Best practice approach

Establish an ISMS according to ISO 27001

   Profit from 20+ years of experience

   Pragmatic and efficient

   Helping you to help yourself


Talk to our experts


500+ customers place their trust in us – from startups to large companies


Your goal

You want to introduce an Information Security Management System (ISMS) according to ISO 27001, whether on your own initiative or because of concrete requirements from your target groups.


Our service

We will impart the knowledge and accompany you from the start of the project to ISO 27001 certification. With the right setup, templates, tools and a lot of experience.


The result

You are now successfully certified and have all the knowledge your Chief Information Security Officer (CISO) needs in order to operate and further optimize your own ISMS.

The steps to your ISMS according to ISO 27001

1. Gap Analysis

Check status quo and define needs

ISO 27001 Gap Analysis

The first step is an ISO 27001 gap analysis. Our ISO 27001 specialists survey and assess - through a mixture of document review and interview sessions with the relevant departments - the status of your current implementation, based on the requirements of ISO 27001.

This ISO 27001 gap analysis gives you and us a clear picture and enables us to realistically estimate the implementation effort, clearly structure the project and define the required work packages.

If you have already performed a gap analysis, we will work with it and not perform it again.

2. Framework

Create the right basis

Establish a framework

Once we have identified the areas of action, we work with you to create the framework and foundation for a functioning ISMS in accordance with ISO 27001:

  • We define the scope, based on the requirements of your stakeholders (e.g. management, parent company, ordering parties or business contacts).
  • We define and establish the security policy and objectives.
  • We determine the required security organization, including roles, committees and their responsibilities.
  • We establish the necessary project organization for the development of the ISMS.

3. Policies

No ISMS without clear rules

Create policies

We can only achieve the defined information security goals by establishing clear and unambiguous rules. We define these "rules" in various guidelines, both for all employees in the scope of the ISMS and for specific areas or target groups (e.g., IT admins, software development, purchasing, human resources, or facility management).

We do not reinvent the wheel here, but use our numerous templates, which have already been successfully tested in practice for several years and are regularly updated so that they always reflect the state of the art.

We agree the created guidelines with the necessary people in the specialist departments and integrate them into the relevant business areas.

4. InfoSec Risk

Identify risks and derive measures

Information security risk management

Information security risk management (InfoSec Risk Management) is the heart of an effective ISMS according to ISO 27001, because it helps you to distinguish the important from the unimportant and always proceed pragmatically.

Jointly with you, we create the necessary structural and procedural organization to identify, assess, deal with (i.e. derive appropriate measures) and document all relevant information security risks in a structured and systematic manner.

If you already operate a risk management system or have your own risk management approach in your company, we will base our work on this and, if necessary, enrich it with relevant aspects of ISO 27001 that are missing.

5. Implementation

Eliminate deficits and implement requirements

Implement defined measures

Now it's time to implement the defined measures. In this phase, we provide very targeted coaching and also support you as needed in the event of any resource bottlenecks. It is important to us to prepare you or a member of your team as best as possible for your tasks as an information security officer.

During implementation, we place great emphasis on practicable solutions, i.e., on ensuring that the measures

  • contribute to achieving the desired level of security,
  • are economical and feasible, and
  • still meet the requirements of ISO 27001 incl. Annex A.

6. Pre-audit

Let's see how far we've come

Pre-audit & preparation session

ISO 27001 requires that you regularly perform internal ISMS audits in order to be ready for certification - with good reason. We support you in planning and conducting your internal ISO 27001 "pre-audit" here as well.

To ensure that we do not audit our own work here - which could lead to a significant conflict of interest - the internal ISMS audit is performed by an external ISO 27001 auditor from our partner network, who was not involved in setting up the ISMS in your company and is correspondingly neutral and independent.

These 'pre-audits' deliver a high level of benefit:

  • You receive a realistic picture of your status and progress.
  • They fulfill the ISO 27001 requirement to conduct internal audits.
  • You prepare audit participants for the real audit sessions. If necessary, we coach the participants to confidently avoid "typical faux pas" in the real audit.

7. Certification

The fruit of labor

ISO 27001 Certification

The final step for most companies is ISO 27001 certification. This must be carried out by an accredited certification body. Although we ourselves act as ISO 27001 auditors for the certification body TÜV Nord CERT, we cannot audit you because we have already accompanied you in setting up your ISMS. After all, we cannot certify our own work.

But we can gladly establish contact with the certification bodies.


Looking for a personal consultation?

Let us get to know you in a web meeting and let's talk about your current situation and goals. We will show you how we have helped customers in similar situations.

Yes, let's talk

Meet the international standard

What is an ISMS according to ISO 27001?

The ISO 270xx series of standards is a collection of specifications and recommendations for security procedures and methods to plan, implement, operate and optimize an ISMS. These specifications can be used by companies or organizations of any size and in any industry.

The ISO 27001 standard is designed to be flexible, i.e., it does not recommend specific security solutions or discourage specific alternative solutions. ISO 27001 is a certifiable standard that is internationally recognized and widely used. It also lays the foundation for many other specific standards and best practice collections.

An ISMS according to ISO 27001 consists of

  • the PDCA cycle (Plan - Do - Check - Act),
  • a risk-based approach, and
  • the recommended measures (Annex A).
