The Information Security Officer and his function in your company
What is an Information Security Officer?
An Information Security Officer (ISO for short) supports you with the planning, implementation, improvement and compliance of information security. The area of responsibility essentially comprises coordinating and advisory tasks, for example developing recommendations for action, advising the company management, training employees and conducting internal audits. For this purpose the Information Security Officer has completed a demanding certification training course, so that he can bring the following professional and personal qualities to your company:
- Expertise in the area of information security
- Experience in project management, especially in risk management
- Communication skills
- Ability to work in a team
- Analytical thinking
The tasks of an Information Security Officer
The tasks of an Information Security Officer can vary from company to company. It is important that his field of activity is aligned with your company’s information security needs and goals. The Information Security Officer therefore starts with an as-is analysis. As soon as he knows the current state and can ensure that your company’s interests are accurately implemented, the Information Security Officer takes on the following tasks:
- Building an Information Security Management System (ISMS) in accordance with recognised standards such as ISO 27001 Certification or the TISAX Certification
- Support during certification audits
- Development of a security guideline and a security policy
- Review of security incidents
- Reporting on the status of information security to the management and other responsible parties
- Conducting awareness measures for employees on information security
- Conducting training on information security
Is the appointment of an Information Security Officer mandatory?
There is no legal basis that requires the appointment of an external Information Security Officer. The exception is companies operating critical infrastructures (CRITIS), for example in medical care, energy supply, water supply and transport: for them, the appointment of an Information Security Officer is mandatory. For all other companies the Information Security Officer is no less necessary. On the contrary: his appointment is recommended because of the advantages described below.
Advantages of an Information Security Officer
The appointment of an external Information Security Officer brings a high added value for your company.
- Certified expertise: The Information Security Officer has been through a demanding certification process. If your company lacks the necessary expertise in information security, the Information Security Officer makes up for it with the expertise he has gained.
- Effective implementation: The Information Security Officer is much faster at assessing which security concept is suitable for your company. He makes unbiased, qualified recommendations in favour of your company’s information security and gets you to implementation faster.
- Support for corporate management: The company management nevertheless remains informed about all processes without having to initiate and coordinate them itself. The Information Security Officer always reports to the management.
- Time, resource and cost savings: Since the entire security process and its subtasks are outsourced, your company saves time and personnel resources. This in turn results in cost savings.
- Competitive advantage: Well-developed security concepts give your company a competitive advantage. Show your business partners that you meet the information security requirements in your company and get an Information Security Officer to support you in this regard.
- Fulfilment of legal requirements: For companies from critical infrastructures (CRITIS) the appointment of an Information Security Officer is required by law.
In an initial consultation we advise you, without obligation, on the added value of an Information Security Officer for your company and answer your questions in an understandable way. Simply get in touch with us.
Costs: what are the expected costs for an Information Security Officer?
The expected costs for an Information Security Officer depend on your needs. The costs can be calculated precisely on that basis, but they cannot be stated as a flat figure in advance. Arrange a non-binding initial consultation with us now. That way we can get to know each other better and make you an individual offer.
Information Security Officer vs. Data Protection Officer: which is what?
From the outside, the areas of responsibility of an Information Security Officer appear to overlap with those of a Data Protection Officer. In fact it is essential to differentiate them: the Information Security Officer is focused exclusively on the protection of data and information in analogue as well as digital form, while the Data Protection Officer takes care of the protection of personal data.
Another difference between the Information Security Officer and the Data Protection Officer is based on § 4f of the Federal Data Protection Act. It states that all companies “which process personal data automatically must appoint a Data Protection Officer (…)”. Consequently, the Data Protection Officer is required by law. There is no comparable legal basis that dictates the appointment of an Information Security Officer; companies operating critical infrastructures are the exception.
We strongly advise you not to assign both areas of responsibility to one and the same person. Apart from the immense workload, this could lead to a conflict of interest. Fill the positions with two different people or appoint external service providers for your company.
Your contact for information security
The Information Security Officer is your contact for information security. Would you like to find out more about filling this position in line with your requirements? In an initial meeting we determine the scope of your needs. Based on our experience we can then assess precisely whether and to what extent we can support your company in appointing an Information Security Officer. You can also discuss general questions about information security with us. We look forward to our initial meeting with you.
Case study: TISAX certification
Backless is carefree: that is the motto under which Stigler & Roos carries out successful customer events for the automotive industry. The use of modern IT systems and digital technology is a matter of course. This is also why Stigler & Roos GmbH was one of the first companies in the event industry to be certified according to the TISAX standard. Memex won them over with a practical implementation concept.