Standard for information security

Since January 2014 all government institutions in Denmark must follow the international standard for Information Security ISO/IEC 27001.

In 2010, the Danish government decided that government institutions must follow the international standard, ISO/IEC 27001, once an update and a translation of the standard into Danish had been completed. The update was published in January 2014, and ISO/IEC 27001 has therefore now replaced DS 484 as the national standard for information security management.

DS 484 was previously the security standard in government institutions and was based on the international standard ISO/IEC 27002 "Code of practice for information security management", modified to suit Danish conditions. With the introduction of this standard, IT security management in all ministerial areas was structured according to a common concept.

Activities to develop, maintain and inform users about the requirements of the standard are handled by the Ministry of Finance, represented by the Agency for Digitisation, in collaboration with other authorities in the public sector. In addition, the Agency for Digitisation is in charge of developing tools, templates, seminars and workshops to support implementation and maintenance of the standard. However, it is the task and responsibility of each individual institution to organise security work in its own organisation.

Security Forum

To support collaboration about information security across the government sector, the Government IT Council has established the Government Information Security Forum (GISF), in which about 30 government institutions participate. The Forum meets 4-6 times a year and is charged with the following tasks: 

  • to contribute to exchanging experience about the use of the standard, 
  • to follow the general development of information security management by public authorities, and propose joint initiatives that may strengthen information security, 
  • to determine the best practice and make proposals on how to improve paradigms and the activities carried out by the Agency for Digitisation,
  • starting from the tasks and purposes above, to support professional coordination between authorities and contribute to achieving agreement about the requirements for information security in the public sector.

The Agency for Digitisation holds the chairmanship of GISF and provides secretarial assistance. The present portal is operated by the Secretariat and aims to contribute to the exchange of experience, distributing information material, creating awareness of courses etc. and supporting administration of the Forum.

History

The decision to introduce DS 484 as a security standard in government institutions was made by the Danish Government on 12 January 2004. That meant that government institutions had three years to implement the standard. The Government decision was made on the basis of a number of recommendations given in a report circulated for public consultation in the summer of 2003.

The decision should be seen in light of the fact that effective IT use in the government sector and realisation of e-government are conditional on factors such as increased coordination and coherence between the IT systems of public authorities, thus avoiding unnecessary costs. Another condition is that citizens and businesses should feel secure and confident when using IT for communication with the public sector.

To follow the implementation of the common government IT security standard, the Government IT Council in March 2004 appointed a working group with the aim of promoting knowledge sharing about IT security and IT security issues in the government sector. The Ministry of Science, Technology and Innovation held the chairmanship and provided secretarial assistance to the working group.