A robust ISMS – PROMOS receives recommendation for certification in accordance with ISO/EN 27001:2013
What does ISO 27001 mean?
The internationally recognised ISO 27001 standard certifies compliance with guidelines for the establishment, implementation, maintenance and continuous improvement of a documented Information Security Management System (ISMS). Its aim is to eliminate potential weak points in the company and to minimise security risks. Certification according to this globally recognised ISO standard demonstrates the effectiveness of the established ISMS, taking the operational context into account. Companies certified according to ISO 27001 guarantee in particular the confidentiality and integrity of data as well as the availability of IT processes and systems.
In a multi-stage process, TÜV Rheinland reviewed the ISMS that had been set up at PROMOS over the past two years, and the result was a clear recommendation for certification!
The multi-year development of an effective ISMS
In 2021, Volker Schulz, Chief Information Officer, together with a team of experts and with the support of the consulting firm HiSolutions AG, started to build an ISMS at PROMOS. Using a meticulous approach, the various necessary processes were developed, established and documented. The areas where action was still needed were identified and the necessary structures were created. In an ongoing process, a review was carried out to determine which further measures needed to be taken in order to create a reliable ISMS. Looking back, Schulz explains: “We are very satisfied with the decision we took back then to take our time with the development of an ISMS and to conscientiously and comprehensively adapt the structures and workflows of the company to the requirements of an ISMS. This approach was also acknowledged by TÜV Rheinland as very positive”.
ISO 27001 – Put through its paces
Viktoria Sorgalla, Information Security Officer at PROMOS, successfully navigated the auditing process. It was her job to answer the auditors' questions conscientiously, to provide evidence of structures and documents, and to give insights into the systems and conditions on the ground. She sees the advantages of certification above all in the added value for our customers: “With the defined processes, we are creating operational security in the company and establishing standards that are enormously important for the satisfaction and security of our customers. Thanks to this international standard, companies all over the world can rely on the fact that our systems as well as their data are safe with us”.
The auditing process took place in two stages. In the first stage, intensive checks were carried out to ensure that all required documents and workflows were available and complied with. The second stage focused on the comprehensive set of security and protection measures recorded in Annex A of ISO 27001, which are designed to strengthen information security. Over the course of several days, the TÜV Rheinland inspectors gained a comprehensive picture of the standards at PROMOS. This centred on a review of the ISMS manual, but also included interviews lasting several hours with Compliance Officer Daniel Rosemeyer, an examination of evidence on the subject of network security and a review of compliance with the guideline for secure software development.
Auditing by TÜV Rheinland – An interim result
CIO Schulz and Information Security Officer Sorgalla look back on their work with pride: “The auditors were thoroughly satisfied with the ISMS set up by PROMOS and could not find any non-conformities”. Sorgalla adds: “They even assured us in the discussions that we had set the bar very high for an initial certification”.
What does this mean for the certification process? PROMOS has received the recommendation for certification from the examiners. In the next steps, the audit report will now be thoroughly checked again by the certification body for compliance with the standard, completeness and the correct performance of the audit. Schulz comments: “The final result is expected in one to two months. Based on the recommendation we received and the discussions we had, we are very confident about the final decision by the TÜV Rheinland staff”. He adds: “For our customers, the establishment of our ISMS once again demonstrates the high quality of our handling of the data entrusted to us and our IT infrastructure. With the certification, this is no longer just a subjective feeling, but a verified fact. With the prospective certification, we are also taking an important step in our growing activities on the international scene”. In the future, too, PROMOS will be continually engaged in the topic of IT security. It is an ongoing process in which companies must constantly improve to meet the latest security standards.