Information security basics

Why is information security important?

The global volume of data is growing at an unprecedented rate. In 2023, approximately 328.77 million terabytes of data were generated every day. The total global data volume is estimated to reach 181 zettabytes by 2025, compared to 79 zettabytes in 2021.

This tremendous increase in data poses significant challenges for companies. The data must be securely stored and protected from cyber-attacks.

Every process now depends on the availability of the correct data, which is increasingly exposed to complex risks, including physical hazards such as fires and floods, unauthorised access, cyber-attacks, data breaches, and risks due to faulty data processing.

Companies can expect financial damage, reputational damage, and even legal consequences whenever data is lost, unavailable or stolen. As the amounts of data we deal with continue to increase alongside technological advances, so do the requirements to keep them safe.

Due to the recent global pandemic, the number of employees working from home, accessing the intranet from their private domestic Wi-Fi or even using their smartphones to run business apps has increased drastically. The consequence is that the potential threats and risks just keep growing.

A study by Bitcom indicates that 80% of the companies surveyed have experienced data loss, theft, economic espionage, or sabotage in the last 12 months of 2023.

Information security is all about protecting data and corporate assets from unintentional, self-inflicted incidents and from prying hacker attacks.

What is information security?

Information security (or InfoSec for short) covers how an organization may protect sensitive information, including policies and procedures to prevent unauthorized parties from accessing company information.

Information security is a growing, constantly evolving field that covers a wide range of topics. In addition to technical equipment, the security of a company’s processes and business activities is a focal point, as well as the qualification and trustworthiness of involved persons, whether staff, management, or suppliers.

Good to know:

• Information security describes the protection of corporate assets following at least three objectives.
  
  
• Information security is gaining importance as protecting corporate assets continues to become more vital and challenging at the same time.
  
  
• Information security plays a role across all industries. It is essential in highly software-driven and digital companies and those in highly regulated industries.

Definitions: Information security terms 

Information security describes the protection of information assets following at least three objectives:

• Confidentiality: Ensuring that information can only be accessed by authorised persons
  
  
• Integrity: Ensuring that information is protected against tampering and corruption
  
  
• Availability: Ensuring information is always available and can be restored if problems occur

While some international standards and norms define the requirements for information security and the measures necessary to ensure it, there is no legally binding framework in place.

Regarding information security, information assets include all data, information and goods that represent added value to an organisation’s operations and are vital to achieving business objectives.

For example:

• Hardware, software, data, databases, processes, and applications within an information system
  
  
• Devices, clouds, and other components of IT environments that process information
  
  
• Applications, general support systems (GSSs), staff, equipment, and collective system groups

It is helpful to take a closer look at the terms data, information, and knowledge to define information security further.

Data: Whether analogue or digital, the word ‘data’ is technically the plural of ‘datum’ and can refer to any character, value, or quantity with factual or statistical quality. In English, it is a mass noun, like ‘rice’ – which means it is uncountable and treated as a singular. For instance, 175.98 cm is a piece of data. Data forms the basis of information and knowledge. For that reason, data security is a frequently discussed element of information security: without safe data, there can be no safe information.

Information: Information arises when data is put into a specific context, i.e., through syntax or correlation. The data ‘175.98 cm’ turns into information when it is included in a row labelled ‘body height’ table. The information would thus read that the body height is 175.98 cm.

Knowledge: Knowledge is derived from pieces of information that are associated with one another and processed. ‘John Doe is 175.98 cm tall’ is an example of knowledge one might have about a particular person.

When we discuss data availability and knowledge management below, we are simply looking at knowledge in its different levels of abstraction.

Information security vs cybersecurity vs IT security

IT security is sometimes misleadingly used as a synonym for information security or cybersecurity.

The difference is information security focuses on the protection of information. The information itself is the asset. It exists independently of IT or cyberspace and requires protection in all its forms – whether as a file bursting with printouts or unique company know-how in your employees’ brains.

IT security refers to the IT infrastructure: everything from computers, servers, clouds, wiring and the like must be secure and protected from access by unauthorised persons. The purpose of an IT system is to transport and process information.

Finally, cybersecurity should be understood as a branch of IT security. It pertains to protecting information in cyberspace, i.e., information security on the web.

