This document summarizes several information management system standards including ISO 9001, ISO 27001, ISO 20000-1, and ISO 22301. It provides an overview of the benefits of certification, including improved quality, risk management, and gaining customer trust. It also describes the focus and key requirements of each standard, and recommends which ones would be most suitable for different company sizes and industries depending on their needs around quality management, information security, IT service management, and business continuity.
2. Contents
Benefit of information management systems
Significance of certification
Overview of the central information management systems
ISO 9001 Quality Management focusing on IT
ISO 27001 Information Security Management System (ISMS)
ISO 20000-1 Service Management System (SMS)
ISO 22301 Business Continuity Management System (BCM)
Decision-making aid: What standard is the right one for your company?
Arguments for certification by TÜV NORD CERT
What happens when you come to us
Further information
27/05/2015 Iris Maaß 2015 2
3. Benefits of information management systems
Quality and finances are managed, as are the company's important resources such as personnel and required material
Similarly, data security, risks and operational continuity must be managed as a major company resource.
Data risks increase in proportion to the relocation of business onto the internet via online shops and to the extent external service providers are used (cloud computing, outsourcing)
Half of all hacking attacks worldwide are aimed at companies with a maximum of 2500 employees (not only large corporations are affected) [Symantec study]
Anyone offering IT services externally (B2B or B2C) must ensure there is trust in their services
4. Significance of certification
Any audit conducted by a neutral, independent organisation on your management system ensures the confidence of the market
Our highly qualified auditors highlight both examples of best practice in your system and weak points, thus helping you to improve
The decision to obtain certification signals within the company that implementation of the management system is a major concern to you
When the date is set for certification, this will mobilise the necessary forces to implement the management system completely and on schedule (overcoming inner resistance)
5. Overview of the possible standards relating to IT

Focus                                   | ISO 9001 | ISO 27001     | ISO 20000-1              | ISO 22301
Management system                       | Yes      | Yes           | Yes                      | Yes
Accredited                              | Yes      | Yes           | Yes                      | Yes
Manual, CIP, goals                      | Yes      | Yes           | Yes                      | Yes
Statement to the outside                | Quality  | Data security | IT service quality       | Business continuity
Customer requirement                    | General  | Security      | Service level agreements | Risk management
Regulatory requirements/data protection | Yes      | Yes           | -                        | -
6. Overview of information management systems
ISO 9001 certifies the fundamental structure of a management system based on customer orientation
Certification to ISO 27001, ISO 20000-1 and ISO 22301 represents specialisations with different points of focus.
ISO 27001: Security of information including qualitative, operational, business continuity and IT service-related requirements; special consideration of risk management
It is the important foundation for the IT architecture
ISO 20000-1 is the pure view of the IT services as a service process
ISO 22301 focuses on continuous business operation and manages the critical business processes; the risks of operational interruptions are identified, examined and evaluated
7. ISO 27001 Information Security Management
An Information Security Management System (ISMS) is that part of the whole management system which covers the following on the basis of a business risk approach:
the development,
implementation,
conduct,
surveillance,
review,
maintenance
and improvement of the information security
8. ISO 27001 Information Security Management System
Good information is a major value added factor in the company
Confidentiality, availability and integrity should be the basis for the evaluation of information
Information is an asset (a precious value)
An ISMS (Information Security Management System) counteracts risks and guarantees information security
Alongside adverse influences, statutory, regulatory and contractual provisions are taken into account in the ISMS
Certification is appropriate for all organisations and companies for whom IT and data possess a special value
Certification can also proceed in combination with ISO 9001, ISO 20000-1 and/or ISO 22301
9. ISO 27001 Information Security Management System
Benefits of certification according to ISO 27001:
Reveals weak points in the handling of information
Sensitises employees and enhances risk awareness
Minimises risks
Creates confidence in the organisation, among customers, partners and investors
10. ISO 27001 native and BSI basic protection
IT security can be considered from 2 angles:

Accredited certification according to ISO 27001 (ISO 27001 native) | Approach of the Federal Office for Information Security (BSI basic protection)
Management-based view (top down), business-oriented approach | Component-based view (bottom up), approach specific to the authority
