Operators of critical infrastructures (CRITIS) in sectors such as food, health, energy and logistics have until the end of January 2018 to implement state-of-the-art protection for their IT systems, based for example on ISO/IEC 27001. Since secure handling of internal and external data is a top priority for the Circlon | group, they are planning to introduce an ISO/IEC 27001-compliant information security management system (ISMS) at their Cologne site. Their two other sites in Goettingen and Norderstadt are expected to follow suit. Acquiring this certification gives the Circlon | group a key differentiating feature in the marketplace. It demonstrates a high level of IT security combined with great transparency, which customers can have full confidence in.
As part of the pre-certification process, Circlon | pds assembled a team comprising staff from the IT, development, consulting and HR departments. External consultants are also assisting with the preparations, providing valuable outside input. The new measures make IT systems more secure and reduce the risk of data being compromised. They also minimise data loss and theft. As a result, all confidential information – especially relating to customers – is better protected. Moreover, IT system availability is increased, software processes run more securely, and organisational procedures are optimised.
Having started work in July 2017, the ISMS team in Cologne have already taken the first steps. For example, they drew up generally applicable procedures such as policies for passwords and access rules. Measures to implement these procedures range from creating a risk management system through to physically securing the facility site and server rooms. In addition, part of the IT infrastructure will be renewed in 2018, especially the Wi-Fi network. Staff training is planned, along with the adoption and implementation of additional policies, and a review of the results.
Primarily, this is about learning from the past: the idea is that all employees should develop a fundamental awareness of the issues, and therefore act with increased caution – e.g. with regard to workplace security, using removable media, and handling their own and especially third-party or unknown files.
It was clear in advance that the ISO/IEC 27001 certification process would be a challenge, requiring investments and tying up resources. On the other hand, it offers a demonstrable benefit for the Circlon | group. It will reduce legal and financing costs, insurance premiums, as well as commercial and liability risks, while enhancing the competitiveness and image of the Circlon | group as a whole.
The standard and its applicability
ISO/IEC 27001 is an international standard for information security. It sets out requirements for planning, supporting, operating and optimising a documented information security management system (ISMS). An ISMS defines rules, processes, measures and tools for managing, controlling, safeguarding and optimising information security. The aim, in part, is to identify and gain better control over the risks arising from the deployed IT systems. In addition to processes for service provision, the planned certification at the Cologne site also covers employees, rooms, buildings and IT infrastructure, including internal and external connections as well as physical server hosts. Its scope includes the enterprise resource planning (ERP) system, the Circlon Operate system, source code administration software, and office communication.