In February 2014, the Agency for Digitisation will publish three updated guidelines on information security, which provide advice on how to establish information security management, an information security policy and IT risk management and risk assessment.
Furthermore, the tool for self-evaluation in relation to implementing the ISO 27001 standard was updated with a number of questions about segregation of responsibilities and roles with regard to IT contingency and continuity. The updates also include the addition of elements about data processor agreements, logging, change management and reporting security incidents in relation to supplier management.
ISO standard available for free for all public authorities
In the summer of 2014, the Agency for Digitisation purchased the right of use to the ISO 27001 standard and released it to all government authorities. This made it possible for the individual authorities to receive a copy of the ISO 27001 standard free of charge from the Danish Standards Association for use in their internal work on information security, e.g. as the basis for internal guidelines or for distribution inside their own organisation.
The agreement will run until and including the end of 2015, at which point the Danish Standards Association will be obliged to distribute and maintain the standard. Subsequently, government authorities will still have the right to use the versions of the ISO standard included in the agreement, although the standard will no longer be sent to them free of charge.
So far, almost 70 government authorities have made use of the option to receive the ISO standard. The Agency for Digitisation expects the number of government authorities making use of the release of the ISO standard to increase during 2015. This is partly because the government's strategy for cyber and information security emphasises implementation of the ISO standard as key to efforts to professionalise governmental work with cyber and information security at authority level.
The objective of the ISO standard is to ensure better management of work with information security. Since January 2014, it has been mandatory for all government authorities to follow the standard.