Nowadays, information security is essential for organizations of all types and sizes. Confidentiality, integrity, and availability of information have become strategic success factors when it comes to the trust of customers, business partners, and the public.
The management of these areas is part of the daily routine of every SME, with IT and security-related problems also firmly on the agenda. These problems range from forgotten passwords to cyberattacks. We explain how to take a systematic approach to them and show you where a certification according to the information security standard ISO/IEC 27001 comes into play.
In this short article, you can find out exactly what this certification entails and what advantages it can offer you.
ISO/IEC 27001:2013 is the globally applied standard for the certification of information security management systems. The goal is to protect the information based on an analysis of the business risks regarding confidentiality, integrity, and availability.
However, ISO/IEC 27001:2013 does not cover concrete business processes but rather the measures to ensure information security.
Organizations that have successfully implemented ISO/IEC 27001 benefit from:
The certification is mapped as a three-year process. Within these three years, we have to prove the effectiveness of our information security management system (ISMS) using predefined controls, internal and external audits, and a management review. Deviations from defined controls are recorded in writing and must be addressed within a defined period during the review year. After three years, recertification takes place, where not only the effectiveness of subsystems is examined in detail, but the entire system is audited again.
The ISMS combines organizational and technical measures that enable the systematic detection of information-security-related issues.
The audit is carried out internally by various self-appointed auditors and externally by representatives of the Swiss Safety Center (https://www.safetycenter.ch/zertifizierung/systeme-produkte/normen-standards/iso-27001).
The following image explains our process based on the last three years:
Dinotronic AG has made a significant step forward in professionalizing information security over the last three years. Before that, many issues were solved informally and depended heavily on individuals. The ISO certification, together with the resulting ISMS, allows us to share the workload and to implement measures across the organization.
For us, the big challenge has always been to balance the sustainability of the measures with the organization's many requirements. This meant that we did not simply adopt a standardized set of measures but were able to face these challenges with the means of a medium-sized company.