Why we are aiming for ISO/IEC 27001 certification by the end of the year


As a software service provider, we are surrounded daily by a great deal of confidential information and data that customers entrust to us. This includes content and messages, but also personal data of a particularly sensitive nature.

Responsible handling of this data is more important than ever, because the aspects of confidentiality, availability and integrity are becoming increasingly important in this context, both for us and for many of our customers.

With ISO 27001 certification, we can objectively and credibly demonstrate the effectiveness of our security processes and measures. This globally recognized standard defines the requirements for the introduction, implementation, documentation and improvement of an ISMS (more on this below).

The ISO 27001 standard

The international standard ISO/IEC 27001 (more here) specifies the requirements for establishing, implementing, maintaining and continuously improving a documented information security management system, taking into account the context of an organization. In addition, the standard includes requirements for assessing and addressing information security risks according to the individual needs of the organization. The standard has also been published as a DIN standard and is part of the ISO/IEC 2700x family.

The standard specifies requirements for the implementation of appropriate security mechanisms, which are to be integrated into the circumstances of individual organizations. The German part of this international standardization project is managed by DIN NIA-01-27 IT Security Procedures.

Introduction and improvement of the ISMS

A central aspect is the introduction of a comprehensive ISMS. A so-called information security management system (ISMS) supports us in closing weak points within our structures and minimizing security risks. ISO 27001 defines the criteria for the structure, introduction, operation, monitoring and continuous improvement of a documented ISMS.

Taking legal, regulatory and contractual requirements into account, ISO 27001 defines all requirements for the structure, introduction, implementation, operational monitoring and documentation of our ISMS. Existing risks for the company are identified, analyzed and addressed with appropriate measures. In addition to hacker attacks, this also covers other disruptions that lead to unplanned interruptions of processes or even bring business operations to a standstill.

More than just IT

ISO 27001 is not limited to IT processes, but also takes into account aspects of infrastructure such as organization, personnel and buildings. Much of this is already transparently and comprehensively outlined today in our Technical and Organizational Measures document (see here for more), but we believe that external certification always provides a good, additional step towards trust.

Above all, the Plan-Do-Check-Act model on which ISO 27001 is based ensures continuous improvement. It is not a one-time inventory, but a continuously maintained level of security that is repeatedly refined and repeatedly checked by external auditors.

External certification audit

Since the beginning of 2022, we have been working intensively on the certification requirements. A dedicated team reviews processes, optimizes technical structures, develops and writes documentation and specifications, and coordinates internal communication towards the workforce. Ultimately, it is always a matter of training and sensitizing all employees to these requirements.

We are on the right track and are very confident that we will have passed the certification by an external auditor by the end of the year. But how exactly does such an audit work?

First of all, there is an internal audit, also carried out by an expert. An internal ISO 27001 audit is to be understood as a self-assessment of the information security management system. Its goal is to uncover non-conformities with the requirements of the ISO/IEC 27001 standard early enough to correct them. The standard itself also requires that internal audits be carried out regularly.

Audit execution

The actual audit execution begins with an opening meeting. During this meeting, the auditor presents the audit plan. In addition, any necessary changes can be discussed at short notice. During the audit itself, information is collected. The auditor uses various methods to do this:

  • Examination of documents
  • Observation or on-site inspection
  • Discussions with employees

As part of the follow-up to the audit, the auditor prepares an audit report and distributes it to the audited area. Often, improvements are requested, which then have to be implemented promptly.

At the end of this long road, the entire audit process ensures that everything is first checked internally, then scrutinized externally, and finally certified.

Naturally, we keep all customers and interested parties informed about the process and conclusion. The audit report as well as all underlying documentation is disclosed and available for review. We are always open to questions or comments.

Please feel free to get in touch with your contact person at any time.