Information Security Management
To ensure the information security of our company and to hold ISO 27001 certification, we operate an Information Security Management System (ISMS for short). This system must be maintained by a group of people with defined leadership.
- The ISMS is the set of procedures and guidelines within a company that serve to define, control, monitor, maintain and continuously improve information security.
- ISO 27001 is an international standard that describes how information security in a company can be ensured with an Information Security Management System (ISMS).
| Role | Assignment |
|---|---|
| Accountable | Work Group Information Security Management |
| Lead | Role keeper of CISO |
| Delegator | Board |
Core Tasks
- Maintain our Information Security Management System.
- Define policies regarding information security.
- Define processes to identify and mitigate information security threats.
- Ensure the ISO 27001 certification.
- Ensure the yearly ISAE 3402 report.
- Ensure the risk management process.
- Handle security incidents that fall into the scope of the ISMS.
- Prepare the yearly Management Review.
- Prepare, organize and hold employee training on ISMS-relevant policies and topics.
- Prepare, organize and support recurring internal and external audits.
- Support VSHN teams in compliance questions.
- Conduct a comprehensive risk analysis and risk mitigation.
- Moderate the approval of acceptable risks.
Constraints
- The Management has to approve new ISMS policies and changes to existing ISMS policies that are marked as requiring management approval.
- The CISO can directly approve all other ISMS policy changes.
- There is a yearly Management Review of the ISMS, which is approved by the Board.
- Defined, acceptable risks need approval by the Board.