IEC 27001 certified information security management system (ISMS).

In addition, companies that fail to comply with the legal requirements of the GDPR or, for KRITIS operators, with the obligations of the BSI Act may face heavy fines. A proactive investment in your information security makes sense in any case: not only to protect yourself, but also to raise the awareness of your employees, customers, business partners and suppliers.

Definition of the technical terms

IT security, data protection and information security are often used synonymously. However, there are crucial differences, which is why the terms should not be used as synonyms.

IT security can be understood as a partial aspect of information security. The term IT security means protection of data and information that is stored and processed electronically – i.e., in IT systems.

While IT security refers to the protection of technical systems, information security is about protecting information in general. This is because information exists not only in technical systems, but also in paper archives or in the heads of employees. It also includes securing the company premises.

Information security is thus the broader term and includes IT security as one of its components.

Data protection means the protection of personal data. This includes, for example, name, address, telephone number, social security number, etc. All data that can be directly related to a person.

Data protection is not about the content of the data itself, but about the right to process this information. With the GDPR, which has applied throughout the European Union since May 2018, the legal requirements were harmonized and significantly tightened. The GDPR regulates the conditions under which personal data may be collected, processed or used. Its aim is to protect the privacy of each individual by guaranteeing informational self-determination.

Just like IT security, data protection is also a subarea of information security.