Security is not a product – Security is a constant process!
The security posture of a company is always only a snapshot. In daily operations a company keeps evolving, and so does its security!
Threats, trends and, not least, user requirements are constantly changing. The entire chain of requirements, deliverables and risk monitoring within the security environment is a continuous process that must be followed consistently and without interruption.
Some examples of risks that arise from insufficient information security management in a company:
- Missing uniform guidelines, or an insufficiently defined and communicated security policy
- Lack of methodology and experience in IT risk analysis and security management
- Incomplete business continuity management, and security and risk management processes that do not fit together seamlessly
- Inadequate cooperation between the various security functions in a company (corporate security, internal audit, data protection, IT security)
- Sole focus on technical IT security solutions instead of involving all affected parties
- Lack of training and awareness among company staff
We accompany you from the first steps of planning an information security management system, through analysis, concept and introduction, up to the audit or, if requested, certification. Alongside professional project management, we consider it very important to draw your attention to the 'critical success factors' of information security projects.
If you want to establish a working information security management system in your company, it is very important to lay the foundations first:
- management must fully back the security strategy, support its implementation and actively live by it
- personnel resources are planned and available
- the budget is planned and available
- the stakeholders' roles are clearly defined
- information and awareness training ensures acceptance by company staff
By introducing an ISMS (Information Security Management System) in accordance with an international standard such as DIN EN ISO/IEC 27001, you make a decisive and documentable contribution to securing your company's core business. Company assets are protected holistically and the related IT risks are minimized.
Our specialists support you in the quick and effective implementation of security and risk management objectives in your company.
From the planning of your project and the requirements of ongoing operations, through emergency situations, to all further requirements with regard to:
- IT Governance
- Information Security
- IT Risk Management
- Business Continuity Management
- Document Management
More and more companies recognize the value and quality of an information security process based on international standards that are independently audited, certified and viewed holistically.
To establish an ISMS you need an approach that is
- traceable and
- auditable
For the implementation of an ISMS, WMC recommends an approach based on international standards such as DIN EN ISO/IEC 27001. The PDCA model described therein (Plan – Do – Check – Act methodology) guarantees a top-level security culture.
The company must thoroughly examine legal prerequisites, industry-specific requirements, classic risks to business success and, consequently, the IT risks. The entire information security process, including IT risk management, measures management and document management, must be pursued without any gaps.
In its control clauses, DIN EN ISO/IEC 27001 describes the subprojects of an ISMS implementation.
The following overview outlines the method for implementing an ISMS:
Create fundamentals and guidelines (Security Policy)
- Obtain a management board decision on a consistent security policy
- Nominate a security officer at management board level
- Introduce fundamentals and guidelines
- Carry out self-assessments
- Implement an ISMS organisation
- Check and assess the infrastructure (Vulnerability Assessment)
- Assign and assess resources and processes
- Carry out other industry-specific assessments (such as against DIN EN ISO/IEC 13485)
Carry out Risk Management
- Rate the processes according to their 'business criticality'
- Create a business blueprint of the systems landscape
- Create an inventory of assets and their values as the basis for a key-figure system
- Analyse the threats to and vulnerabilities of the systems landscape
- Assess the possible risks
- Create a risk treatment plan
Treat the Risks
- Accept or transfer the risks
- Carry out immediate security measures
- Align business continuity management (BCM) to the operational risks
Apply Measures Management
- Schedule and launch the necessary projects
- Review the launched measures
- Cover all aspects with an established emergency management
Once these phases have been run through for the first time (Plan/Do), the measures are continuously reviewed (Check), changes are identified and the ISMS is adapted (Act). Throughout the cycle, all staff members are repeatedly and effectively made aware of security, and the ISMS is developed further in line with the company's strategic direction.
For many years, WMC Consulting has been advising customers in these industries on the analysis, conceptual design, introduction, optimization and implementation of integrated information security, IT risk management and IT lifecycle management.
With the QSEC-Suite, our customers can, if requested, obtain a market-leading product for implementing and operating an information security management system (ISMS) in accordance with DIN EN ISO/IEC 27001. This solution is a future-oriented tool for a pragmatic 'best practice' implementation of an ISMS that permanently saves resources and costs.