In September, we and our subsidiary DENIC Services GmbH & Co. KG successfully completed the transition audits to the current version of the standard for information security management systems, ISO 27001. Our subsidiary has had its own certification since 2022, so both companies were audited separately for the transition.
What were the specific tasks?
The first step was to perform a gap analysis for the changes in the ISO/IEC 27001:2022 version to get a detailed overview of the necessary steps. The new features in the 2022 version mainly concern the measures defined in the so-called Annex A.
The eleven new measures are designed, amongst other things, to address threats that arise from developments such as cloud computing and social engineering. They are also intended to improve the effectiveness of information security management systems by offering more options for risk treatment. Examples are the measures on threat intelligence, information security for the use of cloud services, and secure coding.
There are a total of 93 such measures (controls) in Annex A that organisations can apply to treat information security risks in accordance with the standard.
It quickly became clear that risk management, i.e. the systematic identification, analysis and evaluation of risks to information security and the subsequent risk treatment, also had to be adapted to the new requirements of ISO/IEC 27001:2022.
Internal audits as a test run
Another requirement is that all core clauses and security measures are reviewed as part of internal audits. The initiative of the DACH registries, which has been in place for over ten years, came at just the right time. The mutual audits were carried out together with security colleagues from Switch and nic.at.
This year, DENIC Services GmbH & Co. KG also took part in the expert panel and received valuable and useful suggestions for migrating to the current standard for information security, cyber security and data protection.
Successful audits
DENIC and DENIC Services had their hands full preparing for the transition audits, which finally took place at the beginning of September: gap analysis, risk management, internal audits, and work that extended well beyond the information security team.
Thanks to the efforts of all employees, the transition to the new version has been a real joint success.