In the course of this, the guidelines, specifications and processes for increasing information security are regularly reviewed to ensure they are up to date and, where necessary, adapted in consultation with the information security officer (ISB). This also means monitoring and assessing how the ISMS requirements and their documentation are implemented. The documentation comprises written instructions, procedures, plans, guidelines and any other information needed to control, organize and monitor processes. The reason for and date of every change is recorded in the document history so that the documentation remains auditable at all times.
None of this works without continuous development of information security risk management, based on the protection goals of confidentiality, integrity and availability (the goals that Art. 32 GDPR also requires to be safeguarded). In practice this means that company assets, i.e. employees, hardware or the services offered, are analysed for risks to these three values in order to decide whether a risk is acceptable or must be reduced through suitable measures.
Another area of responsibility of the ISO coordinator is the preparation and coordination of internal ISMS audits and external ISO certification audits. ISO certification is valid for three years: a surveillance audit is carried out in the first and second year, followed by recertification in the third year, in which the scope of the audit is the same as in the first audit.
Last but not least, the ISO coordinator reviews and assesses the current threat situation based on the latest security advisories from the Warning and Information Service (WID) of the Federal Office for Information Security (BSI). These are published on the BSI website, and each advisory carries a CVSS score that helps to prioritise it. CVSS stands for Common Vulnerability Scoring System and is a standard for rating the severity of potential or actual security vulnerabilities in computer systems. The base score rates the technical severity of a vulnerability, not the risk to a specific organisation: whether the affected product is in use, how it is exposed and what it protects must still be assessed separately.
The next certification audit will be carried out in mid-2025 against the new version of the standard, ISO 27001:2022, ahead of the transition deadline of 31 October 2025 after which certificates to the 2013 version expire. The revision sharpens the process orientation of the management system and restructures the Annex A controls from 114 controls in 14 sections to 93 controls in four themes (organizational, people, physical and technological), adding eleven new controls such as threat intelligence, information security for the use of cloud services, configuration management, data leakage prevention, monitoring activities and secure coding, in order to reflect current cyber security requirements. Considerable additional work is to be expected in the run-up to the changeover, but this effort is necessary to maintain a high level of information security.