ISO 27001 based on the IT baseline protection certification
How does a certification according to ISO 27001 based on IT baseline protection work?
A certification by the BSI in accordance with ISO 27001 based on IT baseline protection confirms that you have taken all the organisational, infrastructural and technical information security measures for a defined scope or for your entire company. For this, it is necessary that an IT baseline protection or ISO 27001 auditor licensed by the BSI inspect the implementation of the measures (certification audit) and create an audit report.
Should the auditor determine that all relevant measures are implemented, the report can be sent to the BSI and an application for certification can be submitted. The BSI then issues an ISO 27001 certificate based on IT baseline protection.
Such a certificate is internationally recognised and more convincing than a mere ISO 27001 certificate, because in this case – in addition to the general requirements of ISO/IEC 27001 – the concrete requirements of baseline protection must be met.
Preparation for the BSI baseline protection certification
Initially – comparable to an IT structural analysis according to the IT baseline protection manual – the ‘subject matter’ to be examined is specified in the respective data protection or security policy. This can be done on the basis of documentation or information provided by employees and should be completed by a security check. The following range of topics is typically considered:
Data security policy
- Organisation and regulations
This first section is intended to provide insight into the organisational structure and departments as well as the tasks of the customer, in order to become familiar with the relevant ‘subject matter’. Typical questions to be answered within this context are: Does a security policy exist, along with the security guidelines derived from it? Are there documented security objectives? Are the ‘values’ of the company defined? Are possible attacks addressed? Are there legal regulations, standards or other obligations that must be met? Are there corporate guidelines for using the Internet and email?
- IT architecture
The focus of this section is the IT network under consideration (the ‘IT-Verbund’ that defines the scope). Additionally, the following is to be determined:
- Network plan
- IT structure: client, server, network printers, hubs, switches, routers, laptops
- Connections: Ethernet, backbone technology
- External connections: Internet and remote access
This provides a deeper insight into the technical details, based on an overview of: specifications of IP addresses, the firewall, the servers and clients, and the technical equipment for backups or a redundancy system, including details of the selected systems.
In particular, the applications in use are identified, along with their data types and access authorisations.
- Personnel as well as data protection and data security management
The ‘personnel’ area initially covers the current state of the administrators and users of the systems and then addresses how the systems are handled, for example:
- Dealing with security incidents
- Handling passwords
Within this context, access rights and responsibilities are considered, as well as the handling of personal, financial or customer data in compliance with data protection law.
- Buildings and premises
In this section, the security of buildings and spaces is discussed: Are there measures to counteract dangers such as force majeure, organisational defects, technical failures or intentional acts? Is there a monitored locking system? Is an alarm system installed? Is the power supply uninterruptible? Are requirements regarding fire protection, theft and air conditioning implemented?
Analysis of the current situation and its improvement
During the analysis of the current situation, the following questions are addressed in particular:
- Are the aspects for handling personal data specified in the data protection policy in compliance with legal regulations?
- Are the security objectives chosen adequately?
- Are the security measures for the IT infrastructure described in the data security policy sufficient?
- Is the security of Internet and server access guaranteed?
Standard material is typically used to carry out the analysis, for example the selected measures from the IT baseline protection manual. At the conclusion of the analysis, improvement recommendations are usually formulated and discussed with the customer so that the existing data protection and/or data security policies can be revised.
Technical support during the implementation of the BSI certification
The BSI baseline protection catalogues stipulate the implementation of a very large number of specific sets of measures for successful certification according to ISO 27001 based on IT baseline protection. Verifying this implementation in the audits for certification, surveillance and recertification is mandatory. The correct implementation of the relevant measures is thus essential. activeMind can support you with this:
- We help you determine the measures from the baseline protection catalogue that are actually relevant.
- We assist you with the requisite justification of exceptions in the implementation.
- We can also support you with practical implementation. Here, we assist you with proceeding as efficiently and effectively as possible and with using proven solutions.
- We offer you the opportunity to have us directly examine the degree to which the measures have been implemented.
- We help you create appropriate monitoring systems that enable you to monitor your processes, with the maximum possible automation, and provide the required evidence.
Our expertise for your company
activeMind AG creates, documents, analyses, optimises and audits data protection and data security policies for companies and public authorities. Our CEO Klaus Foitzick is a recognised BSI auditor and has inspected numerous companies within the framework of the certification audit. The Chamber of Industry and Commerce in Munich, Germany [Industrie- und Handelskammer München], the Chamber of Tax Consultants in Bavaria [Steuerberaterkammer Bayern], and many other institutions make use of our experts.
The standards for creating data protection and data security policies, according to which an audit with subsequent certification is also possible, have already been established – e.g. the BSI IT baseline protection manual or ISO/IEC 27001. These standards are excellent and proven tools, which serve as the foundation for the creation, consultation and audit of data protection and data security policies that activeMind AG provides its customers.
We have prepared the ISO 27001 audit questions for you in an understandable way.
Nevertheless, the market demands the creation of data protection and data security policies in order to practically improve the level of security of the IT landscape and the handling of personal data, to increase procedural transparency and to document the legal requirements – without having to fully comply with the seemingly extensive standards or methods.
Thus, activeMind AG has developed a methodology that uses recognised standards but is initially limited to the essential aspects of IT security. Should a customer desire a certified security policy based on the IT baseline protection manual or the ISO 27001 standard, this method can be expanded at any time to include the topics of the standard.