Information Security

Our aim is to ensure security and resilience in an increasingly tense environment.

Our aim

We specialize in shaping change processes to make organizations fit for the future. In this context, the topic of information security is of crucial importance, as many organizations work with personal and confidential data and have digitized their business models and processes. This digitalization brings with it new dependencies and vulnerabilities that we want to address.

Our solutions are characterized by two core elements. Firstly, we follow a clear system to ensure that information security is implemented effectively. Secondly, we attach great importance to ensuring that our solutions are accessible to the people in the organization in order to ensure their acceptance and commitment.

Our work is based on the following aspects:

Extensive first-hand experience

We bring extensive experience from the ongoing development of our own information security management system (ISMS). This enables us to incorporate best practices and the latest findings into our work.

Customized ISMS

We design an ISMS that is precisely tailored to the size of the company, industry and protection requirements. This ensures effectiveness and acceptance.

Change expertise

We bring extensive change expertise to the table. This is helpful because implementing a higher level of information security often requires a change process.

Integration of perspectives

We integrate the perspectives of legal security, day-to-day usability and the influence of organizational culture into our work to create a comprehensive and balanced solution.

Sensitization

Our extensive experience as a service provider for employee surveys and management feedback projects has shown us how sensitive the handling of data can be. We are therefore particularly sensitized to the protection and security of data in our projects.

Our goal

Our goal is to help organizations keep their data secure and resilient while promoting a culture of information security throughout the organization. This enables them to successfully meet the challenges of a digital and networked world.

Our packages

Data protection or information security officer

We take on the role of an external data protection officer or an external information security officer. Your advantage is that you do not have to build up the necessary expertise yourself and still have a professional solution.

Basic Protection

The focus is on checks and the absolutely necessary implementation of immediate measures. The aim is, firstly, to meet legal requirements and, secondly, to reduce the vulnerability of your organization. We align our support in such a way that the establishment of an ISMS (information security management system) is possible in the long term.

ISMS: setup, operation, preparation for audits

The aim of this form of support is a management system. The path to this can be a far-reaching change process. This naturally affects the IT infrastructure and processes. It also often requires a cultural change. This is because habits and behavioral patterns need to change. This is where we contribute our expertise in the design of change processes.

What we bring to the table

As organizational consultants, we work with personal data or confidential information in virtually all of our topics. We have always done a lot for data protection and information security; however, at some point around 2015, this became too unsystematic for us. We then decided to set up an ISMS, i.e. an information security management system.

We experienced a lot in the process.

First, joy at progress.

Second, frustration at setbacks, errors and dead ends.

Third, doubts time and again.

We then felt our way forward by trying things out, evaluating and readjusting.

In 2019, we were one of the first SMEs in Germany to achieve certification in accordance with the ISIS12 standard. We bring this instructive first-hand experience and several certifications as consultants for data protection and information security to our projects.

Is there a definition of information security?

Information security refers to a state in which the risks to the security objectives of confidentiality, integrity and availability of data and IT systems are reduced to an acceptable level through appropriate measures. In addition to the security of IT systems and the data stored in them, information security also includes the security of data and information that is not processed and stored electronically.

The goal of availability of IT systems is of particular importance here. This includes all precautions and measures to ensure the continuation of day-to-day work even in crises and emergencies.

How can we ensure information security in the future?

In the course of digitalization, precautions need to be taken with regard to information security and data protection, and to a much greater extent than before. The regulatory framework and therefore also legal liability regulations have now reached a new level. Some organizations are finding this difficult. In our view, this is hardly surprising, as there is a lack of practical guidance and role models. On the other hand, there is no shortage of wagging fingers. We would advise against raising an organization to a "high" level of information security in one go. This would completely ignore the hurdles and effort involved and thus lead to an overstretching of resources. The consequences would include burnt-out and frustrated employees. We recommend a step-by-step approach with an expandable foundation and a continuous improvement cycle.

What does process management have to do with all this?

Many organizations (i.e. companies, public authorities and NGOs) are still largely functionally oriented. This manifests itself in organizational charts, organizational instructions, job descriptions and much more. In contrast, the focus on processes is often only rudimentary. Even important processes are often insufficiently clarified or limited to one team or department. The consequences then become visible at interfaces. These are extremely unfavorable conditions for information security.

How can we get all employees on board?

A participative approach is generally recommended. It is extremely important to make all employees aware of the risks associated with information security and data protection, and this must be done with comprehensible examples from everyday working life. Transparency is also needed regarding objectives, analysis results, procedures and measures. This creates trust and orientation for everyone. Involving those affected in analyses and solution work promotes acceptance and integrates the field expertise of employees.
