The senior management team has decided that AU must comply with ISO 27001, and must maintain maturity level 3 with regard to information security. To achieve this, ISMSs must be implemented at the local level, and they must be reevaluated annually. This applies to both academic and administrative units at AU.
The definition of a maturity level is as follows:
"Procedures are standardised, documented and communicated through training.
It has been announced that the procedures must be complied with, but it is unlikely that non-compliance will be discovered.
The procedures are usually a formalisation of existing practice."
A local ISMS must contain:
There are few formal requirements for local ISMSs, and they can be quite simple.
There are also different ways of implementing a local ISMS. For example, an ISMS can be implemented at faculty or department level, but there may also be specific research programmes for which additional measures to improve information security are required, for example because external partners have particular requirements in this regard.
A local ISMS must be based on AU’s central information security management system, which complies with IS-37001, the security standard for Danish state sector authorities.
The manager of the unit is responsible for the implementation of a local ISMS. In this context, ‘managers’ refers to, for example, department/school heads, research centre directors or deputy directors.
Managers have overall responsibility for information security in their units, which includes activities such as:
The local FISUs (research IT security committees) at AU’s five faculties are knowledgeable, relevant partners in relation to the implementation of the local ISMS.
It’s a good idea to design the local ISMS as an annual planning cycle that includes the phases Plan - Do - Check - Act.