INFORMATION SECURITY MANAGEMENT (ISMS)
Efficient management of information security
Aligned with the processes of highly regulated industries, the DHC VISION solution enables traceable governance and control of all regulatory documentation. Controlled end-to-end processes, interactive business intelligence and data analytics functions in combination with an appealing design ensure “Efficient Compliance”.
Insidious attacks on IT infrastructures are no longer a rarity. Trojans, viruses, and worms cause enormous damage. They endanger the security of organizations of all kinds. Anyone who fails to protect themselves comprehensively through technical and organizational measures will inevitably fall victim to a cyber-attack in the short or medium term. Data theft or destruction, digital blackmail or the spread of malware are just a few examples of possible consequences.
How information security can be established is regulated by ISO standards or the specifications of the German Federal Office for Information Security (BSI). They provide the basis for an information security management system (ISMS). The reliable framework for documentation and the basis for controlling such a system is provided by the ISMS of DHC Business Solutions. It is also the digital solution for the special requirements of critical infrastructure protection (CRITIS) and industry-specific security standards (B3S). The ISMS follows the PDCA (Plan-Do-Check-Act) model: the individual phases for planning, implementation, review, and continuous improvement of activities are formalized. The IT infrastructure is comprehensively documented, risks and the current security level are analyzed, and processes for transparent follow-up of measures are established.
Request factsheet
Compact information on all processes related to controlled documents and the complete range of functions are available in the factsheet on DHC VISION SOP Management.
Impressive functionality
Asset management / value management
- Inventory of any assets (values) incl. groupings and hierarchization
- Definition of responsibilities and additional detailed information
- Establishment of references to existing threats and vulnerabilities
- Identification and assignment of information security risks
- Support of a comprehensive protection needs analysis
- Extensibility by customer-specific and industry-specific protection goals
- Flexible interfaces for importing and updating asset structures
Risk management
- Recording and comprehensive documentation of all information security risks
- Multidimensional risk assessment (probability of occurrence, extent of damage)
- Establishing relationships between risks, threats and vulnerabilities
- Definition of risk management strategy (avoid, mitigate, etc. risks)
- Definition and assignment of adequate measures for managing risk
- Consideration of risks before and after the implementation of risk-reducing measures
- Issuance of statements on the acceptance of residual risks
- Clear dashboards for monitoring the risk management progress
Measures management and incident handling
- Process support for the implementation of information security measures
- Definition of cyclically recurring measures
- Reminder of deadlines regarding measures incl. escalation mechanisms
- Sustainable and audit-proof documentation of implementation results
- Fast and easy recording of security incidents via web forms
- Definition of responsibilities and processors for fast and efficient handling of security incidents
- Definition of immediate, corrective and preventive actions
- Dashboard for monitoring management status and progress
Insight into our customer relations
“When deciding to implement an ISMS, DHC’s coherent overall package was decisive for us, namely the fast project implementation and the short ‘time to market’, combined with an optimal connectivity of the ISMS to upstream and downstream management systems. In particular, DHC VISION’s dashboards with real-time data on assets, risks and potential damage, the status of policies and key KPIs are extremely valuable. This has also emphatically convinced the management. In short, we made the right decision.”
Mats Conrad
Joh. Meier Werkzeugbau GmbH
All options at a glance
Asset management
- Inventory of assets (values) incl. groupings and hierarchization
- Definition of responsibilities and additional detailed information
- Establishment of references to existing threats, vulnerabilities, and resulting risks
- Support for protection needs analyses covering higher-level or lower-level assets
- Consideration of all basic and industry-specific protection goals (“availability”, “integrity”, “confidentiality”, “authenticity”, “patient safety”, “treatment effectiveness”, etc.)
- Flexible extensibility to include customer-specific asset properties
Risk management
- Recording and comprehensive documentation of all information security risks (responsibilities, risk description, effects if risk occurs, etc.)
- Evaluation of risks via the dimensions “probability of occurrence” and “extent of damage” (qualitative or quantitative)
- References to the threats and vulnerabilities as sources for risks
- Definition of the risk management strategy (avoidance, mitigation, etc.) and of adequate measures
- Individual assessment of risks before and after the implementation of risk-reducing measures (gross/net consideration)
- Submission of statements on the acceptance of residual risks
- Clear dashboards and evaluations for efficient risk monitoring
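As an added illustration (not code from DHC VISION or this page), a minimal risk register in Python that applies the assessment model listed above: each risk references an asset, a threat and a vulnerability, is scored on "probability of occurrence" and "extent of damage", gets a gross score before and a net score after implemented measures, and yields a residual-risk acceptance statement plus the counts a monitoring dashboard would show. The ordinal scales, the acceptance threshold and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed ordinal scales for the two assessment dimensions used on this page.
PROBABILITY = {"rare": 1, "possible": 2, "likely": 3, "almost certain": 4}
DAMAGE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ACCEPTANCE_THRESHOLD = 4  # assumed: residual scores at or below this may be accepted

@dataclass
class Measure:
    name: str
    probability_reduction: int = 0  # steps down the probability scale once implemented
    damage_reduction: int = 0       # steps down the damage scale once implemented
    implemented: bool = False       # only implemented measures count in the net view

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: str
    damage: str
    measures: list = field(default_factory=list)

    def gross_score(self) -> int:  # before measures: probability x extent of damage
        return PROBABILITY[self.probability] * DAMAGE[self.damage]

    def net_score(self) -> int:  # after implemented measures; no dimension drops below 1
        p, d = PROBABILITY[self.probability], DAMAGE[self.damage]
        for m in self.measures:
            if m.implemented:
                p, d = max(1, p - m.probability_reduction), max(1, d - m.damage_reduction)
        return p * d

    def residual_statement(self) -> str:  # statement on acceptance of the residual risk
        net = self.net_score()
        if net <= ACCEPTANCE_THRESHOLD:
            return f"accepted: residual risk {net} (gross {self.gross_score()})"
        return f"not accepted: residual risk {net} exceeds {ACCEPTANCE_THRESHOLD}, more measures needed"

def dashboard(risks):  # the counts a monitoring dashboard would show
    accepted = sum(r.net_score() <= ACCEPTANCE_THRESHOLD for r in risks)
    return {"total": len(risks), "accepted": accepted, "open": len(risks) - accepted}

# Constructed sample register: one risk brought below threshold, one still open.
REGISTER = [
    Risk("billing server", "malware infection", "missing patch process", "likely", "high",
         [Measure("patch management", probability_reduction=2, implemented=True),
          Measure("offline backups", damage_reduction=1, implemented=True)]),
    Risk("HR file share", "unauthorised disclosure", "over-broad permissions", "possible", "critical",
         [Measure("quarterly access review", probability_reduction=1)]),
]
```

Planned but unimplemented measures leave the net score equal to the gross score, which is why the second entry stays open until its access review is actually carried out.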
Measure / Action management
- Complete process support, from recording, implementation and effectiveness testing to the formal closure of measures
- Classification of measures
- Preventive measures for proactive risk reduction
- Immediate and corrective measures for handling security incidents
- Definition of cyclically recurring measures incl. automatic start of measures (weekly, monthly, annually)
- Reminder of deadlines for measures, incl. escalation mechanisms
- Sustainable and audit-proof documentation of implementation results
- Role-specific dashboards for monitoring status, priority, and implementation progress of measures
Standards / Laws / Industry-specific requirements
- Setup or import of standards and legal requirements (ISO/IEC 27001, 27002, 27005, 27019, 22301, EU GDPR (DSGVO), etc.)
- Mapping of CRITIS requirements or other industry-specific standards (IT-SiG, B3S-Medical Care, VDA ISA (TISAX), etc.)
- Integration of the new BSI IT-Grundschutz Compendium with its specific threat catalogues and recommended measures
- Linking of the guidelines and planned/implemented measures to standards or the specific target assignments
- Dashboards and evaluations for monitoring the degree of normative compliance
Events, notifications, communication
- Notification Event Modeling Framework for automated, accurate and timely notification of people, roles/groups or systems about the status of definable events such as dates, thresholds, metrics, or new document versions
- Flexible and appealing design of notifications (including HTML), also multilingual, to different recipient systems (email, social media, mobile devices, etc.)
- Rule-based communication by creating messages along role-based interests and views (user view, organizational view, compliance view)
- All notifications are subject to an audit trail
- Full traceability of who was informed about what, when, with what content
Document management
- Template-based creation and storage of all topic-specific documents directly within DHC VISION
- Provision of pre-filled document templates for information security management and related topics (data protection, continuity management)
- Definition and maintenance of meta data (responsible parties, authors, reviewers, releasers, confidentiality level, scope, validity period, etc.)
- Review and release workflows, incl. electronic signature
- Target group-specific publication of documents with differentiated access control
- Versioning and audit-proof storage of documents
- Monitoring of validity periods, incl. automatic resubmission
- Workflows for validity extension, invalidation, and archiving
- Context-sensitive full-text search with comprehensive filtering options
Incident Management
- Fast and easy recording of security incidents via web forms
- Assignment of affected assets or asset groups
- Definition of responsibilities and agents for fast and efficient handling of security incidents
- Classification of criticality, priority and definition of deadlines with regard to handling security incidents and related measures
- Definition of immediate, corrective, and preventive actions
- Comprehensive dashboard for monitoring status and treatment progress
Data protection (EU GDPR)
- Audit-proof creation, review, and release of all data protection-specific documents and forms
- Register of processing activities and management of data processing contracts
- Recording of data protection-relevant aspects (relevance, type of processing, categories of data subjects, recipient groups, etc.)
- Protection needs analysis and risk assessment from a data protection perspective
- Recording and control of all measures to ensure data protection
- Support for reporting and handling data protection incidents
Continuity management (BCM/BIA)
- Execution of Business Impact Analyses (BIA) incl. documentation of results
- Assessment of risks resulting from the BIA and definition of measures
- Management of all relevant BCM/BIA documents (emergency plans, operating manuals, restart plans)
- Control of cyclical emergency and restart tests for critical processes and assets
Validation and compliance consistently in view
DHC VISION is specially designed for use in highly regulated industries. The solution meets GxP guidelines and directives of the FDA, EMA, PIC/S or ICH, as well as 21 CFR Part 11, for both technology and business processes. The “Validation Package” consists of “Validation Accelerators” (complete documentation set for validation) and Validation Services for adapting the documentation to a specific system configuration.
Matching products
TRAINING
The perfect and seamlessly integrable addition to SOP management. Digital processes set new standards in “Training Compliance”.
AUDIT
Indispensable for an integrated management system. An entirely digital and user-friendly audit process. The ideal addition to the other quality modules.
Your information package
Get an impression of this and other products or read what insights we have gained from research and development. Take advantage of our exclusive content such as white papers or study results on the digitization of quality and compliance processes. Put together your desired media easily and conveniently.
ISMS software secures the energy supply
Kommunale Eisenberger Energiepartner GmbH, or KEEP for short, is an association of the electricity supply companies of the Eisenberg...
FAQ
What is an ISMS?
ISMS stands for Information Security Management System. An ISMS defines methods and rules to ensure information security in an organization or company. Based on the actual threat situation, it identifies risks in relation to assets. Assets are not only IT components, but also the building infrastructure, business processes, employees, intellectual property, and other data worth protecting. Suitable technical and organizational measures are intended to reduce risks with regard to the likelihood of their occurrence and the expected extent of damage. This is a continuous monitoring and follow-up process.
What is the goal of an ISMS?
The goal of an ISMS, essentially, is to continuously improve the information security of an organization.
Concrete goals are:
- Creation of an overall awareness for information security in the organization
- Identification of assets to be protected
- Identification and assessment of information security risks
- Definition and implementation of suitable protective measures
- Establishment of processes for continuous improvement of information security
Do I need an ISMS?
So far, only companies that are part of what is called Critical Infrastructure (CRITIS) are required to implement an Information Security Management System (ISMS). This holds, for example, for companies in sectors such as energy and water supply, transport and traffic, medical care, government administration – i.e., companies and organizations that ensure the supply of such services and other indispensable goods. In times of constantly growing threats from cybercrime, hacker attacks and data theft, however, all companies and organizations are advised to deal with information security. Through a structured approach to introducing an ISMS, security gaps can be identified and closed through appropriate measures. In many B2B business relationships, business partners are expected to have a functioning ISMS in place.