Business Solutions

ISMS 2024: What companies need to know now about NIS2, DORA, CRA and ISO/IEC 42001

The demands on information security are increasing rapidly, and with them the regulatory pressure. Cyber attacks such as ransomware, supply chain attacks and targeted attacks on critical infrastructures have long been part of everyday life. At the same time, NIS2, DORA, the CRA and ISO/IEC 42001 are four key regulations and standards that affect companies of all sizes and from all industries. A structured ISMS (Information Security Management System) thus becomes the indispensable basis for a legally compliant and resilient security architecture. Those who fail to act now risk not only fines, but also considerable competitive disadvantages.


NIS2 – The new basic requirement for many companies

The revised NIS2 Directive will apply from October 2024. Companies with 50 or more employees or an annual turnover of over 10 million euros may already be affected, especially if they operate in critical sectors. The most important requirements include the introduction of an information security management system (ISMS), regular risk analyses, business continuity measures and reporting obligations for security incidents. The management bears personal liability. Our tip: Start with a gap analysis to determine your current implementation status.

DORA – Resilience for the financial sector

From January 2025, DORA will be mandatory for all financial companies in the EU. Banks, insurance companies and relevant IT service providers must strengthen their digital resilience, ICT risk management and incident reporting. Here too, an early gap analysis and a review of existing emergency management systems are recommended.

CRA and ISO/IEC 42001 – Security for digital products and AI

The Cyber Resilience Act (CRA) will regulate the entire value chain of digital products – from development to marketing – from 2026. Manufacturers, developers and importers of hardware and software are obliged to implement “security by design” and establish vulnerability management. The new ISO/IEC 42001, in turn, is the international standard for the secure handling of artificial intelligence and addresses AI-specific risks such as bias, lack of transparency and lack of traceability.

Recommendations for a future-proof ISMS strategy

Companies should now prioritize measures, carry out gap analyses and integrate new standards such as ISO/IEC 42001 into existing management systems. Raise awareness among managers and specialist departments, because information security is no longer just an IT task, but a strategic core function.

Conclusion:

A holistic ISMS that integrates IT, OT, AI, data protection and business continuity is the basis for sustainable security and compliance. Those who act early minimize risks and secure clear competitive advantages. We are happy to support you from the gap analysis to the implementation of practical solutions.

Would you like to find out more or get started right away?
Contact our team – together we can make your company fit for the new information security requirements! Get ahead and in touch with us – info@expertsinstitut.de

Read our entire blog: https://experts-institut.de/newsroom/
And feel free to follow us on LinkedIn: https://de.linkedin.com/company/expertsinstitut

2 weeks /by Carsten Pickel
Business Solutions

Information security – a must for modern companies

In today’s digital world, information security is more than just a technical concern: it is a business-critical necessity. Companies must protect sensitive data and at the same time meet legal requirements. This article highlights the most important aspects of information security with a focus on the implementation of an ISMS according to ISO 27001 and the new EU NIS2 directive, which comes into force in 2024.

Why is information security important?

Information security ensures the confidentiality, integrity and availability of data and IT systems. It not only protects against cyber attacks, but also ensures the continuity of business processes. An effective information security management system (ISMS) helps companies to identify and minimize risks.

Implementation of an ISMS through ISO 27001

ISO 27001 is an internationally recognized standard that helps companies to develop and implement an ISMS. It offers a systematic approach to protecting information and minimizing risks.

Why is ISO 27001 important?

