Today, information security is essential for organizations of all types and sizes. The confidentiality, integrity, and availability of information have become strategic success factors for winning the trust of customers, business partners, and the public.
Managing these areas is part of the daily routine of every SME, and IT and security-related problems are firmly on the agenda. These problems range from forgotten passwords to cyberattacks. We explain how to approach them systematically and show where certification according to the information security standard ISO/IEC 27001 comes into play.
In this short article, you can find out exactly what this certification entails and what advantages it can offer you.
What Is an ISO 27001 Certification?
ISO/IEC 27001:2013 is the internationally recognized standard for the certification of information security management systems (ISMS). Its goal is to protect information on the basis of an analysis of the business risks to its confidentiality, integrity, and availability.
ISO/IEC 27001:2013 does not prescribe specific business processes. Instead, it specifies the requirements for the management system and the measures (controls) that an organization selects and implements, based on its risk assessment, to ensure information security.
What Does This Mean With Regard To Dinotronic, And What Are the Advantages For Our Customers?
Organizations that have successfully implemented ISO/IEC 27001 benefit from:
- Optimal use of resources to protect information
- Clearly identified business risks and security requirements
- Reduced liability risks for the board of directors and the executive committee
- Controlled handling of the top risks
- Systematically ensured availability and integrity of information
- Increased trust among customers and business partners
- Sustainable protection of the company's value
- Security awareness among all employees
There Is an Annual Audit To Maintain ISO Certifications: What Is Audited And By Whom?
Certification follows a three-year cycle. Within these three years, we have to prove the effectiveness of our information security management system (ISMS) using predefined controls, internal and external audits, and a management review. The external auditor returns for a surveillance audit each year; nonconformities against the defined controls are recorded in writing and must be addressed within a defined period during that audit year. After three years, recertification takes place, where not only the effectiveness of individual subsystems is examined in detail, but the entire system is audited again.
The ISMS combines organizational and technical measures that enable the systematic detection and handling of information security issues.
The audits are carried out internally by auditors appointed from within the company and externally by representatives of the Swiss Safety Center (https://www.safetycenter.ch/zertifizierung/systeme-produkte/normen-standards/iso-27001).
The following image illustrates our process over the last three years:
Our Conclusion
Dinotronic AG has taken a significant step forward in professionalizing its information security over the last three years. Before that, many issues were resolved informally and depended heavily on individuals. The ISO certification, together with the resulting ISMS, allows us to distribute the workload and to implement measures across the organization instead of case by case.
For us, the big challenge has always been to balance the sustainability of the measures against the organization's many requirements. That meant we did not simply adopt a standardized set of measures, but were able to meet these challenges with the resources of a medium-sized company.