We prepare you for all important certifications of information security, advise you on all necessary aspects and jointly develop concepts and strategies.
- ISO 27001 & 27002 consulting
- ISO 27019 & IT-SiKat consulting
- TISAX® consulting
- BSI Baseline Protection
- KRITIS consulting
- EU-GDPR consulting / ISO 27018
ISO 27001 & 27002 consulting
Various laws require information technology to be handled in a traceable and integrated way and legally binding proof of protective measures to be provided. In addition, information security is an increasingly important success and trust factor for companies and institutions. The international standard ISO/IEC 27001 is one of the best-known and most widely recognized frameworks worldwide for demonstrating a reliable information security management system.
Any implementation of ISO/IEC 27001 stands or falls with a scoping process aligned with the organization’s business strategy. The challenge is to find the right balance between economic and functional aspects. In a gap analysis, we define the measures necessary to meet the requirements.
At an early stage of the project we determine which measures must be implemented immediately and where later implementation will suffice. Our results show you concrete potential for improvement. On the basis of a reliable project plan that sets out all work packages and time specifications, you can decide for yourself where you want us to support you.
(Source: www.hisolutions.com/security-consulting/informationssicherheit/iso-27001)
ISO 27019 & IT-SiKat Consulting - Standard for information security in the energy utility industry
The international standard on information security for the energy utility industry sets out guidelines for an information security management system (ISMS) whose goal is to ensure the functional and reliable operation of control and automation technology. This covers systems and networks for controlling, regulating and monitoring the extraction, generation, transmission, storage and distribution of electrical energy, gas, oil and heat. The term process control technology includes communication technology as well as control, automation, protection, safety and measurement systems. A holistic view that includes the associated IT and OT systems is essential to ensure a reliable power supply; all processes and systems used within the organization must be considered. The updated standard requires, for example, that operators of critical infrastructure in the energy sector demand an equivalent level of security from relevant service providers and document this. The process is analogous to certification according to ISO 27001.
Benefits of ISO 27001 or 27019 certification:
- Internationally accredited proof of the effectiveness of the security concept
- Stronger legal certainty in critical security matters
- Systematic realization of the protection goals of information security
- Maintenance and continuous increase of the security level
- Integration of appropriate measures to provide protection against all types of threats
- Strengthening of the security awareness of employees
- Building trust with regard to cooperation with external organizations
TISAX® consulting
Procedure for TISAX® certification:
- Definition of the scope and assessment level
- Kick-off, document review and self-assessment
- On-site assessment or remote assessment with interim report
- Planning, approval, implementation and subsequent evaluation of corrective actions
- Effectiveness audit
- Posting of the final report to the TISAX® online platform and issuing of the test labels
Advantages for a company:
- Gaining the trust of all stakeholders
- Meeting the needs and requirements of suppliers and customers
- Fulfilling the high security requirements of the automotive industry
- International recognition of the security level by the automotive industry
- Avoiding multiple certifications and assessments
- Time and cost savings through greater efficiency
- Greater transparency along the entire supply chain
- Anchoring information security in the company
- Continuous maintenance of the information security level once achieved
- Competitive advantage through differentiation from market competitors
BSI Baseline Protection Consulting based on ISO 27001
The IT Baseline Protection methodology is defined in BSI Standard 200-2 and contains a practical description of how to set up and operate an ISMS. The main topics here are:
- Role of the ISMS
- Establishment of the organizational structure for information security
- Selection of the security requirements & implementation of the security concept
- Continuous improvement and maintenance of information security
- Selecting the approach or level of protection based on the initial assessment, so that IT Baseline Protection can be adapted to organizations of different sizes, industries and functions according to their protection requirements. The available approaches are characterized by:
  - Target: cost-effective and targeted ISMS, reduction in work
  - Entry point into the security process
  - Initiation of an ISMS
  - Reduction of risks as quickly as possible
  - Subsequent detailed analysis of the actual security requirements
  - Comprehensive and in-depth methodology
  - BSI preferred approach
  - ISO 27001 compatible
  - In-depth protection of particularly important business processes and assets
  - Also possible as an entry point into the security process to secure particularly vulnerable business areas
The German Federal IT Security Act passed in 2021 consolidates the role of the BSI (Federal Office for Information Security) as the central authority for information security and digitalization. As Germany’s cyber security authority, it has far-reaching powers and authority to identify security vulnerabilities or prohibit the use of critical components in security-critical areas. A central component of the revised law is the change with regard to the security of critical infrastructure operators and their systems. CRITIS (critical infrastructure) regulation has been significantly expanded by the IT Security Act 2.0. The following changes have come into force in the course of this:
- Detection of attacks must be implemented on a mandatory basis for operators of critical infrastructures. In practice, this requirement can be addressed by a SIEM and a SOC.
- In the event of a malfunction, CRITIS operators and UNBÖFI (companies in the special public interest) are obliged to provide the BSI, on request, with all data required to manage the disruption.
- The Ministry of the Interior must be notified of the use of critical components by CRITIS operators in certain sectors. Critical components are IT products in CRITIS facilities on whose functionality the operation of the facility significantly depends and in which a failure of such a component would have a significant impact on the function of the facility.
- Immediately after being identified as a CRITIS operator, an organization must register with the BSI and designate a contact point.
- The scope of the CRITIS sectors was extended to include the municipal waste management sector and thresholds for critical infrastructure operators were significantly lowered, while new CRITIS facilities were added.
Our custom-fit ISMS CRITIS concept is delivered with you and for you in the following phases:
- Phase 1: Workshop/coaching to define the basic structures
- Phase 2: Establishment and integration of an information security management system
- Phase 3: Implementation of the defined information security measures at the sites
- Phase 4: Support for the audit according to Section 8a CRITIS Regulation
EU-GDPR Consulting / ISO 27018 as an internationally certified cloud standard
This standard sets out data protection requirements for the processing of personal data by cloud service providers. For many organizations, ISO 27018 certification is a decisive criterion when selecting a cloud service provider. Accordingly, the advantages of this certification are:
- Competitive advantage through differentiation from market competitors
- Strengthening the confidence of potential customers in your company
- High level of compliance with the GDPR and the EU Data Protection Directive