  • By complying with ISO 27001, companies can strengthen the trust of their customers and partners
  • Many industries require compliance with certain security standards; ISO 27001 helps to meet these requirements
  • The standard provides a clear framework for identifying and managing security risks

Steps for implementation

  1. A project team is set up to take responsibility for implementing the ISMS
  2. Clear roles and responsibilities are defined to ensure smooth implementation
  3. A delta audit and an inventory are carried out to identify vulnerabilities and the current security status
  4. All employees involved are sensitized and qualified through targeted training courses
  5. Departments receive weekly task packages that cover various chapters of ISO 27001
  6. A comprehensive, digitalized ISMS is created to ensure sustainable information security
  7. Internal auditors are trained to carry out regular audits in the company
  8. Regular internal audits ensure that all measures are properly complied with
  9. A gap analysis is used to identify weaknesses, which are then remedied with a concrete action plan
  10. The action plan is then carried out by implementing the planned measures in a targeted manner
  11. The certification process is continuously monitored until successful completion of ISO 27001 certification

NIS2 and the connection to ISO 27001

The NIS2 Directive, which comes into force in October 2024, tightens information security requirements, especially for operators of critical infrastructure (KRITIS), and affects around 21,600 new companies in Europe. The aim of the directive is to strengthen protection against cyberattacks and resilience.

ISO 27001 and NIS2 both pursue the goal of information security, but differ in scope. While ISO 27001 provides a flexible framework for implementing an ISMS, NIS2 adds additional requirements specifically aimed at KRITIS operators and critical facilities. Companies that are ISO 27001 compliant have already met many of the NIS2 requirements.

NIS2 introduces the following obligations for companies:

  • Companies need to further enhance their security standards and conduct regular audits to ensure both cyber security and physical resilience
  • Stricter reporting requirements apply: security incidents must be reported within 24 hours
  • Violations may result in penalties in the form of fines of up to 10 million euros or 2% of global turnover

Conclusion: Why information security is essential for companies

The importance of information security in the modern business world cannot be overemphasized. With increasing connectivity and the steady rise of cyber threats, it is becoming imperative for companies to develop robust security strategies and comply with regulatory requirements such as the NIS2 directive. By implementing an effective information security management system in accordance with ISO 27001, companies can not only minimize their risk, but also strengthen the trust of their customers and partners. Given the new challenges that come with NIS2, it is crucial that companies act proactively to adapt to the increased information security requirements and avoid potential sanctions.

How we as Experts Institut can help

As Experts Institut, we offer comprehensive consulting services for the implementation and optimization of ISMS in accordance with ISO 27001. We also support companies in implementing the new requirements of the NIS2 directive. Our focus is on supporting customers in complying with IT compliance requirements and strengthening their information security.

Are you considering optimizing the security measures in your company? Get ahead and in touch with us – info@expertsinstitut.de

Read our entire blog: https://experts-institut.de/newsroom/

And feel free to follow us on LinkedIn: https://de.linkedin.com/company/expertsinstitut

9. October 2024/by Carsten Pickel
Business Solutions

ISO 9001 certification: Step by step to a successful QMS

ISO 9001 certification is an internationally recognized standard in quality management. It stands for trust, efficiency and reliability – qualities that customers and business partners value. However, the certification process can seem challenging. In this guide, you will learn how to successfully implement certification and how we can support you step by step.

Why ISO 9001 certification?

ISO 9001 certification offers many advantages: more efficient processes, better risk management and greater trust from customers and partners. It can also open up new business opportunities, as many tenders and contracts require ISO certification.


1. Initial consultation and analysis: the start

The first step towards ISO 9001 certification is a comprehensive analysis of your existing structures and processes. This will determine how well your quality management system (QMS) already meets the requirements of the standard and where improvements are needed.

Why is this important? Many companies already unconsciously fulfill parts of the ISO 9001 standards. A professional analysis uncovers these strengths and identifies specific weaknesses in order to make the process efficient and time-saving.

2. Planning the implementation: tailored to your requirements

Following the analysis, a customized implementation plan is drawn up that defines all the steps required for full compliance with ISO 9001 standards.

What makes this step so important? Thoughtful planning ensures that the standard requirements are implemented without disrupting your day-to-day operations. This maximizes the benefits of certification and minimizes disruption.

3. Implementation of the quality management system (QMS)

Now it is a matter of either implementing the QMS from scratch or optimizing existing processes. This ensures that all requirements of the ISO 9001 standard are met.