Every IT security measure contributes to information security, but not vice versa. Not every issue surrounding information security also relates to IT security. For example, effective HR policies can provide information security and will not depend upon an IT solution.

Information security: laws and certifications

Information security is gaining in importance. In recent years, numerous laws that directly deal with information security have been implemented or updated. This is partly due to the high pace of technological progress and digitisation that pose novel risks to today's business community.

At the same time, awareness is growing among consumers, B2B customers, investors, employees, and other stakeholders. Investors subject companies to intensive due diligence and put their information security under the microscope.

Certifications such as ISO 27001 and TISAX® are increasingly crucial in the competition.

Note: In industry jargon, the international standard in question is commonly referred to as ISO 27001. But its technically correct name is ISO/IEC 27001:2013, and the updated version is ISO/IEC 27001:2022.

Information security is crucial in these industries

Every company should take information security seriously, regardless of industry or size. However, the topic is significant in highly software-driven and digital companies and those in highly regulated industries. Take the healthcare industry, for instance: the nature of the market demands that companies meet strict minimum standards for information security – for example, to ensure doctor-patient confidentiality.

In the automotive industry, information security is highly related to the product: vehicles are so complex, and so many parties are involved in manufacturing that each product must pass through highly regulated approval processes before it can take to the roads. This means that all the actors involved in the supply chain must meet the requirements, from corporations and suppliers of medium-sized parts to advertising agencies and freelance consultants. Any actor involved in the supply chain must meet the industry-specific requirements for information security, with no exception.

Information security objectives

The three objectives of information security are:

• Confidentiality
  
  
• Integrity
  
  
• Availability

When companies implement protective measures for information security, they should always follow at least one of these objectives.

Extended models include:

• Non-repudiation
  
  
• Accountability
  
  
• Authenticity

Confidentiality

I’m going to tell you something in confidence.’

Everyone knows what that means: Don’t share what you are about to hear. Confidentiality in terms of information means the same. Information must be protected from unauthorized access by third parties. Who is authorized must be clearly defined.

Measures that seek to protect the confidentiality of information include:

• Encryption of data
  
  
• User access control
  
  
• Physical and environmental security
  
  
• Operational security
  
  
• Communications security

Integrity

A person with integrity is reliable. Regarding information security, integrity means that data or information are protected from being changed (either unintentionally or by unauthorised parties) and are, in this way, ‘reliable’.

It’s clear that confidentiality is a closely related concept, i.e., protecting data/information from unauthorised access. But integrity primarily means protection against unintentional changes. Unintentional changes are more likely to occur due to defective systems and processes than through human error.

Measures that seek to protect the integrity of information include:

• User access control
  
  
• Asset management
  
  
• System acquisition, development, and maintenance

Availability

What good is confidential and reliable data if it is unavailable to those who need it when they need it?

As an objective of information security, availability means building the technological infrastructure that makes data and information available. Or, in simple terms, preventing system failure.

If data is lost, a further task of information security is to restore operationality as soon as possible – for example, through backups.

Measures that seek to protect the availability of information include:

• Risk analysis
  
  
• System acquisition, development, and maintenance
  
  
• Incident management
  
  
• Business continuity management

The three extended objectives of information security: non-repudiation, accountability, and authenticity

If data is changed, the objectives of non-repudiation and accountability make it possible to attribute the changes in question to one single, indisputable identity – in the best case, a person. This can only be guaranteed through end-to-end identity management and change histories – for example, most CRM systems keep a log of when changes are made to contact and by whom. Thus, multiple users sharing a license results in a lack of non-repudiation and accountability.

The third extended objective, authenticity, describes how accurate information is and can be determined by a piece of information’s characteristics. To provide authenticity, you would want transparency regarding its source or provenance. Where was the information created, and who has “processed” it or added it?

What are the threats to information security?

When you hear ‘threats to information security’, most people immediately think of cyberattacks, organized crime, and espionage. And it’s true: criminal attacks – in particular on digital systems – pose a serious threat with far-reaching consequences.

And it’s not exclusively bad actors. Even a company’s employees can represent a threat to information security, intentionally or by accident. Further threats include defective systems and processes and physical threats through natural disasters.

