It was a huge effort, but it was worth it. With an ISO 27001 certified information security management system (ISMS), Circlon | group in Cologne makes clear that it is investing continuously and substantially in the security of its information, data and systems. The certification follows a multi-site approach and also involves the Circlon | group ISMS teams in Göttingen and Norderstedt. Effective risk treatment based on a documented risk assessment contributes to the protection of assets throughout the company, i.e. to their confidentiality, integrity and availability. Dealing with threats in a standard-compliant way benefits the customers and business partners of the Circlon | group.
As a result of the ISMS activities, the information assets within the ISMS scope are now protected in a systematic, documented way. In addition, IT system availability has been increased, software processes are more secure, and organisational procedures will be continuously optimised. Michael Zitzmann, CEO of the Circlon | group, notes: “As a supplier, we have to take our customers’ security policies into account, too. With the ISMS rollout and certification, we are fulfilling our responsibility – transparently and traceably. We are also implementing a continuous improvement process in accordance with ISO 27001 at all of our sites. There will be regular TÜV Rheinland audits to verify its future success.”
After the audit comes the audit
An information security management system is usually operated in a continuous plan-do-check-act (PDCA) cycle. One year after the initial certification, i.e. in March 2020, TÜV Rheinland will again carry out an audit to check on the practical implementation and continuous improvement of the ISMS. This surveillance audit will determine whether the security level has actually been raised. For this reason, regular training sessions for all employees and ongoing internal self-checks are essential.
The considerable initial cost of certifying the Cologne site was worthwhile, as the other Circlon | group sites are now benefiting, too. In Göttingen, a gap analysis against the standard was carried out in January. Its ISMS is currently in the development stage; the measures are expected to come into effect in the third quarter of 2019. In Norderstedt, the ISMS project was launched in February. The extension of the certification to these sites is planned for the end of 2019.
Bruno Tenhagen (left) – Technical Director ICT Services & Auditor ISMS, TÜV Rheinland, Michael Zitzmann (centre) – CEO Circlon | group and Christian Höhnisch (right) – IT Auditor, TÜV Rheinland
Security through audited IT infrastructure
Within the Circlon | group, the ISMS applies to all processes for service provision, the employees concerned, as well as the rooms and buildings involved. The scope comprises the IT infrastructure, including internal and external network connections, as well as the physical hosts and the servers running on them. There is a particular focus on the enterprise resource planning (ERP) system, the Circlon Operate system, the source code management software, and office communication. For example, a server room separate from the site was set up, an emergency (contingency) scenario was specified, and electronic classification of documents and e-mails was implemented using Microsoft Azure Information Protection (AIP).
Years of preparations pay off
The ISMS team in Cologne started work in July 2017. In early October 2018, the first test audits were conducted by the ISMS team, followed by a pre-audit by an external consultant. All information and well over a hundred documents relating to the ISMS are reviewed regularly to check that they are still up to date and applicable. Most of these are policies and procedures for areas such as access control, password handling, mobile devices, encryption and many more. Wherever possible, the required measures are implemented via automated processes rather than relying on manual steps.
In January 2019 at the Cologne site, as the first stage of the TÜV Rheinland certification audit, the documents required under ISO 27001 were inspected and the audit plan was produced. Following this plan, the on-site audit took place in February and went smoothly. In March, the result was clear: the Circlon | group in Cologne received its certification. This is also good news for customers and business partners, since it demonstrates that a high level of information security has been reached.
Bruno Tenhagen, security analyst at TÜV Rheinland, commented: “The ISMS team of the Circlon | group in Cologne successfully put the requirements of the standard into practice. The efforts of the Circlon | group paid off: we did not complain about any deviations, only recommendations for improvement. We are pleased to issue our TÜV certificate to the Circlon | group in Cologne, which confirms that it conforms with the requirements of ISO 27001 for information security.”
The ISO/IEC 27001 standard
In times of increasing digitalisation, ISO 27001 certification is a way for enterprises to objectively and credibly demonstrate the effectiveness of their ISMS. This internationally recognised standard defines the requirements for planning, implementing, operating, documenting and continually improving an ISMS.
The Circlon | group protects the confidentiality of its data as well as the integrity and availability of its IT systems in this way. Just as the flow of information between people and electronic systems is constantly changing, so the needs, goals and factors influencing an enterprise’s security requirements, processes and structures also change over time.
With the rollout of a certified ISMS, the Circlon | group has achieved its goal of maintaining the security, confidentiality, integrity and availability of information for customers and partners, and of demonstrating this in a traceable and transparent way via external audits. This also means “living” and improving the ISMS process (PDCA cycle) on an ongoing basis. The Circlon | group is thereby putting its innovative principles into practice and working towards having all locations certified by TÜV Rheinland by the end of 2019.