Why is this important? An optimized QMS not only improves the quality of your products and services, but also increases efficiency. Clear processes, reduced errors and motivated employees contribute to successful certification.

4. Internal audits and training: preparation is everything

Internal audits and the training of your employees are essential components before the official certification audit begins. They identify weak points and ensure that the QMS is implemented correctly. At the same time, employees are prepared for the new processes.

Why this step? Training ensures that employees understand the new processes and use the QMS efficiently. The internal audits ensure that your company is ready for official certification.

5. Certification audit: the decisive step

During the certification audit, an external auditor checks whether your company meets the ISO 9001 requirements. This is the last step before receiving the certificate.

Our support: We accompany you through the entire audit process and are on hand to answer any questions and help with any challenges you may have. Our aim is to make the audit as smooth as possible and ensure successful certification.

6. Receipt of the certificate: your seal of quality

After the successful audit, you will receive the ISO 9001 certificate, which is valid for three years and confirms that your company meets the highest quality standards.

What comes next? Regular internal audits and continuous improvements are crucial in order to maintain certification in the long term and to be successful in the recertification process.

Conclusion: Your partner for successful ISO 9001 certification

ISO 9001 certification requires careful planning and specialist knowledge. With our advice at your side, the process will be smooth and efficient. Contact us to find out more about our customized consulting services and make your certification a success. Get ahead and in touch with us – info@expertsinstitut.de



Read our entire blog: https://experts-institut.de/newsroom/

And feel free to follow us on LinkedIn: https://de.linkedin.com/company/expertsinstitut

25. September 2024/by Viola Cussmann
Business Solutions, Sustainability

Combining sustainability and success: The new VSME standard for SMEs

Sustainability is becoming increasingly important in corporate management, particularly in the wake of new regulatory requirements at European level. For large companies that are already covered by the CSR Directive Implementation Act (CSR-RUG), reporting on sustainability issues is mandatory. However, small and medium-sized enterprises (SMEs) are also focusing on voluntary sustainability reporting. The EU’s new voluntary standard, the VSME (Voluntary Sustainability Reporting Standard for Micro, Small, and Medium Enterprises), now offers SMEs a clearly structured opportunity to get involved in sustainability reporting.


What is the VSME standard?

The VSME is a voluntary reporting standard developed specifically for micro, small and medium-sized enterprises that are not subject to the mandatory regulations of the Corporate Sustainability Reporting Directive (CSRD). The aim of the standard is to create a framework that enables these companies to report on their sustainability activities in a practicable manner. The VSME standard is intended to help provide sustainability information for lenders, investors and business partners and to make the company’s contribution to a sustainable economy visible.

Structure and modules of the VSME standard (sustainability)

The VSME standard has a modular structure and comprises various reporting requirements tailored to the size and structure of the company:

  • Basic module: Here, all reporting companies must provide basic information on areas such as energy consumption, greenhouse gas emissions, water consumption and governance. This module is the same for all companies, although certain information can be omitted if it does not apply to the company in question.
  • PAT module (Policies, Actions, Targets): This module is aimed at companies that have already developed and implemented strategies and targets in the area of sustainability. Reporting in this module is based on a materiality analysis that identifies the company’s key sustainability issues.
  • BP module (Business Partners): This module is intended for companies that want to pass on sustainability information to financial stakeholders and business partners. Here too, reporting is based on the materiality analysis.

Materiality analysis: the key to effective reporting

A central element of the VSME standard is the materiality analysis. This analysis helps companies to identify the issues that are material from both an environmental and social impact and a financial perspective. The focus here is on dual materiality – i.e. the consideration of both the company’s impact on the environment and the financial impact of sustainability aspects on the company.

The added value for SMEs

The VSME standard offers numerous advantages for small and medium-sized enterprises. Structured reporting in accordance with this standard enables SMEs to present their sustainability performance in a transparent and comprehensible manner. This creates trust among investors, lenders and business partners and can increase the company’s competitiveness. The VSME standard also provides valuable guidance for systematically integrating sustainability issues into the corporate strategy.

