What do setting up and certifying an ISMS entail?
SWITCH formed an Information Security Committee (ISC) last year. Working at management level, it draws up security guidelines, assesses risk analyses andplans measures to enhance information security. As Chief Information Security Officer, I head up the ISC .I take instructions from the ISC and am responsible for the operation and continual improvement of the ISMS.
We carried out a business impact analysis to evaluate critical business processes and worked out emergency scenarios and measures to mitigate these and limit the damage caused.With a view to ensuring that normal operation can be restored as quickly as possible in the event of faults and emergencies, we defined a practically oriented incident management process and tested it in a number of emergency exercises.
The consulting firm AWK Group helped SWITCH set up the ISMS. After this intensive phase, SQS awarded SWITCH its ISO 27001 certification. We are thus among the first registries in Europe to have a certified ISMS.
What does this mean for the future?
We share our experience with other registries to maintain the security of the overall system for domain names and take it to the next level. Rolling out ISMSs is also on the agenda for Swiss universities.SWITCH will let them, too, benefit from its experience.
However, SWITCH does not intended to rest on its laurels. The process of continual improvement is vital to the ISMS and is thus embedded in all its phases and procedures. Security is an ongoing process, not an end result. The next interim audit by SQS is already scheduled. Certification is a continuing commitment.
