
Alongside the Information Security Officer (ISB), the ISO Coordinator at XFAIR is responsible for the Information Security Management System (ISMS) process in accordance with the ISO standard. The role comes with a wide range of diverse and high-responsibility tasks, with the main focus being close collaboration with and support for XFAIR’s ISB. In the interview “IT Security at XFAIR” on the XFAIR blog, you can learn more about these responsibilities and why ISO certification is so important for companies in the IT sector.
But what does ISO actually mean?
ISO 27001—officially ISO/IEC 27001—is a globally recognised standard for managing information security and defines the requirements for an ISMS.
Operating and maintaining this information security management system, as well as updating and continuously improving it in line with the PDCA cycle, is one of the core responsibilities of an ISO Coordinator. The PDCA cycle describes a process-based approach and the recurring workflow “Plan-Do-Check-Act”. This cycle ensures the ISMS is continuously adjusted and improved to meet constantly evolving security requirements.
As part of this work, policies, requirements and processes for increasing information security are reviewed on a regular basis, depending on their validity period, to ensure they are up to date, and are adjusted where necessary in coordination with the ISB. Naturally, this also requires monitoring and assessing the implementation of ISMS requirements and documentation. Documentation includes written instructions, procedures, plans, policies and other information required to control, organise and monitor processes. Within the documentation history, the reason for each change and the change date are always recorded to ensure consistent auditability.
Of course, this cannot be done without the continuous development of information security risk management based on the GDPR principles of confidentiality, integrity and availability. This means that company assets, such as employees, hardware or services offered, are subjected to a risk analysis in relation to these three protection goals to assess whether a risk is acceptable or must be minimised through suitable measures.
The results of the risk analysis are documented accordingly and the necessary measures are implemented. These measures always include regular staff training, which must be developed, scheduled and, once delivered, documented. This ensures a general awareness among employees when it comes to information security.
Another area of responsibility for the ISO Coordinator is preparing and coordinating internal ISMS audits as well as external ISO certification audits. ISO certification is valid for three years: in the first and second year, a surveillance audit is conducted; in the third year, a re-certification takes place, during which the audit scope is comparable to the initial certification audit.
Last but not least, the ISO Coordinator reviews and assesses the current threat landscape based on the latest security advisories from the warning and information service of Germany’s Federal Office for Information Security (BSI). These are accessed via the BSI website and can be prioritised using the CVSS score. CVSS stands for Common Vulnerability Scoring System and is a standard for rating the severity of potential or actual security vulnerabilities in computer systems.
The next certification audit will take place in mid-2025 under the new ISO 27001:2022 version. The focus here is on process orientation as well as additions and restructuring of requirements to reflect today’s cyber security landscape. This changeover is expected to require significant additional effort in advance. However, that effort is necessary in order to maintain a high level of information security.