Sustainability: Conclusion

The VSME standard is an important step towards more comprehensive and transparent sustainability reporting, even for smaller companies. Thanks to its practical and flexible design, it offers SMEs the opportunity to actively participate in sustainable management and strengthen their position in the market. The Experts Institute recommends that companies familiarize themselves with the requirements of the VSME standard at an early stage and take advantage of the opportunities offered by voluntary sustainability reporting.

Read our entire blog: https://experts-institut.de/newsroom/

And feel free to follow us on LinkedIn: https://de.linkedin.com/company/expertsinstitut

4. September 2024/by Viola Cussmann
Business Solutions

Artificial intelligence (AI) in consulting

How artificial intelligence is revolutionizing management consulting: insights into a future where consultants and AI go hand in hand


In the rapidly evolving business world, companies face the challenge of keeping up with the latest technologies in order to remain competitive. Artificial intelligence (AI) is playing an increasingly important role in this transformation. In this context, the question of whether AI can replace the traditional management consultant is becoming increasingly important. Research, such as McKinsey & Company’s study, “Generative AI and the Future of Work in America,” predicts that by 2030, generative AI will automate tasks that currently account for up to 30% of labor hours in the U.S. economy. However, this automation will expand the way we work in specialized areas, not replace it.

Deloitte’s report “State of Generative AI in the Enterprise”

The question is whether the growing interest in artificial intelligence will win the race or whether fears and regulatory hurdles, particularly in the area of compliance, will gain the upper hand. Do the potentials of the technology outweigh the reservations, or are the latter blocking broad acceptance? Deloitte’s report “State of Generative AI in the Enterprise” shows a clear trend. Executives are enthusiastic about the possibilities of generative AI, with 62% rating generative AI as exciting. Nevertheless, there is a certain degree of uncertainty (30%). A majority (79%) expect generative AI to bring about significant transformations in their organizations and industries in the next three years.

Data protection and compliance

While concerns regarding data protection and compliance, for example, are certainly justified in the discussion about artificial intelligence, this debate leads to a significant insight: the role of the management consultant is not diminished by the integration of AI, but rather significantly expanded. By incorporating AI into their services, consultants can provide more data-driven, accurate and efficient solutions. This symbiosis of human expertise and AI capabilities promotes deeper analysis and a refined understanding of complex challenges, which ultimately increases the quality of advice and offers added value for the customer.

Commerzbank provides an innovative example of the application of AI in customer advice with the introduction of an AI-based banking avatar that combines generative AI and avatar technology to improve the customer experience. This underlines the versatility of AI in supporting and improving customer interactions and experiences.

Integration of AI

The integration of AI into management consulting therefore not only enables more efficient data analysis and processing, but also promotes innovation and strategic development. Management consultants who use AI can concentrate on complex analysis and strategy tasks and thus create greater added value for their clients. This development indicates that the AI-savvy consultant will replace the traditional consultant who does not use AI in the digitally transformed business world. Integrating AI into consulting services is not just a possibility, but a necessity to be successful in the modern business world.


Bibliography:

Deloitte. (2024). State of Generative AI in the Enterprise. [Report].

McKinsey Global Institute. (2023). Generative AI and the Future of Work in America. [Study].

Commerzbank Aktiengesellschaft. (2023). Commerzbank plans banking avatar based on artificial intelligence. [Press release]. Frankfurt am Main: Commerzbank Aktiengesellschaft.

Another article on the topic of AI / artificial intelligence: https://experts-institut.de/zukunft-gestalten-ki-als-schluessel-fuer-fortschrittliche-unternehmensfuehrung/

Read our entire blog: https://experts-institut.de/newsroom/

And feel free to follow us on LinkedIn: https://de.linkedin.com/company/expertsinstitut

15. April 2024/by Carsten Pickel