Rudolf Ehrensberger, ISB of administrative community (VG) Neumarkt, in conversation with Dr Matthias Kampmann from IT Security Cluster about the upgrade from ISIS12V2 to CISIS12® (ISIS12V3).
IT-SEC: How did your work with and in ISIS12 come about? How long have you been using the ISMS?
Rudolf Ehrensberger: I was commissioned by my employer, the administrative community of Neumarkt i. d. OPf., to introduce an information security management system (ISMS). The step into an ISMS based on ISO/IEC 27001 or on BSI IT-Grundschutz was too big from my point of view. So the decision was made to go with ISIS12. This was in December 2018. Our cooperation with Frank Moses from the company SlyCon began in February 2020, and we successfully completed the DQS certification with him in June 2020. The cooperation was a stroke of luck for the municipality because it gave us the chance to form one of the pilot projects for the third version of ISIS12. Frank Moses is not only a consultant, but also one of the lead developers of CISIS12®.
IT-SEC: So the administrative community of Neumarkt i. d. OPf. is a pilot for CISIS12®, but first certified itself in ISIS12V2. What has changed with CISIS12®?
E.: The process-oriented approach in the third version is a significant improvement in the implementation and introduction as well as the expansion and extension of a comprehensible ISMS. In my opinion, CISIS12® has created the basis for meeting the digital challenges of the present and harmonising the ISMS.
IT-SEC: What is getting better?
E.: The view of the work with the ISMS becomes more transparent through the process view for all those involved, whether at management level or among the employees. The interviews with the department heads as process owners were very effective. They talked about the activities (processes) in the department and not about critical applications. Applications per se are initially all non-critical. The importance of an application is derived from the protection needs of the business process (BP), such as the communication process that a particular application requires. And the protection level assessment for the applications is not the task of the process owner. That is, for example, the responsibility of the IT manager.
CISIS12® is a real ISMS that meets the market requirements and challenges, the expectations of our customers (citizens) and of politics (OZG/digitisation). And development is a must. Technology develops, organisations change. An ISMS has to keep up with this. The adaptation and further development of the ISO standards and of BSI IT-Grundschutz are also taking place. With CISIS12®, the signs of the times have been recognised! True to the motto "If you don't move with the times, you'll remain outdated".
IT-SEC: How was the switch?
E.: Simple! You adopt the technical-organisational measures from ISIS12. You evaluate the CISIS12® building blocks. You need to know which business processes are important in your company or organisation. To do this, you conduct interviews with the department heads and you carry out the protection needs assessment. The protection objects are given a level of protection. Done! Competent advice is of course very advantageous here. We in Neumarkt were therefore very happy that we were allowed to take this step so early as a pilot partner of the cluster. With the support of our competent partner, the further development of our organisation using CISIS12® was no longer a problem.
IT-SEC: What do you need from the cluster? How can we optimise our service?
E.: The fact that the IT Security Cluster organises forums, for example, currently online of course, is really helpful. For example, IPMs can exchange information in a setting where companies of different sizes and municipalities, or the IPMs from districts, can talk about their experiences in their everyday work. The fact that the cluster is also a reliable and constant contact partner and takes the interests of us users into account in the development of the ISMS is not always directly visible in such large projects as the introduction of an ISMS, but it is definitely a great help.