ISO 27001 defines the requirements for an Information Security Management System (ISMS). The standard defines a continuous improvement process (CIP) which enables the company to determine the necessary security measures in a risk-oriented approach and subsequently to implement and continuously improve them. An ISMS is often perceived as a software tool, which it is not. The ISMS is a methodology and procedure that does not necessarily require a software tool in the first step. In larger companies, of course, software can support this methodology, especially if several departments or people are involved in operating the ISMS.

What are the most common motivations for ISO 27001 certification?

1) The competitive advantage

Using an ISO 27001 certification in marketing and sales as an argument to customers that the company has a proven track record of adhering to recognized standards in the area of information security.

2) Liability of the company management

Implementing and certifying an information security management system can reduce management's personal liability by avoiding organizational culpability.

3) The role for the company's customers and implementation of the state of the art

The company's customers can use ISO 27001 certification as a guarantee under Article 28 of the GDPR (processors) and Article 32 (data security measures), among others.

4) Advantages or benefits for the company

Proof that security is taken care of and that this is confirmed by an independent body (the certifier).

5) Advantage for the management

Proof that management is taking care of business-critical tasks such as IT security.

The implementation of ISO 27001 enables a company to achieve and maintain an appropriate level of security. This particularly requires management support (often referred to as management commitment) and a willingness not only to write this method down, but also to actively integrate it into business processes.

The cost-effective alternative

Some companies use an approach based on the methodology and requirements of ISO 27001, but without performing the final certification. In this approach, the company relies on internationally recognized methods and standards. In this case, implementation is achieved in many areas in accordance with the current state of the art.

Does the new Network and Information Systems Security Act (NISG) affect me, and does it require ISO 27001 certification?

The NISG (https://www.ris.bka.gv.at/Dokumente/BgblAuth/BGBLA_2018_I_111/BGBLA_2018_I_111.html) only concerns the sectors defined in §2 of the Act:

Energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and digital infrastructures as operators of essential services; in addition, providers of digital services such as online marketplaces, online search engines and cloud computing services, as well as public administration bodies.

Whether a company must comply with the requirements of the Network and Information Systems Security Act as an operator of essential services will be determined by the Chancellor, and the notifications are expected to be sent to the affected companies starting in early Q2 2019.

As a provider of digital services, you have to take action yourself and check whether the requirements of the NISG apply to you.

For operators of essential services in Austria, there is no ISO 27001 certification obligation, but there is an obligation to implement appropriate measures in the following specified divisions and to provide evidence of their operational effectiveness through regular audits within a period of 3 years:

  1. Governance and risk management
  2. Dealing with suppliers and third parties
  3. Security architecture
  4. System administration
  5. Identity and access management
  6. System maintenance and operations
  7. Physical security
  8. Incident detection
  9. Incident management
  10. Operational continuity
  11. Crisis management

Although there is no ISO 27001 certification requirement, we believe it is essential to establish a structured approach. Mapping these divisions to the requirements of ISO 27001 is recommended here. In conclusion, the use of ISO 27001 is sensible and recommended, as the CIP process can be used for the NISG evidence.

How important is the implementation of an ISMS according to ISO 27001 for suppliers of large customers?

As a supplier of large customers, e.g. in the automotive, energy or pharmaceutical industry, it is almost indispensable to be able to prove that appropriate measures for the protection of information and personal data have been implemented. Large customers often already demand ISO 27001 certification as a minimum requirement from their suppliers. This may not yet have a direct impact on current contracts, but it is expected that ISO 27001 certification will be mandatory for suppliers in the future. Companies are therefore well advised to deal with an ISMS implementation and the ISO 27001 topic at an early stage and to plan it carefully.

The clients see the following advantages in requiring ISO 27001 certification of their suppliers:

  • Use of the certification as a guarantee in terms of DSGVO (GDPR) Article 28, Processor
  • Increasing the trustworthiness of the supplier when processing sensitive information of a principal
  • Reduction of effort in vendor management, as individual security requirements no longer have to be negotiated with the supplier
  • Reduction of effort in supplier audits with regard to information security
  • Higher rating in supplier selection for certified companies

Companies that are already planning to use ISO 27001 certification may already have a competitive advantage over vendors that cannot demonstrate a structured approach to their information security or are merely planning to do so.

Which other companies are already ISO 27001 certified?

According to a survey conducted in February 2019, around 150 companies in Austria are certified to ISO/IEC 27001.

The top provinces with certified companies:

  • Vienna: 61% of ISO 27001 certified companies are based in Vienna.
  • Upper Austria: 10%
  • Styria: 9%
  • Tyrol: 7%
  • Vorarlberg: 6%

Among the industries, the IT sector dominates by a wide margin, with a number of data centers and Internet service providers having obtained ISO/IEC 27001 certification in recent years.

The top industries with ISO 27001 certification:

  1. IT: 37% of the ISO 27001 certified companies belong to the IT sector.
  2. Energy and water supply: 14%
  3. Real estate: 12%
  4. Industry: 9%
  5. Public sector: 9%
  6. Health and social services: 7%

The number of ISO 27001 certified companies in Austria is significantly lower than the average in other countries such as Germany. One reason for this may be that in Germany operators of critical infrastructures have to prove ISO 27001 certification according to the IT Security Act 2016 (comparable to the Austrian NISG of 2018), whereas this is not the case in Austria. There are only a few selected accredited certification companies; the essential work lies in the structured support of the certification process.

We will give tips for a successful start of a certification in one of the next articles.