Change management
Security for changes to IT systems
IT security. Today, changes to IT systems are not only the order of the day, they are simply necessary to ensure operations in small and medium-sized companies. Change management processes and risk assessments are essential in order to maintain IT security.
The operating system of the server at the electroplating service provider is updated from Windows 2012 to Windows 2016, the medium-sized automotive supplier switches to a different email system or the firewall rules are adapted at the software company. All of these examples from day-to-day business practice represent critical points. After all, they directly affect IT security in the company and should therefore trigger a change management process. In concrete terms, this means that the procedure must be described, a test plan developed and a fall-back plan drawn up. In addition, the change process must be reviewed afterwards. This is supplemented by a risk and opportunity assessment.
The whole thing is not really new. After all, the de facto standard ITIL already contains recommendations for the operation of IT systems and processes that are triggered when changes are made to IT systems. And anyone who is certified in accordance with ISO 27001 must initiate the change management process for every change to IT systems anyway. However, ISO 9001 and the European General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, also include the requirement for a risk and opportunity assessment.
Due to the legal requirements of the GDPR, two ISO standards and the ITIL recommendations, companies now have up to four arguments on the table that definitely trigger a high pressure to act and work towards the introduction of professional change management processes.
The task for companies is therefore to move as quickly as possible from awareness that something needs to be done - after all, it will soon be a legal requirement - to concrete implementation. Unfortunately, there is still a lack of clarity in many companies with regard to the ideal approach. There is no need to reinvent the world, as there are tried and tested quality management tools and methods that provide excellent support in meeting IT security requirements through risk management.
The FMEA method (Failure Mode and Effects Analysis) is one of many ways to carry out a risk assessment as part of a change process. It has proven very successful in practice because, among other things, a single methodology can be used to map both the IT security requirements in accordance with ISO 27001 and the quality requirements from ISO 9001 and the GDPR.
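The article names the artefacts a change must carry (a described procedure, a test plan, a fallback plan, a post-implementation review) and FMEA as one way to do the risk assessment, but does not show what such a record looks like. The following is an added example, not code from the article or from any of the standards it cites. It assumes the classic FMEA rating scales (1 to 10 for severity, occurrence and detection) and the risk priority number RPN = S x O x D, which are standard FMEA practice but not stated on the page; the RPN threshold of 100, the firewall change and its failure modes are constructed sample values.

```python
"""FMEA-style risk assessment attached to an IT change request.

Added example, not from the article. Assumptions: standard FMEA 1..10 rating
scales and RPN = severity * occurrence * detection; the threshold (100) and the
sample firewall change below are constructed for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import List, Tuple


@dataclass
class FailureMode:
    """One way the change could fail, rated on the usual 1..10 FMEA scales."""
    description: str
    severity: int     # 1 = negligible .. 10 = loss of operations or data breach
    occurrence: int   # 1 = unlikely   .. 10 = almost certain
    detection: int    # 1 = caught by the test plan before go-live .. 10 = undetectable

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")

    def rpn(self) -> int:
        """Risk priority number: the standard FMEA product S x O x D."""
        return self.severity * self.occurrence * self.detection


@dataclass
class ChangeRequest:
    """The artefacts the article requires before and after a change."""
    title: str
    procedure: str
    test_plan: str
    fallback_plan: str
    failure_modes: List[FailureMode] = field(default_factory=list)
    post_review: str = ""

    def max_rpn(self) -> int:
        return max((fm.rpn() for fm in self.failure_modes), default=0)

    def assess(self, rpn_threshold: int = 100) -> Tuple[bool, List[str]]:
        """Approve only if every artefact exists and no failure mode reaches the threshold."""
        findings: List[str] = []
        for label, text in (("procedure", self.procedure),
                            ("test plan", self.test_plan),
                            ("fallback plan", self.fallback_plan)):
            if not text.strip():
                findings.append(f"{label} is missing")
        if not self.failure_modes:
            findings.append("no risk assessment recorded")
        for fm in self.failure_modes:
            if fm.rpn() >= rpn_threshold:
                findings.append(f"RPN {fm.rpn()} for '{fm.description}' must be reduced")
        return (not findings, findings)

    def close(self, review_notes: str) -> None:
        """The change is only complete once the post-implementation review is written."""
        if not review_notes.strip():
            raise ValueError("post-implementation review must not be empty")
        self.post_review = review_notes


def add_detection_control(change: ChangeRequest, fm_index: int,
                          extra_test: str, new_detection: int) -> ChangeRequest:
    """Extend the test plan so a failure mode is caught before go-live and re-rate it.

    Returns a new ChangeRequest; the original record is kept as the audit trail.
    """
    modes = list(change.failure_modes)
    modes[fm_index] = replace(modes[fm_index], detection=new_detection)
    return replace(change, test_plan=f"{change.test_plan} {extra_test}", failure_modes=modes)


def sample_firewall_change() -> ChangeRequest:
    """Constructed sample: the firewall rule adaptation from the article's examples."""
    return ChangeRequest(
        title="Adapt firewall rules for the new VPN gateway (constructed sample)",
        procedure="Add allow rules for udp/500 and udp/4500 to vpn-gw-01; retire legacy rule 17.",
        test_plan="Peer review of the rule set and connectivity checks from the staging network.",
        fallback_plan="Re-import the exported rule set taken before the change (15 minutes).",
        failure_modes=[
            FailureMode("New rule blocks production traffic", severity=8, occurrence=3, detection=2),
            FailureMode("Rule reordering widens an existing allow rule", severity=10, occurrence=2, detection=6),
        ],
    )


if __name__ == "__main__":
    change = sample_firewall_change()
    print("before mitigation:", change.assess())
    improved = add_detection_control(
        change, 1, "External port scan of the staged rule set before go-live.", new_detection=2)
    print("after mitigation:", improved.assess())
    improved.close("Rolled out in the maintenance window; no connectivity incidents.")
```

The design point is that the assessment gates on the artefacts as well as on the scores: a change with a tolerable RPN but no fallback plan is still rejected, and the record is not closed until the review required by the article has been written. Reducing an RPN by improving detection (a better test plan) rather than by arguing the severity down is the usual FMEA move, because severity is a property of the failure, not of the controls.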
While the path to risk assessment is still unclear in many cases, the benefits are clear to most business leaders and IT managers: change management ultimately leads to gaps being uncovered and upcoming problems being recorded and identified - before any changes are made. As a result, operations are maintained, IT security is guaranteed and nobody is hindered in their work - "ensuring and maintaining operations in the company" is the requirement that is fulfilled in this way, in standardization terms.
One possible outcome of meeting all of these criteria is an integrated management system (IMS) that maps normative and legal requirements in a single system. By then at the latest, the company gains real added value: an IMS not only supports information security, but also pools resources from other areas, exploits synergies effectively and thus saves time and money.
ISO 27001 addresses many points in the area of information security that also come into play in the new GDPR. Before it comes into force, many companies are therefore asking themselves whether it is worth tackling ISO 27001 certification as part of their GDPR activities. There is actually an overlap here: anyone who is certified according to ISO 27001 automatically meets around 20 to 30 percent of the legal requirements from the GDPR in addition to the standard requirements, which they must implement by May 25, 2018 anyway. The cost of recertification in accordance with ISO 27001 is therefore reduced in purely mathematical terms. It is therefore well worth considering taking advantage of this synergy effect between the ISO standard and the GDPR.
Whether with or without formal ISO 27001 certification: IT security is guaranteed with well thought-out change management processes and by carrying out the required risk assessment in advance. And this should be a concern for every organization - regardless of normative and legal regulations.
Peter Miller /as