When the NIS2 directive came into force, the clinic had to implement information security systematically, traceably and organization-wide. Although individual security measures were already in place at the start of the project, they were not uniformly documented, evaluated or integrated into an overarching management system.
The organization is characterized by several locations and specialist departments. Security-relevant processes – for example in identity and authorization management, in the handling of sensitive information or in organizational responsibilities – had grown historically and were not harmonized across the board. There was no consolidated view of risks, protection requirements and dependencies.
There was also uncertainty as to which measures are absolutely necessary, how technical and organizational requirements interact in a meaningful way and how information security can be permanently anchored in ongoing operations. The aim of the project was therefore to reduce risks in a targeted manner, create transparency and establish a reliable basis for NIS2 compliance and ISO/IEC 27001 certification.
At the start of the project, a structured process model was defined that holistically combines regulatory requirements, organizational processes and technical security measures. The aim was to implement information security in a practical manner, reduce risks in a targeted manner and establish sustainable structures in ongoing operations.
To begin with, a comprehensive gap analysis was carried out, bringing together technical, organizational and regulatory requirements from ISO/IEC 27001 and NIS2. Existing measures, responsibilities and documentation were evaluated and deviations from the target status were recorded in a structured manner.
Based on the initial analysis, security-relevant processes were captured in all departments involved. Actual processes, responsibilities and data flows were recorded in interviews and structured surveys in order to derive practical, department-specific protection requirements.
In addition to the normative analysis, the BSI IT baseline protection methodology (IT-Grundschutz) was applied. This made it possible to identify additional risks beyond the minimum requirements, such as organizational, physical or environmental risks, and provided a well-founded basis for prioritizing further measures.
Based on the gaps, processes and risks identified, the necessary technical and organizational measures were implemented in a targeted manner. These included the optimization of identity and access concepts, the implementation of secure authentication mechanisms and the protection of sensitive data and end devices in the Microsoft 365 environment.
Finally, all departments involved checked whether the defined measures had been fully implemented and effectively established. Identified deviations were rectified so that organizational and technical security requirements are consistently met.