The urgent need for action to improve IT security has been known in Germany and many European countries not only since the GDPR came into force, which places significantly higher demands on a company's existing technical and organisational measures.
A positive aspect is that awareness of data protection and the understanding of one's own responsibility in the processing of data have once again increased significantly since then. Moreover, many companies have tackled their data protection homework. Some have appointed data protection officers for the first time, others have drawn up processing directories and others have considerably revised their data protection declarations.
The non-uniform state of the art in IT security is due to the fact that neither national nor European legislators have provided precise technical requirements and evaluation criteria, nor methodological support. This is now set to change.
The IT Security Association Germany, TeleTrusT for short, has prepared a document with concrete recommendations for action and published an English version in cooperation with the European Union Agency for Network and Information Security (ENISA).
The handbook is intended to help companies, vendors and service providers determine their IT security status and offers information and recommendations, e.g. on the encryption of e-mails, the use of VPNs, cloud-based data exchange, etc. The handbook is available in German and English.
You will find an overview of all the principles of the manual that will help you to implement the legal requirements in practice at the following link: