Stable systems and protection against cyber attacks – even more security for PROMOS customers thanks to ISO 27001 certification
IT&I: Ms Sorgalla, can you explain to us what ISO 27001 certification is all about and why it is particularly important for customers?
Viktoria Sorgalla: Of course. ISO 27001 is an internationally recognised standard for information security management systems (ISMS). With this certification, we are demonstrating that we take reliable and standardised safety measures. For our customers, this means that they can rely on a controlled and constantly increasing level of security. The certification is not just a status quo. It shows that we are committed to continuously improving our processes and infrastructure and to documenting and verifying this in regular audits.
IT&I: To what extent can customers benefit from these security measures?
Sorgalla: Put simply, your systems are optimally protected with us. With our processes and measures, we reduce the risks of cyber attacks and thus increase the availability of your systems. And there is another important aspect behind this. Companies affected by cyber attacks had to pay an average ransom of almost USD 280,000 in 2022. So it really does pay to focus on a high level of security.
Apart from this, we also offer our customers tailor-made security measures if required. These personalised measures build on the already very high standards that we offer.
IT&I: What role does continuous improvement play in the context of ISO 27001?
Sorgalla: A central component of ISO 27001 is the obligation to continuously improve the ISMS. This means that we continuously evaluate and improve our security processes and guidelines in order to keep pace with changing threats and increasing technical complexity. This also includes internal training and awareness campaigns to ensure that our employees are always up to date.
IT&I: You took a lot of time to set up the ISMS and proceeded very carefully. The auditors also commented favourably on this. Can you describe the set-up? What specifically needed to be changed and what issues needed to be tackled?
Sorgalla: We started to set up an ISMS around three years ago in collaboration with our specialised service provider HiSolutions. The measures cover almost all areas of PROMOS. On the one hand, they relate to important investments in our hardware. On the other hand, guidelines and processes had to be created and implemented. This includes a new guideline for secure software development, which our programmers must adhere to. This enables us to improve the quality of our products, which in turn benefits our customers. We have also established a change management process. This means that adjustments to the systems, such as SAP® transports, must first go through a review process and be approved by a committee before going live.
Figure 1: Analyses from recent years show that stolen data is a lucrative business.
IT&I: You say that the creation of an ISMS affected or affects the entire company. How have PROMOS employees reacted to the changes?
Sorgalla: Our employees are a decisive factor in our ISMS. It’s only thanks to their cooperation, vigilance and sensitivity to security incidents that we can maintain the level of quality that goes hand in hand with the requirements of ISO 27001. We were aware of this right from the start. That’s why we started the project with a small awareness campaign right at the beginning. Employees received small cryptonisers in the post from us for secure password creation. We also produced door signs for our offices with security instructions and provided special lock screens.
Of course, that was just a taster to kick things off. We train our employees annually. We also have a special channel in MS Teams where we provide information about current incidents and communicate the publication of processes or guidelines. This way of dealing with MS Teams was new even for our auditors and was very favourably received.
IT&I: What is the nature of such an audit? And how is the cooperation with the auditors and their feedback organised?
Sorgalla: We had three audit phases before the final certification. The last one lasted five days at three locations – Berlin, Kassel and Leipzig – with a total of three examiners. Such audit days are very structured and intensive. They usually begin with an opening meeting, followed by various review meetings and site inspections. The audits are not limited to checking compliance with the standard, but also include an assessment of the effectiveness of the measures implemented. These are days full of discussions, presentations and detailed analyses of our processes and guidelines. For example, our Compliance Officer answered the auditors’ questions for almost four hours instead of the scheduled two. The auditors tried to find points that had not been implemented. But he was able to put forward excellent arguments. In the end, the auditors were very impressed by the high quality that we were able to demonstrate in this initial certification.
IT&I: PROMOS is now officially ISO 27001 certified. What further steps are planned to maintain or improve the safety standard?
Sorgalla: As already mentioned, the continuous development of our ISMS is part of the commitment we make with the certification. In addition to regularly reviewing and adapting our security measures, we are planning further awareness measures and training for our employees. The aim is to continuously raise awareness of safety risks and further strengthen the safety culture within our company. At the same time, we also have to look at external factors.
IT&I: Are there any new legal or economic developments that we need to keep an eye on?
Sorgalla: AI is a good example here. This new technology also brings new challenges for us. We have just concluded data processing agreements (DPAs) with a suitable company in order to guarantee the security of the data here too. We always keep a watchful eye on this. Our CIO, Volker Schulz, and I discuss this regularly and review various issues. We are also currently certified in accordance with ISO 27001:2013 by TÜV Rheinland. When we are recertified in two years' time, the new standard from 2023 will already apply to us. There will also be some new points. So it remains exciting!
IT&I: That sounds like an interesting challenge. Thank you for the interview!
Sorgalla: A pleasure.