Information Security Management

To ensure the information security of our company and to be ISO 27001 certified, we operate an Information Security Management System, in short ISMS. This system must be maintained by a group of people with defined leadership.

  • The ISMS is a set of procedures and guidelines within a company, which serves to define, control, monitor, maintain and continuously improve information security.

  • ISO 27001 is an international standard that describes how information security in a company can be ensured with an Information Security Management System ISMS.


Work Group Information Security Management


Role keeper of CISO



Core Tasks

  • Maintain our Information Security Management System.

  • Define policies regarding information security.

  • Define processes to identify and mitigate information security threats.

  • Ensure the ISO 27001 certification.

  • Ensure the yearly ISAE 3402 report.

  • Ensure the risk management process.

  • Handle Security Incidents that fall into the scope of the ISMS.

  • Prepare yearly Management Review.

  • Prepare, organize and hold employee educations on ISMS relevant policies and topics.

  • Prepare, organize and support recurring internal and external audits.

  • Support VSHN teams in compliance questions.

  • Define processes to identify and mitigate information security threats.

  • Conduct a comprehensive risk analysis and risk mitigation.

  • Moderate acceptable risk approval.


  • The Management has to approve new policies and policy changes to ISMS policies which are marked as to be approved by management.

    • The CISO can directly approve all other ISMS policy changes.

  • There is a yearly Management Review of the ISMS approved by the Board.

  • Defined, acceptable risks need approval by Board.

Evaluation Criteria

  • Security Incidents are coordinated and handled according to ISMS policies.

  • VSHN has a yearly ISAE 3402 Type 2 report.

  • VSHN is ISO 27001 certified.

  • Policies documented in our Wiki.

  • Policies documented in our Handbook.

This domain is tracked and reviewed as VIP-43