Whether business partners, clients or interested parties – everyone has the expectation that their data is being optimally protected by service providers. What’s more: EU General Data Protection Regulation (GDPR) and German lawmakers require that the technical and organisational measures of data protection and information security be checked by customers in cases of data processing on behalf. But very few companies have the necessary competences or resources to do this.
The solution to both challenges lies in the certification of (internationally) recognized standards whose implementation and compliance can be ensured through independent auditors and an accredited auditing agency. If the concern is to check the IT security of a data centre through such external audit powers, than the standards ISO 27001 (native) as well as ISO 27001 based on IT baseline protection, are worth considering.
Information security in management standards
Most notable within the realm of management standards are ISO 9001 which has been established for quality management, ISO 14000 for environmental management and ISO 27001 for information security management. These standards are to a certain degree a ‘best practice’ aggregate; they sum up what hundreds and thousands of companies have successfully checked out over decades. Companies who are certified by an accredited standard have a guarantor who can show business partners and lawmakers that they follow tried and tested, (internationally) recognized management methods.
In Germany, there are two standards for information security management systems (ISMS) which have been established: on the one hand an ISO 27001 native certification, and on the other an ISO 27001 certification based on IT baseline protection (also named BSI baseline protection). Actually, both are management standards – that means that the end result is not the primary focus of their inspection, but rather the way or respectively the means to more information security. Solely IT baseline protection gives precise guidelines for which security measures to put into place, thereby establishing a benchmark.
This is how standard ISO 27001 based on IT baseline protection functions
Standard ISO 27001 based on IT baseline protection, which was developed by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), contains an anticipatory risk analysis. In other words: the BSI has predicted a certain number of typical threats to IT of companies and provided specialized counter-measures for them, taking away much of the time-consuming analysis which companies would have to make themselves. If it is fundamentally the case that a danger threatens a company, then all respective protective measures must be implemented. In this manner, BSI defines a baseline risk level, which is why they also speak about baseline protection.
Advantages and disadvantages of BSI baseline protection for companies
The advantage of a BSI baseline protection certification for companies is primarily that they do not need to execute a risk analysis on the basis of which they would then have to develop an appropriate security measure themselves. Only when a given threat for a company, or respectively, a use case has not been taken into consideration within the BSI baseline protection catalogue, a company must implement a supplementary security and risk analysis. Our experience shows that there are security standards already in place for about 80 % of the cases, e. g. ‚how thick the door of server room needs to be.‘
However, the accompanying disadvantage for companies is the enormously detailed specifications of its implementation. As a rule, one can assume that for BSI baseline protection there will be about ten-times the amount of effort involved in the fulfilment of the certification requirements as compared to the standard ISO 27001 native.
For customers, business partners and clients of a company who is certified according to ISO 27001 based on IT baseline protection, there is still the advantage that the standard not only illustrates that an information security management system exists at all. Rather, it explicitly defines what and how it is implemented within the company. Thus, with a successful certification, it can also be assessed from outside a company e. g. how the configuration of a Windows 2008 server has been established. So, in comparison to an ISO 27001 native, a BSI baseline protection certification states significantly more about the existing implementation of technical security measures.
A limitation of ISO 27001 based on IT baseline protection is its limited international recognition and a lack of a centrally located accreditation body (as of the present moment, the standard is not derived from the German Accreditation Body (Deutsche Akkreditierungsstelle – Dakks). For this reason, acceptance is by and large still limited to German-speaking countries. Currently, there are approx. 90 companies in Germany who are certified according to ISO 27001 based on IT baseline protection, while in this part of the world about 600 to 800 companies have a certification according to ISO 27001 native (approx. 15,000 worldwide).
However, whoever would like to make a bid on projects within the public and legal sectors of Germany, will rarely be able to get around having a BSI baseline protection certificate. In line with this, the Federal Ministry of the Interior (Bundesministerium des Inneren – BMI) has set the BSI baseline protection catalogue as its benchmark for its National Action Plan 2017 for public authorities. Should security relevant information or processes be outsourced (for example stored in the cloud), than an ISMS, based on IT baseline protection, is indeed mandatory.
What are the components of the BSI IT baseline protection catalogue?
The central element of the IT baseline protection catalogue is its components (In German: Bausteine). These components can be described as being within five layers:
- Universally applicable aspects (e. g. viral protection, personnel)
- Infrastructure (e. g. buildings, server room)
- IT systems (e. g. telephone systems, mobile phones)
- Networks (e. g. WAN, LAN, firewall)
- IT applications (e. g. software, databases)
In the case of a certification according to ISO 27001 based on IT baseline protection, at least seven components are reviewed. And each component contains measures whose correct application is checked in an audit. All in all, in an audit which takes place over several days many areas are checked and cleared.
BSI baseline protection from Global Access
Global Access has already been certifying its data centre security along with its cloud computing security since 2008 according to ISO 27001 native, and additionally according to ISO 27001 based on IT baseline protection since 2013. In doing so, we made ourselves the first cloud provider in Germany to have such certification.
This is turn has several advantages for our partners and customers:
- Products and services provided by Global Access can be advertised for their level of IT security.
- For Global Access, in the case of data processing on behalf, the need for customers to check technical and organisational measures usually falls away.
- In using the services of Global Access, companies may be able to go about acquiring certification according to ISO 27001 based on IT baseline protection more easily themselves as our services and the existing infrastructure (e.g. server rooms, wiring) need no further checks or to be extensively arranged or monitored. This means a dramatically reduced cost in terms of time and money in implementation on the side of your company or administration.
