ISO 27001, TISAX®, IT-SiKat, SzA, B3S, KRITIS, VAIT, IT security catalog, VDA ISA, attack detection systems, pharmaceuticals, food retail, hospitals, hosting, CDN, traffic control systems, control systems, food industry, aggregators, data centers, ISO 27017, ISO 27019, ISO 27701

INTERNAL AUDIT ⚫️⚫️🔴

Performing internal ISMS audits (worldwide) to meet official requirements.

Audit Bases
  • ISO 27001, ISO 27017, ISO 27019

  • VDA ISA (TISAX®), VAIT, NIS2

  • IT Security Catalog (IT-SiKat, §11 1a & 1b EnWG)

  • Industry-Specific Security Standard (B3S KRITIS)

  • Guidance and specification of the requirements for the measures to be implemented in accordance with §8a section 1 of the BSIG

What clients and cooperation partners say:

"A complete professional, through and through! As part of a comprehensive ISO 27001 certification, Mr. Borgers gave us crucial recommendations as part of a third-party audit prior to the certification, so that we successfully passed the ISO 27001 certification audit right at the first attempt. His way of working was characterized by extreme care, thoroughness, foresight and outstanding specialist knowledge. Deadlines were always met on time. I can recommend Mr. Borgers without reservation. Anyone who wants to implement an ISO 27001 certification effectively is in good hands with him."
Martin Kerkmann via LinkedIn | EPLAN

An information security management system (ISMS) requires companies to conduct independent internal audits at regular intervals. These audits verify whether the requirements of the relevant standards and the company's internal guidelines are being met, and evaluate whether the ISMS is being effectively implemented in day-to-day practice. For many companies, conducting these audits is a challenge, particularly when a small workforce makes it impossible to guarantee that the internal auditor is independent of the area being audited. In such situations, and especially when the focus is on identifying and exploiting opportunities for improvement, it is advisable to entrust the evaluation of the management system to an external auditor.

Auditor ≠ Auditor

In the information security industry, there is no legally protected professional title for the role of auditor. This regulatory gap allows individuals to call themselves auditors, even if their qualifications are based on a short training course that lasts only a few days. This carries the risk that the quality and depth of the audits may not meet the required standards, as theoretical knowledge from short courses is often insufficient to cope with the complex challenges of information security in practice.

A similar problem exists in the area of consultancy. There are consultants who have never had direct operational responsibility for IT security or information security in their professional careers. Nevertheless, they offer consultancy services, even though they lack practical experience. This discrepancy between theory and practice can lead to a lack of realistic, effective solutions. However, practical experience, particularly in the operational area, is essential for the evaluation and improvement of information security. Theory alone cannot fully grasp the diverse and often unpredictable challenges of the IT landscape.

The audit service providers have recently recognised this fact and therefore place clear requirements on their auditors before they are appointed and allowed to work on behalf of the certification body.

QuickCheck on information security

Advantages of an internal audit by an appointed auditor:

  • Unquestionable compliance with the standard requirements for conducting internal audits

  • High level of expertise and specialist knowledge

  • Objective assessment at the level of a certification audit

  • Efficient and routine procedure for conducting the audit

Continuous process: annual ISMS audit for operators of critical infrastructure

Companies and organisations that operate critical infrastructure are obliged not only to implement industry-specific security requirements, but also to establish and maintain an ISMS as the basis for comprehensively secure operation of every aspect of the critical infrastructure. This can be done, for example, by introducing and operating an ISMS based on an internationally recognised standard (e.g. ISO/IEC 27001). Regular reviews of this management system are necessary to ensure that the ISMS is effective and appropriate and meets the requirements of the standard, the industry and the legal regulations. During the annual internal audit, the processes and procedures within the ISMS are checked for effectiveness and efficiency and examined for possible weaknesses. The aim is twofold: to continuously increase the security of the critical infrastructure by identifying and eliminating risks as early as possible, and to provide the KRITIS operator's audit service provider with objective evidence that the requirements for the prescribed independent internal audits have been met.

Audit focus, industries and KRITIS sectors:

ISO 27001, B3S, KRITIS, IT-SiKat, TISAX®, VAIT, VDA ISA, §8a BSIG, KritisV, ISO 27002, IT security catalog, ISO 27019, §11 1a EnWG, §11 1b EnWG

You have questions regarding the

INTERNAL AUDIT?

Sometimes a direct conversation is simply unbeatable. Please do not hesitate to arrange a free conversation via our telephone calendar!
