
Surveillance audit of ISO 27001 certification completed

Last Friday, the surveillance audit for the ISO certification, initially issued in November 2021, was successfully completed. The central goals of the certification are the creation of the necessary foundations for handling sensitive data and the professionalisation of the core operation of the data centre.

Another important step is the recent separation of the CIO function from the operations of the data centre and the assignment of responsibility for the information security management system (ISMS).
In the course of this process, a restructuring was also initiated to integrate the ISMS much more clearly into the operational processes and decisions of the data centre. For example, the round of department heads now regularly deals with topics such as operational security and the handling of security incidents. Procedures from the ISMS are integrated into operational control, and the risk assessment and the evaluation of non-conformities support strategic planning.

Central operational procedures were clarified and documented in preparation for the surveillance audit. These updated guidelines primarily refer to Machine Room II, but are to be adopted as recommendations in general IT practice on campus.
A central aspect of secure IT operations is the disposal of data media. For this purpose, a guideline was issued for the data centre, which was developed jointly, in detailed coordination, with the Stabsstelle "Sicherheit, Umwelt und Nachhaltigkeit (SUN)" (staff unit "Security, Environment and Sustainability (SUN)").

It is intended to form the basis for a recommendation for the entire campus. In this guideline, data media are classified and then assigned to a disposal path depending on their protection requirement. Guiding questions are used to determine the disposal path for data media from the data centre area. The principle is easily transferable to other facilities that regularly have to dispose of data media containing sensitive information. The operational experience of the data centre shows that a general requirement to overwrite all media would be uneconomical.
Another guideline that was certified in the surveillance audit concerns data backups for services in Machine Room II of the data centre. For an IT structure as complex as the one found there, planning is needed that is geared towards restoring services. These are core services for the campus, for which availability, data integrity and confidentiality are the focus.

https://uni-freiburg.de/zuv/geschaeftsbereiche/sun/