Since the beginning of 2020 mgm technology partners is ISO 27001 certified. The standard confirms a functioning information security management system (ISMS), the implementation of which is anything but a side task. The core team of planning and implementation, which is still active, reports from practice.
In discussion (conducted June 2020): Hartwig (Hardy) Schneider (project management), Janina Huber (project management) and Marcel Faber (IT management) – more information about the discussion partners here. A news about the ISO 27001 certification can be found here.
ISO 27001 and ISMS in detail
Perhaps a short introduction: What is this ISO 27001 standard actually? And what is behind ISMS?
Where are there things that could harm a company? This refers to things in connection with information.
Hardy Schneider: ISO 27001, in reality a whole family of standards, assumes that one should not take care of everything, but rather the subject of risks. Where are things that could harm a company? It means things related to information. The system for this is called ISMS, an Information Security Management System. The system should therefore deal with the risks that exist in companies when information is lost, when information is distributed incorrectly, i.e. to undesired recipients or even falsified. And the system describes how to deal with the fact that the whole thing doesn’t happen and the measures to be taken if it does happen.
Why did mgm do this, what are the advantages or benefits?
Janina Huber: There are two main reasons. One reason is, that the processes, which have been lived at mgm for a long time, have been documented and recorded. This is now accessible to everyone, and everyone can check it at any time. The second reason is that more and more customers and companies have asked if we are ISO 27001 certified or want to be certified. We have complied with this request. This means that we can also participate in certain tenders that we were not able to take part in before.
This means that we can also participate in certain tenders,
that we couldn’t perceive before.
Hardy: We were actually only able to win a new customer last year because we were able to announce that we were about to receive the certificate. Over the last three years, a clear trend was actually discernible, especially in industries that are monitored by the Federal Financial Supervisory Authority, such as banks or insurance companies.
Marcel, the direct question to you as an IT specialist: Were you pleased when you heard that mgm wants to be certified?
Marcel Faber: I was actually happy about that because I personally am a friend of the fact that things are clearly regulated and that there are certain processes that you should stick to. In retrospect, I’m still glad that we did it. But it was by no means without the nine months we worked on it.
Analog and digital information at a glance
Let’s get in. I assume that ISMS means the information itself, by what means and in what medium it does not matter. Am I right?
Hardy: You are absolutely right. The information includes the notebook, as an example from practical life. You carry that with you and you can accidentally leave it in a train. Just like the digital information that we have in the many systems. So all kinds of knowledge about us as mgm or knowledge about the knowledge of our customers. The medium and the type of representation are completely irrelevant.
But is it possible to get an overview of the wealth of information in an organization, both analog and digital?
It is never a hundred percent solution. Nor, incidentally, is this expected of any of these security management systems.
Hardy: No. We cannot look into the brains of every employee. And we can’t look into every corner of the files to see if we’ve grazed everything. But of course it can be categorized. It’s never a hundred percent solution. And none of these security management systems are expected to do that either. It’s expected to cover as many of the potential risks as possible. You should have thought them out and planned measures.
How do I have to imagine how you have proceeded, how did you set up the project?
Hardy: At first there were also some reservations in our management. “Does this even fit with mgm?” Or: “This is all bureaucracy, nothing has ever happened here before.” So we had to deal with it a bit and see how much internal and external effort was involved. In the end, we decided to structure the project, defined a core team and then started with starting workshops. Always under the constant supervision of our external consultant. He played an essential role. I wouldn’t recommend any company to simply start off on its own.
How many colleagues did you ultimately have to organize, Janina?
Janina: That depended on the topic. The core team was actually always Hardy, Marcel and me. Marcel of course passed on some topics to his team, and we also passed on some topics to the projects. And we always had people from the three large department teams who supported us. The three of us worked more closely together with about ten people and I guess that they passed on the tasks to at least five to ten other people.
It was actually already the main part of my work. You can’t do it on the side.
Was it the main part of the daily business for you, Marcel, during this time?
Marcel: It was actually already the main part of my work. You can’t take part in it like that. So some of the topics you still have are already suffering.
Did you have to change a lot of the IT infrastructure for the whole organization?
Marcel: There were bigger things we had to change. There are also still some things we have to do. The advantage is that you don’t have to change everything strictly at once. I would call it a learning process. There is an annual re-certification process and a major recertification every three years.