Key points in brief:

• Information security can be compromised through natural forces, a company’s own employees, systems, processes, and cyber criminality.
  
  
• When hackers strike, it’s usually to blackmail companies into paying a ransom or simply steal data necessary to launch further hacks. Cybercriminals only rarely seek to gain intellectual property. Social engineering, insecure passwords, remote working, shadow IT and insecure cloud solutions pose the greatest vulnerabilities for hacker attacks.

Physical threats

In March of 2021, a fire broke out in a five-story OVH data centre in Strasbourg. 12,000 servers went up in flames, more than 100,000 websites across the world crashed and data lost in the blaze will never be recovered. The economic consequences were devastating.

What happened? Many of OVH’s customers had neglected to ensure their data was redundant. In short, there were no copies, and the companies were as at a loss.

At the end of the day, there is no guarantee that a data center is safe from fire, water damage or other forces of nature. Thus, one task of information security is business continuity management. Companies must remain operational, even if data stored in a data center is lost – a risk that any good risk analysis should discover. When choosing a data center or a cloud solution that processes business-critical information, one crucial factor in terms of information security is a high uptime guarantee.

Threats due to employees

Carelessness, poor training and lack of awareness among employees are among the most frequently mentioned factors that facilitate cyber criminality. Organizations must ensure that staff are aware of cyber risks – the UK cyber security breaches survey states that phishing attacks made up 80% of all cyber-attacks in 2023. Most cyber actors use social engineering techniques to gain access to the target organization’s networks. Therefore, training is crucial to preventing phishing attacks and avoiding vulnerabilities.

Cases of data theft by (former) employees rarely make it into the public awareness. On the one hand, such cases are difficult to prove. On the other, it is in a company’s interest not to publicize such news – except where required by data privacy legislation.

Typically, a company is most vulnerable to employee data theft during the onboarding and offboarding processes. New employees with extensive access to sensitive company data (e.g., Heads of IT or higher management) should be subjected to background checks. Employees should always hand back any information assets in their possession when they leave a company. In theory, at least. Whether an employee smuggles customer data out on a flash drive on their last day at work is difficult to prevent in practice.

Often, however, not even intentional data theft makes employees a threat to information security. Instead, it is the ‘human factor’ itself that poses the greatest vulnerability, particularly in cases of insufficient training resulting in a lack of awareness and staff taking risky shortcuts to meet deadlines to complete tasks or sometimes plain carelessness.

Threats due to systems and processes

Unless the systems for storing and processing data are fit for purpose, the objectives of information security will always remain out of reach. Take the objective of integrity, for example: to ensure the integrity of a company’s data, its IT systems must make it impossible for data to be manipulated without being noticed.

For example, suppose your company uses a tool that allows changing the number of an outgoing invoice after it's already been submitted. In that case, this might result in incoming payments being allocated to the wrong account. It would be better if the invoicing tool you use prevents data such as the invoice number from being changed once an invoice is issued.

Even self-programmed solutions can be prone to error when data is mistakenly overwritten, duplicated or otherwise modified. When that happens, your data no longer meets the integrity requirement. So, your IT system has to function effectively, alone and alongside other systems.

Threats due to cyber criminality

The global average cost of a data breach in 2023 was 4.45 million dollars –a 15% increase over three years. One thing is certain: Cyber criminality is on the rise and gets more expensive by the day. It primarily affects companies by stealing sensitive data, spying on digital communication and digital sabotage.

30% of all businesses in the UK have identified data breaches or attacks in the last 12 months, according to The Cyber Security Breaches Survey.

Phishing attacks are considered the most disruptive type of attack, but impersonation also has a high potential for damage. Consequences include website disruption, temporary loss of access to files or networks, corrupted systems, and stolen data.

The attacks pose a significant threat to companies. In the event of a successful attack, the attackers can block access to essential data and systems. This can lead to massive business disruption, especially for companies that rely on their IT systems. Massive business interruptions and financial losses can threaten the existence of attacked companies. Cyber-attacks have devastating consequences, especially for critical infrastructures such as hospitals and waterworks - with potentially drastic consequences for the civilian population.

