Information security management locally

Information security is a shared responsibility! The following section is divided into activities you can use when working with information security locally and based on local information, assets and job functions.

What is the purpose?

The purpose of working on information security locally is:

  • to show the world around us that we at Aarhus University protect our information
  • to show the world that we can be trusted to protect data, providing peace of mind for researchers and collaboration partners in particular
  • to increase awareness of information security locally, and with individuals

Who is responsible for local work on information security?

Managers have overall responsibility for information security in their unit, including activities such as:

  • ensuring compliance with AU's central ISMS in practice locally, and thereby compliance with ISO 27001 requirements.
  • ensuring that the information security policy, the ISMS and underlying policies, procedures, rules of conduct and all other central information concerning information security are communicated, implemented and complied with by all users in the unit, without exception. 
  • developing and implementing (when necessary) local policies and procedures based on a risk assessment.
  • ensuring that all users in the unit have received the right information, training, etc. 
  • local awareness work throughout the year.

The local FISUs (research IT security committees) at AU’s five faculties are knowledgeable, relevant partners in relation to implementation of the local ISMS.

When do you need to implement a local ISMS?

Local efforts on information security can be based on different needs and requirements...

While some units can make do with only a few formal requirements, others will need additional documentation focused on certification that units meet requirements from collaboration partners or the public sector.

In cases where additional measures to improve information security are required, a local ISMS can be implemented at faculty or department level or for individual specific research areas.

Getting started...

Local efforts related to information security can be structured as a Deming Wheel or annual planning cycle that is divided into activities under the various phases of PLAN-DO-CHECK-ACT, which should be re-evaluated annually.

The activities listed are the mandatory activities in ISO27001 and the minimum requirements for theISMS at Aarhus University.

To get off to a good start, we recommend incorporating the following activities:

1) Start with the activities listed in STEP 1

2) Add the activities listed in STEP 2

3) Add the activities listed in STEP 3

It can be a good idea to consider the following first...


  1. Break up activities - even though many of them are interrelated. 
  2. Begin with the most critical assets – the ones that add the most value
  3. Keep it simple – document your work by keeping minutes.
  4. Use existing material as your starting point – check AU's central ISMS