Do you have any special learning from the project?
Janina: A big advantage of mgm was that almost all projects, no matter if internal or customer projects, work with Wiki and Jira and a lot is documented in it. Every ticket is a documentation that we could present to the auditors. They gave us very, very high marks for this, and we didn’t have to change anything. This is certainly a fundamental problem in other companies. It is simply not possible for us to provide you with a new notebook without it being documented in a ticket. Or that you can get access to any directory without a ticket.
All employees must follow suit
Has everyone’s awareness been raised yet?
Hardy: I don’t know if they all have. I’m sure about many of them. That’s also what the auditors told us and what they bring back from their practice: You have to constantly re-establish awareness. Otherwise it simply gets lost. Who doesn’t know that from ourselves, we become more careless over time. We therefore need constant repetition and attention. Be it a spontaneously scheduled tour, where we hand out red slips of paper.
Do you already have a plan, ideas and tips on how to maintain this awareness at the locations during the year?
All employees at the certified sites must be trained by us once a year.
Janina: Every new employee at mgm technology partners and security partner is trained on the first day of work. There he or she is shown a set of slides and is pointed out various points he or she has to adhere to. It is mandatory that we do this for everyone. The second point is that all employees at the certified sites must be trained by us once a year. We are in the process of making a video together with the e-learning team and putting up slides for it
This shows that the work is probably not done with the certificate. Would you say that the work is only just beginning or was the certification really the biggest part?
Hardy: The biggest part was to prepare ourselves for what is required in the certification. But no, the work goes on. We have also received a few suggestions for improvement from the auditors in the course of the certification, and we are still working on them. Or we have introduced things, only with or shortly before certification, which now need permanent controls, monitoring and additions. Some processes have become a bit more complex, especially in IT. So the subject is not over.
Is the analogue information or the digital information the bigger problem?
Actually, digital information is usually more powerful and critical in terms of quantity. Monitoring the analog information is more complex.
Hardy: Actually, digital information is usually more powerful and critical in terms of quantity. The monitoring of analog information is more complex. This can only be achieved by random sampling and by repeatedly providing information.
Marcel, for you as the master of digital information, how do you see it?
Marcel: We still have a few open construction sites that we are working on and which we are improving. I think that we will not run out of work or tasks in this area so quickly. I also assume that in future these audits will go more into the technical level. That the auditor says: “Okay, here we have process XY, show me exactly how it works.”
Wouldn’t make sense otherwise, would it?
Marcel: Yes, sure. Right.
After the certificate is before the certificate
So you have some things planned. What are the plans for the organization now?
We will try to formally include the complete locations in Germany in the certification process towards the end of the year.
Hardy: From the very beginning we have dealt with the fact that we do not only want to include the big locations in Germany. In fact, this year we will also include other locations in Germany, where the auditors will then go either on a random basis or completely. In other words, we will try to formally include the complete locations in Germany in the certification process towards the end of the year.
Really all of them?
Hardy: All of them, yes. There are a few small locations, so it might not be worth the trip. But, we really do want to include all of them. And we want to do so with effect from the end of this year, so that they appear on the certificate and not just the three large sites at the moment. We are still uncertain about the consulting partners. Because there, of course, the processes and the work in terms of content are different, which may require different process descriptions.
Then I would say, let’s come to a conclusion. With the request to complete a sentence: ISO 27001 is for me …
Hardy: A further stage of development of mgm on a maturity scale.
Janina: The ISO has been a very nice mgm project for me, in which I enjoyed being a part of. That was very exhausting. But I think that it brought mgm a lot.
Marcel: ISO 27001 is for me a project that showed that mgm already had some processes in place that are quite useful and that were really lived.
That are great closing words. Thank you very much for all the information. We will and surely speak for an update on this topic again.
The discussion partners:
Marcel Faber has been with mgm since 2003 and is responsible for the entire IT area. In this function he was of course part of the core team of the ISO 27001 project.
Janina Huber has been with mgm since 2014 and is a member of the overarching team “Project Management Office”. Accordingly, she was in charge of the ISO project, coordinating the sub-steps and implementations and also implemented some requirements operationally.
Hartwig (Hardy) Schneider is regarded as the driving force behind mgm’s decision to move towards ISO certification. He belongs to mgm since 2003, is in charge of information security and is also data protection officer. Role at “27k”: Project manager.