ISO 27001 based on IT baseline protection for Information Security

Data security policy

  • Organization and regulations
    This first section is intended to give an insight into the customer's organizational structure, departments and tasks, so that the relevant subject matter becomes familiar. Typical questions answered in this context are: Does a security policy exist, together with the security guidelines derived from it? Are there documented security objectives? Are the company's assets (its 'values') defined? Are possible attacks addressed? Are there legal regulations, standards or other obligations that must be met? Are there corporate guidelines for the use of the Internet and email?
  • IT architecture
    The focus of this section is the IT network as a whole. In addition, the following is determined:
  1. Network plan
  2. IT structure: client, server, network printers, hubs, switches, routers, laptops
  3. Connections: Ethernet, backbone technology
  4. External connections: Internet and remote access

Following this overview, the section goes into the technical details: IP addressing, the firewall, the servers and clients, the technical equipment for backups or a redundant system, including the specifics of the systems selected.

  • Applications
    Here the applications in use are identified, together with the data types they process and the access authorizations granted.
  • Personnel, data protection and data security management
    The personnel area first records the current administrators and users of the systems and then addresses how the systems are handled, for example:
  1. Administration
  2. Audit (revision)
  3. Dealing with security incidents
  4. Awareness (sensitisation)
  5. Handling passwords

In this context, access rights and responsibilities are considered, as well as the handling of personal, financial or customer data in compliance with data protection requirements.

  • Buildings and premises
    The security of buildings and spaces is discussed: Are there measures to counteract dangers such as force majeure, organizational defects, technical failures or intentional acts? Is there a monitored locking system? Is an alarm system installed? Is the power supply uninterruptible? Are the requirements regarding fire protection, theft and air conditioning implemented?

Analysis of the current situation and its improvement

During the analysis of the current situation, the following questions are addressed in particular:

  • Are the aspects of handling personal data specified in the data protection policy in compliance with legal regulations?
  • Are the security objectives chosen adequate?
  • Are the security measures for the IT infrastructure described in the data security policy sufficient?
  • Is the security of Internet and server access guaranteed?

The analysis is typically carried out against standard references, for example the measures selected from the IT baseline protection manual. At the end of an analysis, improvement recommendations are usually formulated and discussed with the customer so that the existing data protection and/or data security policies can be revised.

Technical support during the implementation

Arab Expert can support you with this:

  • We help you determine the measures from the baseline protection catalogue that are actually relevant.
  • We assist you with the requisite justification of exceptions in the implementation.
  • We can also support you with the practical implementation. Here, we help you proceed as efficiently and effectively as possible and make use of proven solutions.
  • We offer you the opportunity to have us directly examine the degree to which the measures have been implemented.
  • We help you set up appropriate monitoring systems that let you monitor your processes with the greatest possible automation and produce the required evidence.

Our expertise for your company

Arab Expert creates, documents, analyses, optimizes and audits data protection and data security policies for companies and public authorities.

The standards for creating data protection and data security policies, against which an audit with subsequent certification is also possible, have already been established – e.g. the Arab Expert IT baseline protection manual or ISO/IEC 27001. These standards are excellent and proven tools, and they form the foundation for the creation, consultation and audit of data protection and data security policies that Arab Expert provides to its customers.

We have prepared the ISO 27001 audit questions for you in an understandable way.