Spoilt for choice
Due to increasing cybercrime, information security is becoming more and more important in companies. In order to include all company areas in protective measures, many companies decide to introduce an information security management system (ISMS).
An ISMS based on existing standards has three advantages:
You fall back on best practices and do not have to work out everything yourself.
You concentrate on the essentials and leave out the superfluous.
All important issues are taken into account, no aspect is forgotten.
All these systems are based on information security standards. They all aim to minimise project risks, increase information security and reduce administrative effort. They differ in the way they achieve this, but can also complement each other at some points.
The different models explain how an ISMS is set up and developed. It is also important to know the necessary organisational and technical steps and how to keep it up to date. In addition, test criteria are shown, according to which entrepreneurs can assess if the identified measures are appropriate.
The two most important standards in Europe are DIN EN ISO IEC 27001 and the IT-Grundschutz developed by the BSI. The American NIST standard of the National Institute of Standards and Technology (NIST) plays a subordinate role in Europe.
ITIL certification (IT Infrastructure Library) is a framework for the management of IT services. As a qualification scheme, ITIL refers to individual persons in IT service management, not to an entire company.
We have therefore focused on the first two standards in our comparison.
|ISO/IEC 27001-9||BSI Grundschutz||NIST
|Suitable as ISMS||Yes||Yes||No||No|
|Acknowledged||Internationally||in Germany||in the US||Internationally|
|Company size||All, even small companies, as adaptable||Basically all||all|
|Suitable for||All companies and protection needs, for internationally active companies||Authorities, service providers for authorities, companies with highly sensitive data, critical infrastructures||Mandatory for US authorities|
|Company-wide certification||Yes||Yes||No||Only for individuals in IT service management|
|offers||Guidelines, requirements definition
International standard, more freedom in implementation
|Specific description of measures||Standards, documentation, best practice procedures||Description of measures, best practice framework|
|additional comments||Goes beyond IT, refers to all types of information (including notes)|
What are the basic requirements for certification according to BSI Grundschutz and ISO 27001?
Anyone seeking certification must introduce a corresponding management system. This system evaluates and regularly audits the company’s processes and information security risks. It also defines measures that must be observed in the various company divisions. Last but not least, responsible persons must be appointed, all employees trained and involved in the regular implementation.
All defined measures must be documented in writing. On the one hand, the documentation serves the auditor as a basis for the audit. On the other hand, it is a working basis that is especially helpful in an emergency.
Since all steps of the emergency concept are recorded, people quickly know what needs to be done. In this way, all business processes that are necessary for the survival of a company are secured. These instructions must always be kept up to date, which should be done according to certain documentation processes. For ISO certification, documentation management must even be directed by the management.
For whom is BSI Grundschutz certification the right choice?
- trustworthy organisations that work with public authorities
- companies that handle sensitive data.
It is nationally recognised and provides concrete recommendations for action, procedures and information for analysing and minimising IT risks. It is technically oriented, so that the recommendations can often be implemented directly. This makes the ‘IT-Grundschutz’ Compendium very comprehensive. (The PDF of the 2022 edition comprises 900 pages).
Who should get DIN ISO 27001 certification?
If your company is active throughout Europe or internationally, you should be certified according to ISO 27001. This international standard is based on the business processes established in companies.
In addition, the standardised norm is kept more open and offers more scope for design than IT-Grundschutz. Therefore, it can also be adapted well to the circumstances of smaller companies. This also makes the ISO 27001 standard interesting for companies that do not handle highly sensitive data. For them, the cryptography requirements of IT-Grundschutz are usually too extensive.
BSI or ISO 27001? The best of both worlds
You are striving for ISO 27001 due to international activity? Therefore, you want to ensure optimal confidentiality of company data? Then use IT-Grundschutz as a basis for certain areas. This combination has already proven itself many times over.
xc and the standards
Both ISO 27001 and IT-Grundschutz place specific requirements on the crypto concept to be implemented:
- Appropriate cryptographic procedures must be used.
- Cryptographic keys must use appropriate algorithms and have the currently recommended length.
- Crypto products should be archived, their configuration data backed up.
- Appropriate key generation and management, including verification of origin and integrity.
- A defined procedure for the case of compromised keys.
- Increased need for protection means additional requirements.
Therefore, the following aspects, among others, must already be considered when creating a crypto concept. In the event of an audit, they should also be documented in an audit-proof manner.
1. Cryptographic guidelines
- Which information must be protected?
- When does the information need to be protected and how intensively?
- Are external authentication authorities (CAs) required to protect / sign certain information?/li>
- Processes: Who does what?
- Who is responsible for compliance with the conventions?
- How does sustainable controlling look like?
2. Key management
- Which encryption method should be used?
- Management and transparency of existing keys?
- Defined processes for handling keys, e.g. for issuing, distributing, renewing etc.?
- Who is responsible for ensuring compliance?
- What to do if keys are lost?
- Lifespan of the keys?
- Who has access to the keys, including archived keys?
The art here is to implement all specifications flawlessly at all times. Tools for managing cryptographic keys and digital certificates can make a valuable contribution to this. One of these tools is our essendi xc. It is set up carefully once and will apply the requirements reliably and automatically in the future.
essendi xc supports you in implementing your crypto policies successfully and efficiently.
xc can be configured individually. This allows you to map all desired guidelines and standards and connect the system to existing structures.
Efficient processes are defined and automated via the Process Engine.
The 360° certificate cockpit makes xc particularly convenient. It supports risk management through simple monitoring and reporting. This also turns it into a valuable auditing support.
Reliable, documented key management with essendi xc
- Key generation according to set specifications (algorithm, length, etc.)
- Key management: monitoring of lifetime and status, incl. alert function (service lifecycle).
- Certificate and key storage: in HSM and key vault
- Controlled recovery and availability of keys in case of destruction or loss
- Handling of certificates and keys: generation, renewal, transport, etc. (structured according to standard processes and fixed, in-house specifications)
- Proactive risk management
essendi xc documents all areas of crypto management that are relevant for information security. This includes, for example, the key material, certificate processes and authorisations. This makes xc an ISO-compliant tool.