Establishment of local Information Security Management System (ISMS)

AU must establish local Information Security Management Systems (ISMS) which must be in line with AU’s minimum requirements for ISMS. Find out how to approach establishing an ISMS on this page.


Purpose

  • The purpose of a local ISMS is to have clearly documented agreements and guidelines for how to work with information security and how information is to be protected in the unit in question.
  • In some research collaborations, external partners abroad, for example, might have stricter requirements for how information is processed, which an ISMS can document.
  • Working with ISMS also helps raise awareness about information security in the organisation.

How to get started

The actual establishment of a local Information Security Management System (ISMS) can be divided into four phases, which are described below with tips on how to get started and recommendations for methods, templates and guides to use. The activities in the phases are mandatory under ISO 27001, which is the framework for AU's minimum requirements for a local ISMS.

1. Organisation

Question guide:

  • Which area or unit are you responsible for?
  • Who has what roles?
  • Who has what responsibilities?
  • How do you ensure management buy-in?
  • How and when is it necessary to escalate internally?

There is no recipe for roles and responsibilities in relation to your ISMS. The setup you decide on will depend on how your unit is organised, among other things. What follows is a description of the roles and responsibilities that are to be handled locally. You need to consider how the different roles act in relation to each other, how responsibilities should be divided, and the criteria for when a situation should be escalated.

  • Unit manager: Is responsible for information security at the department/school or faculty and has overall risk ownership. The manager of the unit is responsible for determining and documenting ownership of assets, including projects and systems, risks, measures, requirements and legislation. In cases where ownership is shared, there should be management agreements that document the division of responsibilities.
  • System/asset owner: Can be assigned management of a significant asset. This will most often be an employee with management responsibility and knowledge of the use and value of the asset in question, in order to ensure operational security. The system/asset owner can also be the risk owner, but there may be internal criteria for when and which risks and scenarios should be escalated to the unit manager. If the system in question is an IT system.
  • Risk owner: This role can be assigned at multiple levels. What is most important is that a risk owner has the responsibility and authority to manage the risks they are responsible for, including making decisions on how to manage risks. If a particular risk has potentially high consequences, the risk owner is often a senior manager.
  • System manager: Has in-depth knowledge of the asset, how it is utilised and how it constitutes an important tool in a critical business process. The system manager has operational responsibility for the system. AU IT has described the system manager's tasks for IT systems: The system manager's tasks (in Danish only).
  • Local information security coordinators: Are appointed at either a faculty or department/school where they are responsible for the performance of information security activities.

Risk ownership and risk escalation

Risk ownership and risk escalation are assigned relative to the following criteria:

  • Incident that has a negative impact on the reputation of the entity or AU.
  • Incident causing major operational disruption to the organisation or a broad user group.
  • Incident that compromises sensitive or confidential information or affects a large number of persons.
  • Financial consequences beyond the system owner’s budget.
  • Inaccessible central system or asset.
  • Need to contact the Danish Data Protection Agency.

2. Overview of assets

Question guide:

  • What has the highest value for you?
  • What information assets are you responsible for?
  • Which information assets must be prioritised?
  • Who owns the information asset?
  • How do you ensure asset overview updates?

An overview of your assets enables you to prioritise resources on an informed basis. Management can prioritise action areas based on your risk acceptance.

Question guide for identifying and prioritising information assets:

1. Identify the unit’s assets
  • What assets are we responsible for?
  • Do we have a comprehensive inventory of the important assets the unit is responsible for?
  • Who is the respective owner of each asset? Ownership must be documented and the owner must be aware of their role and responsibilities.
2. Assess asset criticality and consequences

Criticality

  • What is the data classification of the unit's information and assets? (determines criticality)
  • What is the amount and concentration of information? (affects criticality)
  • What business process does the information support? (strategic value/critical business process?) - including how important the availability, confidentiality and integrity of the information are to the organisation.
  • What expectations do stakeholders have with regard to the confidentiality, integrity and availability of information?
  • Is this in line with AU's risk criteria/risk tolerances?


Consequences

  • What are the potential consequences of a leak or loss of information - the following are examples, but the list is not exhaustive:
    • Death or injury to individuals or groups.
    • Loss of freedom, dignity or right to privacy.
    • Loss of employees and knowledge (skills and expertise).
    • Damage to organisational function or process.
    • Impact on plans and deadlines.
    • Loss of organisational and financial value.
    • Damage to public trust and reputation.
    • Breach of legal, statutory or regulatory requirements.
    • Breach of contracts or service levels.
    • Negative impact on stakeholders.
    • Negative impact on the environment.
3. Rank your unit’s most critical and/or sensitive assets
  • What are your unit’s most critical and/or sensitive assets?
  • How should they be ranked relative to each other?

3. Awareness of risk management

Question guide:

  • What risks can affect your information assets?
  • How do you protect your information assets?
  • How does management deal with the identified risks?
  • What recommendations do you have for appropriate measures?

Risk management is based on your identified and ranked assets. We recommend you follow this procedure when carrying out a risk assessment: Read more about risk assessment.

The risk management process involves the following elements:

  1. System classification (if the information asset is an IT system), which, based on various parameters, shows whether a system has a criticality that requires a risk assessment.
  2. Risk assessment provides an overview of the risks and threats that could affect your unit’s most sensitive and confidential information or assets.
  3. The results of the risk assessment are presented to management, who decide on a course of action.
  4. The action plan depends on management’s risk acceptance and possible actions; whether they will accept the risk or implement measures that lower the risk.

4. Follow-up and optimisation

Question guide:

  • How do you follow up on activities?
  • How often do you follow up?
  • How did it go?
  • What risks should be presented to your management?
  • What can you do better?

A risk-based approach requires you to be aware that risks change, which means regular follow-ups are necessary.

The frequency of follow-ups can vary, but at a minimum, management should follow up on specific activities in the action plan and activities in the local ISMS once a year.

Following up on the status of the action plan measures might take the form of an item on the agenda at a management meeting or through the establishment of a local information security committee in the unit. There are no formal requirements for follow-up, but it must be possible to track and document progress.

Examples of questions to address when following up on information security status:

  • Have any new assets or risks been identified that could have an impact on information security?
  • What is the status of ongoing information security initiatives or activities?
  • Have there been any incidents that give rise to changes in the threat landscape or that indicate a need to update risk assessment and management?
  • What new initiatives can we implement?
  • How can we improve our work with information security and the activities related to information security?
  • Is the local ISMS working as intended or do we need to make adjustments? If so, what adjustments?
  • What kinds of issues should be reported to management and how?
  • Are there relevant legal requirements or other formal requirements from partners that need to be taken into account?

Tools

Here you can download graphical tools with questions that can help you when setting up your local Information Security Management System. We recommend that you start by thinking through each of the four phases and then work through them from step 1 to 3.


Annual review

When the local ISMS is established, it’s a good idea to structure work associated with it as an annual planning cycle based on the phases Plan-Do-Check-Act. 

  • PLAN: Development and maintenance of the fundamental documents.
  • DO: Implementation and operation in practice.  
  • CHECK: Evaluation and documentation of activities and information security measures, as well as identification of possible improvements. 
  • ACT: New initiatives and ongoing improvements.

The lists below are primarily targeted at units that need to be certified, but can be used as inspiration for implementing the annual review.