Security of Information Management


Information security not only according to ISO/IEC 27001

We are aware of the value of information and we want to help manage its security effectively.

We need help with implementing an information security management system according to ISO/IEC 27001 and with preparing for certification against this standard.

We do not have a suitable employee for the role of internal auditor according to ISO/IEC 27001, or it is not worth hiring someone for this activity.

ISMS

A documented ISMS (Information Security Management System) is a system that protects selected information assets by analysing the risks to them and then implementing measures whose effectiveness is continuously monitored. It may sound complicated, but such a system suits every organization that works with information systems, or with information in general, in any way. That is, everyone. An ISMS can be used both by a company with a handful of employees and by a multinational corporation. Large companies typically already have such a system in place, while small ones often do not place enough emphasis on information security and begin to address it only once it has been compromised. Yet information is often the most valuable asset a company has.

What if I don't want a certificate

There are a number of reasons to complete an ISMS implementation with certification: prestige, partner requirements or company policy. Certification is, however, by no means mandatory. For many companies the essence of the ISMS is what matters: the awareness that they hold assets of a certain value and take care of their security. They do not need a certificate to confirm this. In many cases an ISMS implemented without the certification goal is more natural for the organization and is adopted better and faster. We are ready to cooperate with you on any project, whether its goal is certification according to ISO/IEC 27001 or "just" the implementation of basic information security rules and procedures.

Implementation of an ISMS according to ISO/IEC 27001 with subsequent certification

If you decide to implement an information security management system in order to obtain certification according to ISO/IEC 27001, we are ready to help you in all phases of implementation and certification. The initial step is a short comparative (gap) analysis, from which we determine the organization's current readiness and estimate the complexity of the whole project in your specific case.

The first phase of the process consists of mapping the organization's processes. This step is necessary so that we can jointly determine in which parts of the organization the ISMS will be implemented and certified. In addition, the output of this phase is useful for the further management of the organization in general: it very often reveals weaknesses in management that the organization's leadership can address regardless of the ISMS.

In the second step, the organization's information assets are mapped. Based on the knowledge of processes and assets, a risk analysis can then be developed. This in turn serves as the input for the design of measures that will reduce those risks to an acceptable level.

We will help you prepare all the documentation, both the mandatory documents required for successful certification and the optional ones that help you apply the principles of the ISMS in the everyday life of the organization. Employee training is provided as a matter of course wherever it proves necessary.

In the last phase, we will help you prepare for the certification audit and support you during it. After you have successfully obtained the ISO/IEC 27001 certificate, we are ready to help you meet the ongoing requirements of continual improvement, nonconformity management and implementation of corrective measures.


ISMS internal auditor and ISMS manager

Both roles are key to a certified information security management system: ISO/IEC 27001 requires regular internal audits and clearly assigned responsibility for the ISMS. Our experts hold the appropriate qualifications and continue to educate themselves in the field. We will be happy to offer their skills and experience to you by outsourcing these key roles.

Having the required internal audit performed by an external auditor brings the organization a number of benefits. The most important is an objective view of the state of the ISMS in the organization. This is essential for the correct and timely adoption of corrective measures for identified nonconformities and for demonstrating continual improvement at the surveillance and recertification audits. The second benefit is cost savings: only in the largest organizations is it worthwhile to fill the ISMS auditor position with a regular employee and to fund that person's continuous training in ISMS matters.

Did you know that...

Most of the most effective measures for increasing information security are procedural in nature and do not require the purchase of expensive software solutions?

We offer consulting in all phases of implementation

Determining the Scope and Policy

In the first steps it is necessary to determine the part of the organization to which the ISMS will apply. Only the areas where it is genuinely needed may be selected, so that parts of the organization where it is not necessary are left out; the scope must be documented, and any exclusions and the interfaces to the excluded parts must be justified. This is followed by the definition of the information security policy, a mandatory document that includes the objectives, strategy and the various types of requirements placed on the ISMS.

Input Analysis and Risk Analysis

The initial input analysis establishes the current state of information security in the organization, from which a proposal of measures needed to reach the goals of the ISMS implementation is compiled. Risk analysis is a necessary part of this proposal: only measures that respond to identified and evaluated risks can reduce them in a targeted way.

Design of Procedures and Their Implementation

Another necessary step of the implementation is the preparation of the mandatory documents, such as standards, manuals, guidelines and the Statement of Applicability. These documents serve to put the standard into practice and are accompanied by other important activities, such as employee training.

Monitoring and Improvement

According to the standard, it is necessary to monitor information security performance and the effectiveness of the whole system. Another important point is the normative requirement of continual improvement, under which the organization must respond to nonconformities in the system and adopt corrective measures so that the system remains effective.

Cyber Security Law

Act No. 181/2014 Coll., on Cyber Security, as amended, aims to improve cooperation between the private and public sectors in the field of cyber security. The Act and its implementing regulations define a number of obligated entities and impose on them obligations that largely correspond to the requirements of ISO/IEC 27001, on which this regulation is based.

We are ready to provide cooperation and support to the entities affected by the Cyber Security Act in implementing the necessary measures, creating the related documentation and filling the roles that the law requires in the cyber security management system.

Outsourcing the role of Cyber Security Auditor in particular brings the organization cost savings, because the role does not have to be filled by a regular employee, while at the same time the organization gains an independent view of its cyber security management system.

Case Study

Client: Energy supplier

Problem: The company's rapid growth significantly increased the value of its information assets and outgrew the capabilities of its internal IT management.

Our solution:

A former client, for whom we had handled secure data disposal in the past, turned to us for a consultation on information systems security. Right after the introductory meeting it was clear that the rapid growth of the family business, by then a key player in its market, had not been matched by corresponding changes in the way IT was managed in general, and that information security was not being addressed at all.

In the first phase, we performed an input analysis for the client to give the company's management a clearer picture of the organization's current state. The scope of the project and an implementation period of 10 months were then proposed and approved. Because the client was not aiming for certification according to ISO/IEC 27001, this period was sufficient.

The project started with mapping the organization's processes and assets. The subsequent risk analysis concluded with a proposal of measures responding to the identified risks. Although this was not a preparation for certification, the basic ISMS documentation and the related implementation documents were prepared in agreement with the client.

Since the end of the project we have performed regular annual audits of the organization's ISMS and provide ongoing training for its key employees.

Marián Svetlík

Chief Consultant

Do you need a consultation in the field of information security management?

+420 776 740 482