Munich - Companies handle confidential data as part of their daily routine, so a high level of information security is a must. Achieving that level, however, is only partly a matter of technical measures; the management processes required are frequently underestimated. The ISO 27001 management system standard provides a useful basis for a well-balanced information security management system (ISMS). TÜV SÜD’s experts are familiar with the implementation of such systems and the critical success factors they involve.
“Information security is based on three fundamental values – availability, confidentiality and integrity”, explains Alexander Häußler, ISO 27001 Product Manager at TÜV SÜD. “Availability means that the information must always be available whenever it is needed. Confidentiality involves protecting information from unauthorised disclosure, while integrity ensures that the information is complete and unchanged.”
To ensure information security, appropriate measures must be identified, assessed and implemented. The process also involves responsibility on the part of management, comprehensive monitoring and documentation, employee training and clearly defined communication paths, internal audits, and a continuous improvement process. Five steps are necessary to implement an information security management system; they include the definition of the scope and the information security policy, the identification of the relevant information assets and the risks associated with them, and the implementation of the necessary security measures.
Key criteria for success include a thorough understanding of risk assessment and risk management, a realistic budget for the activities and measures, and an appropriate awareness of the issues involved. Information security should not focus solely on technical aspects, but should also take in the people involved, because technical measures can only be effective when employees are properly trained to act responsibly.