The easiest way and first step to protect against cyber criminality is to train employees, carry out regular security updates and store data in a secure location. This is also an information security task: the acquisition, development and maintenance of secure systems.

What hackers want

Losing information such as customer or corporate data through, for example, ransomware attacks can weaken a company for hours, days or even weeks, causing damage both to its ability to compete and its reputation.

Most cyberattacks aim to pressure victims into paying a ransom for stolen or encrypted data sets. Hackers who steal email login data can use it to launch additional phishing attacks and heist sensitive information from the victim’s colleagues and business partners. In another increasingly popular strategy known as ‘crypto-jacking’, the criminal hijacks an unwitting victim’s computing power, mining cryptocurrency to line their own pockets.

Typical gateways for hacker attacks

1. Social engineering – the human factor

Social engineering is a blanket term for several malicious activities that seek to exploit every system’s greatest vulnerability: the user. Hackers might build trust with a company’s employees or blackmail them to get their hands on sensitive information such as passwords and credit card information. Typically, communication is digital. Cybercriminals pose as IT support or even the CEO and demand that employees hand over important information stat.

Once the fraudster succeeds in infusing the situation with stress, overwhelmed employees often lower their guard. They might fail to notice that the sender’s email address looks odd or the data request itself smells ‘phishy’.

2. Weak passwords

‘123456’, ‘password1’ and ‘abc123’ – weak yet often-used passwords such as these leave the door open to password spraying attacks, where hackers use software to try to guess a user’s password by entering commonly used character combinations. Passwords connected to the user’s personal life (e.g., the name of a partner, pet, or favourite vacation destination) make it even easier for hackers with intimate knowledge of their victim to guess their password.

It’s no surprise that hackers are so keen on finding out your password. After all, it can be the key to your personal information and company data, such as CRM data banks, email inboxes and more.

3. Shadow IT

Shadow IT refers to hardware and software employees use without the IT department's knowledge. Typical examples include browser plug-ins and messaging clients. Since they’re not part of the company’s official IT system, solutions like this are unprotected by the IT security concept. Despite this, insecure solutions are widely used and are a potential attack vector for malware or crypto jacking.

4. Home office (remote work)

Home office has been an integral part of the work routine since 2020. However, many companies are still not prepared to send their entire workforce to work from home with their processes and systems. As mentioned above, ransomware attacks proved to be a wildly successful strategy. Typical attack vectors for ransomware attacks are infected email attachments, downloads, and social engineering attacks.

5. Lack of due diligence in introducing cloud services

A report by Statista indicated that a staggering 15 million data records were compromised worldwide during the third quarter of 2022, marking a significant 37% increase from the previous quarter.

As attacks of this kind have been on the rise for years, it might seem a reasonable assumption that cloud services put companies at increased risk. But that’s not exactly right. The rising number of attacks simply expresses the increasing popularity and use of cloud services. Indeed, cloud services are often more secure than internally hosted IT, as they are subject to regular security updates.

But not all clouds are created equal. Some providers and solutions are fraught with breaches with respect to information security and data privacy. There is no way around it – before you start working with a new cloud service provider, due diligence is essential: is the provider’s information security management system certified? How has the service provider held up under penetration testing? What contractual guarantees does the service provider offer? Ensure that your SLA (Service Level Agreements) reflects the service your organisation requires.

What is an ISMS?

An Information Security Management System (ISMS) is a framework of policies and procedures used to manage an organization’s sensitive data and information security systematically. It encompasses processes, people, technology, and procedures that are designed to protect against unauthorised access, unauthorised use, disclosure, disruption, modification, or destruction of information. 

The primary objective of an ISMS is to effectively address and manage risks while also enhancing awareness of information security within the organisation. In this way, business continuity is ensured by proactively limiting the impact of a security breach. 

It provides a structured approach to the management and protection of information assets, defines how processes and activities related to information security are to be managed and outlines the roles and responsibilities of the personnel involved in managing information security.

Once you have built your ISMS, it is recommended to be certified to an international standard such as ISO 27001.

How is an information security management system (ISMS) set up?

