External Information Security Officer (ISO)

Icon Information Security, © NESEC GmbH

In many companies, especially medium-sized companies, a specialist is appointed for data protection, the external data protection officer (DPO), who takes care of data protection issues with a high level of expertise. However, the topic of information security, although just as important, is too often simply assigned to an employee from IT. In times of daily IT security incidents, high losses caused by hackers and ransomware, this approach is no longer up to date.

Many companies are increasingly demanding information and proof of information security as part of their supplier evaluations. In some cases, an information security management system (ISMS), ideally certifiable in accordance with ISO 27001, TISAX or VdS 10000, is required directly. In particular, many companies must ensure that critical suppliers do not fail as a result of an attack and that they themselves would then no longer be able to deliver. Cybersecurity insurance companies are also required to provide evidence of information security, including existing certifications, in order to cover high losses, and even auditors have to take into account IT risks that could jeopardize the company's continued existence.

An external information security officer (ISO) can provide you with targeted support in implementing a certifiable information security management system.

Tasks of the External ISO

As part of our work as an external information security officer, we take on the following tasks:

  • Advising management on the selection of a suitable security standard for your company, taking into account your requirements, e.g. ISO 27001, VdS 10000, etc.
  • Supporting the management in drawing up the information security guideline (information security policy) and advising on all information security issues
  • Creation of information security guidelines and any other necessary documents
  • Monitoring the implementation of the guidelines and checking the level of security actually achieved
  • Creating and updating the emergency concept and planning emergency drills in conjunction with IT management
  • Raising awareness and training your employees on IT security issues
  • Central point of contact for all information security issues, particularly in project management, within the company and for third parties
  • Support in IT risk management both in IT operations and in projects
  • Checking the IT security implemented by suppliers and IT service providers
  • Regular reports to the management on the status of information security
  • Investigating information security incidents and reporting to management

In particular, the ISB is not directly involved in IT management and is not authorized to issue instructions to IT operations, but merely plays an advisory and auditing role. The introduction of IT security guidelines in the company and the implementation of proposals to improve information security is carried out by the existing management levels.

Integration into Existing Management Systems

An ISMS rarely stands alone, but is usually integrated into other, often already existing management systems. For example, if your company is already certified to ISO 9001 or another comparable ISO standard, it makes sense to create an integrated QMS/ISMS, as the requirements of the management systems overlap, e.g. with regard to improvement programs or interested parties, and work does not have to be duplicated.

We therefore coordinate closely with your quality management or those responsible for other existing management systems and integrate the ISMS into your existing system.

The ISMS Grows With You

Nobody forces you to start with the largest and most comprehensive standard. In many companies, the first goal is to improve information security and put it on a stable foundation. This foundation is the security guidelines, from which the technical IT security measures are then derived.

If you do not yet have any IT security guidelines at all, we can start small together:

  1. With a cyber security check, we examine the information security actually in place as well as existing regulations in your company.
  2. If no regulations exist yet, we introduce an information security management system in accordance with VdS 10000, a lightweight standard that can be easily expanded. Of course, you can decide for yourself whether you want to have your ISMS certified or not.
  3. If external requirements are added, e.g. because your customers specifically demand ISO 27001 certification, we expand the VdS 10000 ISMS into a fully-fledged ISO 27001 ISMS with additional guidelines and measures. The previously created guidelines are not lost, but can be adopted in full. Of course, we also accompany you through the ISO 27001 certification process.
  4. If necessary or desired, we can prepare you for further industry-specific audits, e.g. TISAX for automotive or an audit in accordance with BSIG § 8a for KRITIS companies.

All our employees have the necessary and useful certifications, e.g. as a recognized VdS 10000 consultant, ISO 27001 Lead Auditor or with the extended audit competence according to BSIG § 8a.

Our Service

We provide your company with an external information security officer (ISO), advise you on all aspects of information security and introduce a certifiable information security management system (ISMS) in your company.