Procedures to guarantee the ISMS are determined by the organisation itself, evaluation according to the risk methodology of the organisation | Formal procedure according to BSI 100-2: introduction of all requirements according to the BSI basic protection manual (rigid check list)
Certification by accredited certification body TÜV NORD CERT, certificate issued by TÜV NORD CERT | Audit by recognised and licensed auditor at TÜV NORD CERT; certificate issued by BSI
Recognised worldwide | Recognised in Germany
11. ISO 27001 native and BSI basic protection
Both approaches have their justification
We recommend ISO 27001 native because it can be tailored to your needs in your company and the certificate is also recognised in international business transactions
The ISMS auditors at TÜV NORD CERT are licensed for both and can offer you both audits or a combination of the two
12. ISO 20000-1 Service Management System
Internationally recognised standard defines the requirements for a professional IT Service Management System
80% of the IT budget is connected directly with the service processes, hence the high cost relevance of efficient processes
Enables organisations to measure objectively their capability to render services and make it comparable (benchmarking)
Orientation of IT services (in-house or external) towards the needs of customers or the requirements of the core business
Reduction of operative risks and compliance with contractual assurances (Service Level Agreements)
Integration of the process-based approach of the ISO systems with PDCA cycle and continuous improvement with the requirements for IT service processes
13. ISO 20000-1 Service Management System
ISO 20000 helps assure high service quality in terms of cost efficiency and risk consideration
[Figure: process efficiency, coverage of risks and cost efficiency combine into best service quality]
14. ISO 22301 Business Continuity Management
Formerly BS 25999-2
This concerns maintenance of business operations despite serious impairment (power failure, pandemic, political events)
Risk scenarios are developed to show how regular operation can be resumed in the shortest possible time after a break due to disruption
Reduction of damage, threats
Certification offers an independent, qualified statement on the efficiency and soundness of the contingency plans and restoration of business operations
In addition, information can be found in a Code of Practice according to BS 25999-1
15. ISO 22301 Business Continuity Management
Certification recommended for larger SMEs and large enterprises
Important in particular where there is greater global networking of partners and suppliers and in the case of hived-off sub-processes
Certification confirms the existence of a system for critical business processes in order to continue them in exceptional cases
Certainty concerning the validity of a company's own risk management
Positioning as a reliable business partner by certification to the outside world
16. What standard is the right one for your company?
ISO 9001: Focus on customer orientation and management system in general; introduction to the subject of management systems
ISO 27001: For all companies where data handling plays a role: service providers, IT companies, banks and insurance companies, trading companies, public institutions
ISO 20000-1: IT service providers, service centres within organisations
ISO 22301: SMEs or large companies from a workforce of 2000 up, public utilities (power plants), all organisations where continuous business operations are of vital importance
17. Reasons for accredited certification
Numerous voluntary quality marks flood the market
Their scope is normally restricted to the German market
Voluntary quality marks are normally only based on house standards (no accredited surveillance)
Benefits of the international standards from this presentation:
Worldwide recognition (International Standardization Organisation)
Certifier TÜV NORD CERT is accredited
Surveillance of certification by the accreditation body (DAkkS; German accreditation body which conducts the statutory surveillance for Germany)
Internationally, certification is subject to surveillance by accreditation bodies in Europe and worldwide according to the same rules in every country, so certification according to ISO standards is sounder
18. What happens when you come to us
1. Provisional offer by our Sales Department
2. If the offer is accepted:
3. A suitable auditor is assigned
4. You receive a written confirmation
5. Auditor contacts you to discuss a time frame for the certification, clarification of open questions
6. Despatch of an audit schedule approx. 4 weeks prior to audit date
7. Stage 1: For first certification, establishment of certifiability of your organisation, with report
8. Stage 2: Audit in your company, with report
9. Certification decision in the certification body
10. Issuance of a certificate if the result of the audit is positive
19. Training courses at TÜV NORD Akademie for information management
Chief Information Security Officer - CISO (TÜV) - examination
Chief Information Security Officer - CISO (TÜV)
Information Security Management
Information Security Officer - ISO (TÜV) - examination
Information Security Officer - ISO (TÜV)
IT Basic Protection Expert (TÜV)
IT Basic Protection Expert (TÜV) - examination
IT law compact
Contact:
TÜV NORD Akademie
email: akademie@tuev-nord.de
Tel.: 0800 8888020 (toll-free service number in Germany)