When it comes to information security, an ISMS ensures transparency, repeatable processes and measurable KPIs. Put simply, a well-implemented ISMS means there are no more information security surprises lurking around the corner. Benjamin Franklin is said to have made the following statement that sums up the inverse point of an ISMS nicely: “When you fail to prepare, you prepare to fail.”

Putting an ISMS in place can only be successful when management truly backs the undertaking and provides the necessary resources. A company’s Information Security Officer (ISO) needs the trust of management, who in turn must give the ISO the ability to act. Without it, the ISO can’t bring together the people, tools, and processes necessary to ensure information security.

Key points in brief:

• An ISMS makes it easier for companies to calculate and control information security risks.
  
  
• In industries with intricate, highly regulated supply chains, such as automotive or healthcare, implementing an Information Security Management System (ISMS) is a crucial prerequisite for participating in the market.
  
  
• Moreover, while rarely a legal requirement, an ISMS is highly valuable and helpful to all companies.
  
  
• Management is always responsible for introducing and running an ISMS (top-down approach).
  
  
• The specific implementation and scope of an organisation's Information Security Management.
  
  
• System (ISMS) will be determined by its unique risk appetite.

The goal of an ISMS

As the name suggests, management systems for information security in companies are process-oriented and always a management-level responsibility. That is, an ISMS follows a top-down strategy. Management can delegate tasks related to implementation, but not the responsibility itself.

Management can match the level of measures and mechanisms they implement to their level of motivation, scaling the degree of information security in their company processes correspondingly.

Once the ISMS has been implemented, management must continuously monitor, evaluate, and adjust the scope, intensity, and progress of individual measures to ensure ongoing effectiveness.

Put simply, the goal of an ISMS is not to ensure maximum information security. Instead, an ISMS allows an organisation to achieve their desired level of information security. The decisive factor here is the organisation’s appetite for risk.

A company must have an overview of the information in its possession and the risks it is exposed to – as well as what it would cost if the risks materialized. Based on this knowledge, management can decide how much said risks should be reduced through an ISMS. So, ultimately, an ISMS is an instrument of financial risk management.

What are the benefits of an ISMS?

Implementing an Information Security Management System (ISMS) offers multiple benefits, including the opportunity to differentiate your organisation from competitors by upholding stringent information security standards, even in an unregulated market. This can attract and retain discerning customers who value robust cybersecurity practices.

Regardless of the industry or regulatory environment, implementing an Information Security Management System (ISMS) is a vital step towards boosting an organisation’s overall value and appeal to investors.

Businesses without an ISMS lack a comprehensive understanding of their crucial processes and information assets, hindering their capacity to effectively manage and safeguard sensitive data. Furthermore, in the pursuit of investor funding, an ISMS offers a robust framework for due diligence, showcasing the organization's dedication to data security and risk mitigation. The specific benefits of an ISMS are often influenced by the prevailing market forces and regulatory requirements of the industry in which the organisation operates.

Take the automotive industry, for example: for a company to enter this highly regulated market and act as a supplier in the supply chain, it must meet the industry requirements and have an ISMS in place.

Suffering from an information security incident is enough of a reason to act and implement an ISMS in your company. But it goes without saying that it would be better if it never even had to come to that in the first place.

How do I implement an ISMS in a company?

The requirements for establishing, implementing, maintaining, and continuously improving an ISMS are specified in the international standard ISO 27001. In terms of structure and operation, an ISMS basically follows a traditional PDCA cycle. (PDCA stands for plan, do, check, act.)

Create an ISMS guideline. Why do we, as a company, want to set up an ISMS? What are our goals? How will we organise our ISMS? Who will play the part of Information Security Officer (ISO), what resources will they have at their disposal, and what measures will they put in place?

1. Identify and classify assets. What assets/information do we want to protect? How sensitive are these assets/ this information anyway? In the automotive industry, for example, drawings of a vehicle in the planning stage would be significantly more sensitive than photos of a test model in a road test just before roll-out.
   
   
2. Establish ISMS organisation and risk management structures. What tools do we want to use? What financial and staffing resources will the ISO have at their disposal? What structures should the ISO establish?
   
   
3. Develop control mechanisms. How can we check whether our ISMS is effective and protects our corporate assets in the way we want it to?
   
