Österreich
Secure Your Business
 

CASE STUDY STAGE REVIEW:
THE SYSTEM CHECK

   

  • CIS Stage Review: short audit serving to determine the system status
  • Strength/weakness profile and opportunities for optimizing management systems
    acc. to ISO 27001, ISO 20000 as well as for data centers

     

For companies and organizations that implement information security according to the International Standard ISO/IEC 27001, establish IT Service Management according to ISO/IEC 20000 or prepare for data center certification, the Certification Body CIS offers so-called Stage Reviews as a “lupeTastaturstocktaking method” or “milestone review”. The relevant assessment, which will be made by independent CIS Auditors, throws light upon the strong and weak points of a management system and shows opportunities for improvement within the scope. This helps to answer central questions that may occur in the course of an implementation project. Are there undiscovered sources of risk? Has the Certification Standard been interpreted correctly? Are the security controls sufficient, conducive and effective?

  

  • A short audit throws light upon strengths and weaknesses

    As far as the contents are concerned, a CIS Stage Review directly follows the Standard implemented. In the field of information security, this is ISO 27001, which does not only cover IT security but also such aspects as structure, security of buildings and the work environment or people awareness. In order to make an analysis of the actual state, which includes a strength/weakness profile, at a CIS Stage Review, the single risks will be identified depending on the company size and sector while evaluating organizational security controls and comparing them to the requirements of ISO 27001. The result is a multi-page audit report, which will furnish an assessment of the strong and weak points as well as opportunities of improvement in terms of maturity for certification. Similarly, a CIS Stage Review for IT Service Management follows ISO 20000 while data center certification follows ANSI/TIA 942 and/or EN 50600. “A Stage Review is particularly recommendable in the implementation phase of management systems - as an independent monitoring of project progress and in order to make it possible to better estimate the controls actually necessary,” says CIS General Manager Erich Scheiber. For if too few controls are implemented, this might become just as uneconomical as the fact the too many controls are implemented. According to Erich Scheiber, lean and effective systems are the goal.
  • Saving of time at A1 Telekom Austria

    Before the preparations for ISO 27001 certification at A1 Telekom Austria AG, the conduct of a CIS Stage Review helped to shorten the project period by altogether six months. “Top Management wanted rapid implementation within eleven to twelve months whereas the IS Managers would rather have expected 18 months. After the Review, we had obtained such a good overview of the tasks that still needed to be tackled that the schedule could be revised. Finally certification was achieved as early as after eleven months,” reports the Information Security Manager Mag. Krzysztof Müller. On the whole, it was a question of putting the requirements of the Standard in more precise terms as tailored to the scope to be certified. For thorough studies of the implementation guide had made it quite obvious that the Standard would leave a lot of room for interpretation. For example, “reasonable risk management” is required. However, there are no further explanations of what “reasonable” actually means - because this depends on the company specific security requirements. “Therefore, it was important for us to ask the Certification Body to take stock. If the auditors that will audit the overall system later on acknowledge or correct the direction we are heading, our way cannot be so wrong,” emphasizes Mag. Krzysztof Müller and adds the following: “We can recommend such a voluntary pre-assessment - as helpful facilitation on the way because implementation of the Standard is anything else but routine.”
  • Two milestone reviews at BRZ

    When implementing ISO 27001, the BRZ (“Bundesrechenzentrum” - Federal Data Center) used a Stage Review conducted by the Certification Body CIS as a strategic milestone review twice, namely at the beginning of the implementation phase and some months later as an intermediate check. “While an information security management system is being implemented in such a complex data center, a Stage Review offers planned check points, where adequacy of the controls is reviewed. This intermediate assessment will increase the motivation of the team und and give additional suggestions. Thus the client will get an objective progress report,” explains Ing. Johannes Mariel, Information Security Manager in the Federal Data Center.
  • System check in the data center of Energie AG

    At a two-day Stage Review conducted at Energie AG OÖ Data GmbH, CIS Auditors reviewed the area to be certified, which covers the whole data center with 16 server cabinets and a capacity of 500 Terabytes. The reference standards used were the proven American Data Center Standard ANSI/TIA 942 and the European counterpiece EN 50600. “For us, the Stage Review was a helpful preparation for certification we had envisaged,” explains General Manager Dr. Manfred Litzlbauer. “On the one hand, we have identified and collected all the persons responsible for the interviews made by the auditors as well as all documents and evidence. Documents and evidence include architectural plans, static, cabling structure, power supply, the carrying capacity of intermediate ceilings, fire resistance of doors and the like. We will be saved this workload at the Certification Audit. On the other hand, we have obtained a detailed stocktaking of our data center in conformity to the ANSI/TIA security levels. Thus we know exactly what controls are necessary, what they will cost and how much time their implementation will take. Based on the Stage Review, we could establish a detailed project and budget plan. In our opinion, such a voluntary Delta Audit is an optimal preparation for certification.”
     
  • The CIS-Stage-Review

Audit Planning: guarantees efficient handling
Audit Procedure: evaluation of the system status against the requirements of the Standard
Audit Report: assessment of strengths/weaknesses and opportunities for improvement
 

 

 
 
CIS - Certification & Information Security Services GmbH T +43 (0)1 532 98 90 office@cis-cert.com

T&C