Compliance with clearly defined standards
The term "compliance" refers to the adherence to regulations that affect an organisation internally and externally. Internally, these regulations can consist of policies or procedures defined within the company. Externally, they can be derived from general and industry-specific laws, guidelines, contractual framework conditions, and voluntary codes.
As confirmed by the German Act on Control and Transparency in Business (KonTraG) and the German Corporate Governance Code, the management is responsible for compliance.
Vital corporate processes are increasingly being mapped with information technology (IT). As a result, requirements can usually only be complied with by means of suitable IT control measures. For this reason, auditors are increasingly focusing on IT. For a company, this means that it must implement suitable control parameters for itself and its vital processes in order to substantiate its compliance with requirements.
The Information Systems Audit and Control Association (ISACA) has published the Control Objectives for Information and Related Technology (COBIT), an internationally recognised framework for a generic audit and control model. COBIT structures information technology tasks into 34 processes and more than 300 control objectives. For companies, COBIT represents an ideal framework for implementing suitable control measures with the help of generic processes and control objectives, thereby ensuring compliance with applicable requirements.
The challenge is to find suitable control parameters while taking cost/benefit aspects into account. Moreover, these control parameters must be monitored permanently. Finding suitable and target-oriented control parameters requires a lot of experience and the perspective of an auditor.
Furthermore, a suitable management and control system must be implemented in order to monitor these parameters, if possible in automated form. The need for automated monitoring dictates the deployment of an appropriate tool.
It is obvious that the interaction of organisational, process-oriented, and technical aspects is required in order to meet compliance requirements. This can be achieved effectively with an Information Security Management System (ISMS).
ISMS – foundation for systematic security and risk management
An ISMS (Information Security Management System) is a system of processes and rules within a company that serves the ongoing management and control of information security. The security goals it targets are confidentiality, integrity, and availability of information. It is essentially a risk-oriented approach that focuses on the risks to which a company's value chain is exposed.
ISO/IEC 27001:2005 is an internationally acknowledged security and risk management standard that defines the principles for the implementation, operation, monitoring, maintenance and improvement of a documented Information Security Management System (ISMS). It takes into account non-technical (organisational, HR-related) as well as technical and physical risks (overall business risks) across the entire company organisation. These risks are often also referred to as operational risks, e.g. in Basel II.
The establishment of an ISMS according to ISO/IEC 27001:2005 and its implementation within the scope of the PDCA cycle form the core of risk management.
Our services - your gain
- We examine your value chain and identify suitable control and measurement indicators to implement compliance requirements.
- We establish an ISMS on the basis of ISO/IEC 27001:2005 in your company.
- We establish a risk management system in your company.
- We automate the creation of compliance reports such as those required by SOX or PCI DSS.
- We coach you in the audit and certification of your ISMS.
Please do not hesitate to approach our experienced, certified lead auditors and learn about our compliance automation solutions.