   
4. Operate the ISMS. What processes do we put into action in day-to-day business? How will we integrate and document them?
   
   
5. Check results and KPIs. Questions like this must be routinely addressed: what results does our ISMS achieve? What key performance indicators (KPIs) can we derive from them?
   
   
6. Make corrections and take precautions. Where do we need to make changes to get better results? What can we do to prevent risks?
   
   
7. Review by management. Are our ISMS’s goals and general orientation still a fit for us? Does management need to course-correct? Management should review the ISMS with questions like these at least once a year or when there is a significant organisational change.
   
   

ISMS certification

Companies with a certified management system for information security benefit in several ways, not the least of which is the systematic identification and minimisation of risks to your IT systems, your business activities and processes and finally, your employees’ conduct at work.

In other words, companies with certified ISMS can manage their information security risks to a high degree of excellence demonstrable to the outside. This will increase the confidence that customers and potential partners have in your company’s ability to perform.

It is impossible to overstate the competitive edge this will afford you on the market. An ISMS can also serve as proof of compliance with industry and other legal requirements, such as applied to operators of critical national infrastructure (CNI).

One thing is certain: any investment and effort you put into certification is sure to pay off – especially if you’re facing a due diligence check. After all, the process will be significantly swifter and easier if your company already has ISO 27001 certification. As a bonus, ISO 27001 certification often greatly increases company value.

Key points in brief:

• ISO 27001 is the gold standard for information security management systems.
  
  
• ISO 27001 certification for your company’s ISMS is advisable if you wish or are required to provide proof of your information security to third parties.
  
  
• Certification by an accredited body is strongly recommended.
  
  
• The associated costs will greatly vary by company size, the complexity of the information security processes and the scope you wish to have certified.

Industry-specific certification schemes for information security management systems

Industry-specific certification schemes for information security management systems
ISO 27001 is the gold standard for information security management systems. However, the individual industry, market and national legislation may make other standards relevant.

Take Germany, for instance, where the Federal Office for Information Security (BSI) has developed the standards BSI 200-1 and BSI 200-2. As a 12-step system for implementing a compliant ISMS, is an especially interesting standard to local authorities and small and medium-sized enterprises.

When working with U.S. federal information systems, NIST (National Institute of Standards and Technology) Special Publication 800-53 is the relevant standard – or, with respect to financial reporting, the international Service Organization Control standards SOC 1 and SOC 2.

Accredited ISO 27001 certification

ISO 27001 certification for your company’s ISMS is advisable if you wish or are required to provide proof of your information security to third parties. But the certification isn’t free. Not only do you have to pay for auditing itself, but putting in place the requisite measures can also eat up a good deal of resources. It would, therefore, be aggravating if, for your efforts, you do not successfully pass the certification audit and all you get is a certification that is worth little or, worse, nothing.

There are several national and international accreditation bodies around the world. EU law stipulates that each member state has one national accreditation body – such as the Deutsche Akkreditierungsstelle (DAkkS) in Germany or the Hellenic Accreditation System (ESYD) in Greece.

In the USA, on the other hand, there are multiple accreditation bodies that serve different standards, among them the ANSI National Accreditation Board (ANAB) for ISO 27001 accreditation.

The UK follows the EU model, with one solely appointed national accreditation body, the United Kingdom Accreditation Service (UKAS). Currently, UKAS has accredited more than 150 certification bodies in the UK alone, 24 of which specifically offer accredited ISO 27001 certification.

While UKAS also offers ISO 27001 accreditation to foreign certification bodies as well, certifiers around the world typically pursue recognition by an international accreditation body such as the International Accreditation Board (IAB). Certification bodies accredited by IAB perform audits according to ISO 17021, an international standard for auditing management systems.

Certifications not confirmed by the international accreditation body are often not recognised by business partners. Indeed, most contracts that require ISO 27001 certification mean certification by an accredited body. For this reason, it is strongly recommended that a company pursue certification through an accredited body.

ISO 27001 certification: the costs

For companies seeking ISO 27001 certification, the implementation generally incurs the greatest cost. Meeting the various requirements can take months or even years, and third-party consultant services, often a must, rarely charge daily rates under € 1,500 (£1300).

