Externally appointed Information security officer

Your current situation

You are a small or medium-sized enterprise up to around 100 (max. 150) employees, for example a production company, construction services company, consulting agency, (creative) agency or medical practices.

An ISMS is already implemented in the company. This is to be continously developed and adapted to customer-specific requirements, so that the appropriate level of confidentiality, integrity and availability is always guaranteed.

The tasks are fulfilled in particular by the company's information security officer. However, the provision of own resources for this role is not possible or appears uneconomical within the company.

Furthermore, you value the principle of dual control, the impartiality and the professional expertise associated with the use of an external service provider for the role of information security officer.

Our service portfolio

As part of ongoing activities, the following specific services can be carried out by OS:

  • Contact for all questions pertaining to information security
  • Development of guidelines for information security
  • Preparation of annual plan/budget for information security measures
  • Support during modeling of business processes together with the process owners
  • Execution of risk analyses together with the management
  • Planning and performance of internal Audits and management reviews
  • Development of measures to improve the ISMS
  • and much more besides
Benefits for your company
  • Experience advantage and reduction of training requirements

The role of information security officer requires knowledge of ISO 27001 as a standard, the requirements as regards the ISMS documentation and basic IT structures. If this knowledge must first be acquired through training or if experience is not available, this entails costs and requires time. 

  • Avoidance of compliance problems or self-regulation

if tasks are performed in personal union (e.g. IT administrator). It would be conceivable to have an information security officer / quality management officer as well, but this also requires the above-mentioned knowledge.

  • No commitment of resources

A full-time information security officer can hardly be productive in any other way, at least during the development of an ISMS. Otherwise the set-up phase will be prolonged or the result "ISMS" may not meet the relevant requirements.

TISAX® is a registered trademark of the ENX Association.