When they are needed
When the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, also require the implementation of appropriate data protection policies (in addition to the other required technical and organisational measures to protect data)
What is included
- defining the scope of the ISMS (business aspects, organization, locations, assets, technology)
- developing an information and legal risk methodology (addressing information risks in terms of confidentiality, integrity and availability of data; defining the treatment of information risks of business / support processes; defining information assets; identifying threats and vulnerabilities of assets; defining the treatment of information and legal risks)
- carrying out an analysis of information security and legal risks (identification of business / support process risks in terms of confidentiality, integrity and availability of data; identification of the significant information assets used in the same process; selection of the appropriate threats and vulnerabilities of those information assets; determination of the information risks for each information asset in terms of confidentiality, integrity and availability)
- implementation of risk mitigation procedures (choosing appropriate measures, accepting risks, avoiding individual risks, transferring risks to other parties)
- implementation of a documented information security management system (ISMS) (performing a GAP analysis of existing information security procedures, reviewing and updating existing documentation, drafting missing documentation, preparing SOA (Statement of Applicability) eligibility sheets)
- raising awareness among employees and contractual partners (education, communication of changes)
- preparing and conducting internal audits and management reviews
- implementation of other measures specified by legislation or by the requirements of ISO/IEC 27001 or similar standards