The certification process itself pales in comparison to the run-up to it. But when it comes to your company’s implementation measures, the proof is in the pudding: if the certification body decides your company falls considerably short of compliance. If you fail the audit, you’ll have to arrange a new audit – the process starts over, and the costs increase.

A medium-sized company with 100 employees and relatively low process complexity per 15 to 20 employees can roughly expect an audit to wrap up in one day. For larger companies, audits will be more time-intensive.

The actual duration will naturally depend on how complex your information security processes are as well as on the scope you’ve defined for your ISMS to cover. Smaller companies with only one location, can expect certification to be upwards of € 10,000 (£7500). Certification bodies will provide an exact figure upon request.

Recertification: How long is ISO 27001 certification valid?

Putting information security measures in place is not a one-off project but a continuous process. For this reason, your company’s ISMS will need to be recertified from time to time. To stay compliant with ISO 27001, your certification will need to be renewed once every three years through an entirely new audit process. And the certifying body is required to carry out less extensive checks every year. If serious deficiencies are uncovered, certification can be revoked even before the three-year cycle is up. What’s more, ISO 27001 also requires companies to perform annual internal audits independently.

What are the requirements for jobs in information security?

In 2022, there was a global shortage of some 3 million cybersecurity professionals. And it’s no surprise, as the information security job profile brings together a unique skill set – a plurality of competencies that are rare in today’s jobs market, taken even on their own: in addition to a high degree of IT literacy, applicants also need to demonstrate in-depth knowledge of the standards and laws relevant to the field.

Moreover, the job is also one that frequently demands an aptitude for communication and negotiation. After all, information security processes can only work when all the involved company divisions cooperate – getting them to do so is just one more task where the cybersecurity professional must shine.

Information security experts are in high demand in the job market. Previous work experience and knowledge of ISO 27001 and information security management systems are essential for qualification.

Employees should have experience in the following areas:

• Implementation of IT security, including - only if relevant to critical infrastructure (CI) - an understanding of critical infrastructures 
  
  
• Setting up an ISMS
  
  
• Certifying an ISMS in accordance with ISO 27001 / TISAX®
  
  
• Managing information security incidents
  
  
• Staff training and awareness-raising activities
  
  
• Negotiations and project management

(Chief) Information Security Officer: an overview

The CISO, Chief Information Security Officer or Information Security Officer (ISO), is a manager who is responsible for information security in an organisation. They are responsible for the security of information, data, and systems.

The tasks of a CISO are varied and include:

• Developing and implementing cyber security strategies.
  
  
• Assessing risks.
  
  
• Developing and implementing security measures.
  
  
• Monitoring the security situation and training employees in cyber security. 

A CISO focuses their attention and efforts on securing the company's interests. The job is something of a balancing act between protecting information assets and ensuring seamless business operations. Normally, the position is directly subordinate to top-level management and works closely with the IT department as well as the compliance and legal teams.

The responsibilities of the CISO include:

• Protecting corporate assets from attacks and data breaches (in cooperation with the Data Protection Officer and IT)
  
  
• ISO 27001/27002 and TISAX® certification
  
  
• Introduction of an information security management system
  
  
• Choosing suitable methods and tools
  
  
• Risk management and advising company leadership
  
  
• Communication between departments

CISOs are often computer scientists or computer scientist graduates with advanced training or specialisation in the field of information security, in addition to years of experience. The job's responsibilities are not legally defined; a CISO’s day-to-day activities will depend significantly on the company itself and the respective industry. However, there are special cases in the public sector where the job profile is legally defined.

Depending on the company, the position of CISO can be filled by an internal employee or an external service provider.

Is outsourcing information security worth it?

Not every company has the resources or the will to implement and manage information security. In some cases, the internal team might need more support from the heavy documentation load. Perhaps the team doesn’t have the right expertise for a certain project or fails a due diligence audit...

When faced with challenges like these, it’s best to turn to an external service provider for guidance. The advantage is external services are quick to purchase, and the service provider’s experience means you skirt the timely onboarding process.

A good provider will assign you a personal contact, your go-to for all the challenges your company faces, with the know-how from past experiences to overcome them.