The dependence on IT systems, the increasing number of cyber threats, and the pressure regarding the General Data Protection Regulation (GDPR) in Germany are forcing Swiss companies to systematically address potential risks.
The fourth industrial revolution or Industry 4.0, which refers to the intelligent networking of machines and processes in industry with the help of information and communication technology, has long since begun. We are now much more dependent on business connectivity (the degree of networking), its underlying infrastructure, and the use of the Internet and mobile devices. This dependency has been exacerbated by the Covid-19 pandemic and has resulted in an even greater need for the security and resilience of digital systems today.
Carolina Klint, Risk Management Leader Continental Europe at Marsh, says, "As companies recover from the pandemic, they are rightly turning their focus to organizational resilience and environmental social governance (ESG) performance. With cyber threats today growing faster than our ability to permanently eliminate them, it is quite clear that without credible and thoughtful cyber risk management plans, there can be no resilience or governance."
(Source: WEF, Global Risk Report 2022)
Cyber criminals are becoming visibly more adept at acting and hitting companies where they are most vulnerable. The damage caused can have a devastating financial impact and cripple business operations and infrastructure for weeks.
On May 25, 2018, the GDPR came into force in Germany. It is a compliance standard to improve data protection and applies to all companies inside and outside the EU that store or process personal data of EU citizens. In the meantime, the Swiss Data Protection Act has also been renewed. The introduction of the new Data Protection Act (DPA) is scheduled for September 2023.
Both the ISO 27001 standard and the GDPR aim to improve data security, minimize the risk of data breaches and ensure the confidentiality, integrity and availability of sensitive data. Companies are required to reduce potential risks. Attention is focused on accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
International standards provide solutions that enable organizations to put in place frameworks and systems to assess and manage their risk situation: protecting information and securing applications, services and infrastructure.
Standards
Behind the term International Organization for Standardization (ISO) is an organization that pursues the goal of creating internationally uniform standards.
Since the ISO organization was founded in London on February 23, 1947, more than 21,000 standards have been published.
Overview of standards that could be of interest to IT companies:
Security and data protection for the Internet of Things (IoT)
Security and privacy for Big Data
Security and privacy for artificial intelligence and biometric data protection
These are complemented by more recent technical specifications such as ISO/IEC TS 27570, which provides guidance on protecting privacy in smart city ecosystems, and ISO/IEC TS 27100, which describes how to create or evolve robust cyber systems to protect against cyberattacks.
The third edition of ISO/IEC 27002 was published in the first quarter of 2022. This standard addresses information security controls and has been updated to reflect technological advances, business developments and practices, and new laws and regulations. In addition, there are ISO standards for
ISO/IEC 27035 Incident Management
ISO 22301 Business Continuity Management
ISO/IEC 27031 Information technology and IT security procedures
For example, a number of management standards help build organizational resilience or counteract business disruption and ensure survivability and governance. These include:
ISO 22301 Business Continuity Management Systems
ISO/IEC 27001 Information Security Management Systems
ISO/IEC 27014 Information Security Governance
ISO Certification
An important prerequisite for the successful implementation of an ISO management system is the active role of management. This means not only providing the financial, time and human resources, but also recognizing the need to implement and develop the management system.
ISO 27001 certification, i.e. the establishment of an ISMS (Information Security Management System), is the most common certification in the IT field in Switzerland and a standard used worldwide. It has the following characteristics:
Evidence of having a plan in place to take all necessary precautions to protect the company from security breaches
Creating awareness of potential risks that threaten a company
Raising awareness of security-related issues among all employees
Competitive advantage
The implementation of an ISMS is ideally done in combination with ISO 9001 - Quality Management System. This standard covers all strategic and operational management processes from human resources and support processes to actual service delivery. ISO 9001 forms the basis and is the ideal foundation for building an integrated management system.
Certification process
An ISO certification cycle lasts three years. The validity of ISO certification is checked on the basis of an annual external audit and, if successful, extended for a further year. The focus of this process is on the continuous improvement process (CIP) and further development of the management system.
By carrying out internal audits - a central instrument of the management system - the procedures that are important for ISO can be checked regularly and across departments. In addition to compliance with defined procedures, it is important that employees in particular are sensitized to the importance of the standard introduced in the company. The identification of potential for improvement using the PDCA cycle (Plan-Do-Check-Act) is central to this. The next step is to develop ideas for solutions, define sensible implementation steps, implement them, check them, and then incorporate the findings into the next planning steps. This is a process in which employees are directly involved.
The documents required for setting up a management system can be created independently or with the help of an external consultant. The time required varies greatly here and depends on the internal know-how or that of the external consultant. The costs are similar.
After a successful document review, the external audit can be planned and defined with a certification company. For this purpose, an audit program is drawn up, which specifies the areas to be assessed (standard chapters), the time frame and the persons involved.
Added value of an ISO certification
With the introduction of an ISO standard from the ISO 27000 family, you make an active contribution to the protection of your IT environment and show your customers and partners that you take the security of your data and information seriously and have it systematically audited externally and independently.
Due to the increasing number of hacker attacks on Swiss companies and the growing pressure from the GDPR (DSGVO) regarding the handling of personal data, the demand for ISO 27001 certification in Switzerland is increasing significantly. Increased demand can be seen among IT companies, startups, for example in the med-tech sector, but also among suppliers in critical supply chains and various industries - such as healthcare or logistics companies.
ITIL versus ISO 20000
While ISO 27000 focuses primarily on data security, other standards, such as ISO 20000 or ITIL, are designed for overall IT service management (ITSM).
ITIL stands for Information Technology Infrastructure Library and is a collection of best practice processes that form a de facto standard in the field of IT services management.
The basic idea of the ITIL framework is to integrate processes, procedures and tasks from the area of ITSM into the overall business strategy of the organization in order to achieve optimal results.
With the advent of new technologies, ITIL is regularly updated so that existing processes and workflows can be managed even better.
Unlike ITIL, the ISO 20000 standard addresses the management system of a company. Companies can have the processes of their IT organization audited and certified according to the requirements of the standard. The ISO standard defines minimum requirements for a service management system and is based in part on the management processes of ITIL.
ITIL does not recognize any certification of companies, but is strongly represented in the training of IT and management specialists. Employees can be trained and ITIL certified, while auditing an ISO standard certifies the company's management system.
Thomas Frischknecht, Executive MBA HSG, Regional Manager and Lead Auditor Attesta Schweizer Zertifizierungsgesellschaft AG. Educational focus on quality management - especially ISO 27001 and information technologies. Long-term management of an IT service company. Self-employed entrepreneur with consulting focus on IT security and CIO topics.