In this article, we look at the organization in the context of information security management. As with all management systems that apply the PDCA (Plan-Do-Control-Act) cycle in any way, it takes people to embark on the journey.
The possibilities for organization are manifold
If you look at the different standards, there is a great deal of latitude in how the topic is anchored in the organization:
- ISO 27001:2024 requires a clear organization, but leaves the design up to the company
- ISO 27779:2016, which has been specially adapted for the healthcare sector, requires company management to designate at least one person who is professionally qualified or has received appropriate training
- In IT-Grundschutz (basic protection; 2023 edition, module ISMS.1.A4) and the B3S standard (ANF-MN 8), the appointment of an information security officer is a MANDATORY requirement
- The American NIST-SP800 standards also specify the appointment of an Information Security Officer (NIST SP800-53r5 Control PM-2)
- The various standards also call for further staff and responsible persons, albeit mainly as target specifications rather than firm mandates
Different focuses of the various standards
While COBIT places particular emphasis on anchoring information security in the organization and aligning it with the corporate strategy, IT-Grundschutz (basic protection) focuses strongly and in detail on the technical infrastructure.
These degrees of freedom are understandable: a laboratory with 50 employees does not have the economic and organizational resources of a university hospital with 18,000 employees or of a multinational company that falls within the scope of various laws. The organization of information security management must be able to adapt to the company and its objectives.
So, what do you need?
- In any case, a hospital needs an information security officer (ISB); this follows from the B3S standard, or more precisely from §391 para. 4 SGB V. The ISB can be employed internally or contracted externally, but must be professionally qualified and must be given the time and resources for the role by the company. In other healthcare companies, it depends on whether an industry standard exists and whether the company is above or below the KRITIS threshold. In principle, it is always advisable to consider appointing an ISB.
- As an interface to the organization, it is a good idea to form a team that deals with the topic of information security. This should be made up of members of the relevant professional groups. The data protection officer should also be involved.
- In small organizations in particular, you can consider assigning the task to existing staff or teams or combining tasks, for example a crisis team and an information security team.
As you can see, there is a lot of room for manoeuvre in organizing information security as long as you are not a KRITIS company. But it has to be done, so give those responsible the space to do it.
The next posts will focus on the content work and we’re going full risk!
Click here for the article “Information inventory and risk management”, part 3 of our blog series.
Cyber risk check – a new service from Oberender AG
Do you want to know where you stand in terms of information security right now? Great – then let’s do the cyber risk check together. You can find more information here.