Supplier Solutions Portal

Externally appointed Information security officer

Your current situation

You are a small or medium-sized enterprise up to around 100 (max. 150) employees, for example a production company, construction services company, consulting agency, (creative) agency, or doctor's surgery.

An ISMS is already implemented in the company. This needs to be continually further developed and adapted to customer-specific requirements so that the right level of confidentiality, integrity, and availability is always ensured.

The tasks in this regard are mainly fulfilled by the information security officer in the company. However, it is not possible or seems uneconomical for the company to provide its own staff for this role.

Furthermore, you value the principle of dual control, the impartiality, and the professional expertise associated with the use of an external service provider for the role of information security officer.

Our service portfolio

As part of ongoing activities, the following specific services can be carried out by OS:

  • Contact for all questions pertaining to information security
  • Drafting of guidelines on information security
  • Creation of annual plan/budget for information security measures
  • Support during modeling of business processes together with the process owners
  • Execution of risk analyses together with the management
  • Planning and performance of internal Audits
  • Planning and performance of management reviews
  • Drafting of measures to improve the ISMS
  • Support with the planning and implementation of company-wide information security Projects
  • Check as to whether information security measures and regulations are being complied with
  • Training sessions on the subject of information security
  • Processing and documentation of information security-related incidents
Benefits for your company
  • Reduced need for training, greater experience

The role of information security officer requires knowledge of ISO 27001 as a standard, the requirements as regards the ISMS documentation, and fundamental IT structures. This knowledge may first need to be gained through training if there is a lack of experience. This is a costly, time-consuming process.

  • Avoidance of compliance problems or self-regulation

if tasks are carried out by one person with two roles (for example, IT administrator). A joint role as information security officer / quality management officer would be conceivable, but the person would require the expertise mentioned above.

  • No commitment of resources

An information security officer who is employed with this as their main role can hardly be productive in any other way, at least while an ISMS is being set up. Otherwise the setup phase will take longer or the resulting ISMS may not meet the relevant requirements.


TISAX® is a registered trademark of the ENX Association.