Data Protection and IT Security

• IT Emergency Manager (BCM) according to ISO 22301, ISO 27031 and BSI IT Basic Protection
• IT Risk Manager according to ISO 31000, ISO 27005 and BSI IT Basic Protection
• ISO/SAE 21434 (Cybersecurity Engineering)
• BSI IT Basic Protection Practitioner
• BSI IT-Grundschutzberater
• ITiBe/ Ciso according to ISO/IEC 27001/27002 and BSI IT-Grundschutz
• Information security advisers
• ISO/IEC 27001 Lead Implementer
• ISO/IEC 27001 Lead Auditor
• Additional testing procedures Competence §8 (3) BSIG IT security audits at KRITIS operators
• COBIT ® 5 Foundation
• Ethical Hacking Foundation
• ITIL ® Foundation Certificate
• Full Scope Social Engineering and Physical Security
• Foundation Examination TISAX ®Assessment
• Professional Examination TISAX ®Assessment
• Specialist for data protection DEKRA
• Economic lawyers
• ISO/SAE 21434 (Cybersecurity Engineering)

An Information Security Officer (ISO) is a person in an enterprise who is responsible for ensuring information security. The role of ISB is to develop and enforce security policies and procedures that ensure the confidentiality, integrity and availability of corporate data. The ISB works closely with other departments in the company. It regularly monitors the security of the company and assesses potential security risks. He or she develops security strategies and ensures that the company complies with all relevant security standards and laws. Overall, the ISB plays an important role in ensuring the information security of a company by ensuring that all systems and data are secure and that the company is prepared for potential security threats. Please contact us if you are looking for an external ISB.

An Information Security Management System (ISMS) is a framework that helps companies and organisations identify, assess and manage information security risks. It is a process-oriented approach to managing information to ensure its confidentiality, integrity and availability, thereby increasing information security. An ISMS defines a systematic approach to the management of information security, consists of a set of policies, procedures, processes and systems, and is usually based on an international standard, such as ISO/IEC 27001, which defines the requirements for an ISMS.

External support accelerates the development of an ISMS, as external experts have specialized knowledge and experience, share best practices and help identify risks. This increases effectiveness and the focus on the most important risks. External support can also overcome resistance and increase the likelihood of success.

ISO 27001 is an international standard for information security, while the basic IT protection was developed by BSI specifically for German organizations. The focus of IT basic security is on security measures for IT systems, while ISO 27001 takes a broader approach to information security. ISO 27001 is based on the PDCA process model, while IT basic protection uses a phased model. Companies can achieve ISO 27001 through formal certification, while IT basic protection is merely a recommendation. Basic IT security is particularly suitable for small and medium-sized enterprises and public authorities, while ISO 27001 is suitable for organisations of all sizes that want to improve their information security.

The external data protection officer assumes all the duties of an internal data protection officer in his or her capacity as data protection officer. This includes the implementation, coordination and control of data protection measures in the company. In addition, he is the contact person for data protection issues for customers, suppliers as well as internal departments and management.

If at least 20 employees are permanently engaged in the automated processing of personal data, a data protection officer is required. Furthermore, a company needs a data protection officer if he or she carries out regular and systematic processing of sensitive personal data. The data protection officer may be appointed internally or externally. Should this position not be filled competently and reliably in the company, e.g. due to resource constraints or lack of knowledge, it is advisable to appoint an external data protection officer. In practice, the view from the outside can bring greater added value.

The General Data Protection Regulation (GDPR) is important because it protects the personal data of EU citizens and forces companies to take data protection seriously. The GDPR ensures that individuals are informed about the processing of their data and are given control over their data. Companies must ensure that they use the data only for the stated purpose and that appropriate safeguards are in place to protect the data. In the event of breaches, there is a risk of heavy penalties, which are intended to encourage companies to take data protection seriously and to respect the rights of individuals. Overall, the GDPR contributes to strengthening public confidence in the handling of their data and to creating a uniform data protection standard across the EU.

As a company, you must observe Privacy by Design and by Default to ensure that data protection requirements are already taken into account in the development of products and services. Privacy by Design means that data protection is built into the development from the outset, while Privacy by Default ensures that by default only as much personal data is collected as is necessary for the stated purpose. By respecting Privacy by Design and by Default as a business, you can ensure that your products and services meet data protection requirements and strengthen customer confidence in your business. By considering data protection requirements in development, it is also possible to avoid costly corrections and adjustments that may occur later when data protection issues are discovered. In addition, compliance with Privacy by Design and by Default can help to avoid violations of the GDPR and other data protection laws and avoid sensitive penalties. Overall, adherence to Privacy by Design and by Default is an important step for any company that takes data protection seriously and wants to make sure it acts in accordance with applicable data protection regulations.