After around a year of preparation, planning and implementation, mgm technology partners is now an ISO/IEC-27001-certified company. For this, the key information security risks were identified, protective measures were defined and monitoring processes were drawn up. This also means changes for all employees and will form the basis for further applications and expansions.
One core team, almost a year of development work, support from the management team and other departments, one sentence to sum up all of our hard work: “This is to certify that mgm technology partners GmbH (…) has implemented and maintains an Information Security Management System.” You can read more in the official certificate from audit company DQS, which proves that we comply with the standard ISO/IEC 27001:2013. It’s an important milestone for mgm. “At the start, we had doubts and concerns about the amount of effort required but we’re now convinced that this ISO certification was the right choice for us and is important for mgm,” explains Hamarz Mehmanesh, CEO and founder of mgm. “I’m thrilled that the audit was successful.”
International standard ISO 27001 with focus on individual risk factors
ISO 27001 – referred to as “27k” within mgm – requires companies to concentrate on creating a risk analysis. In this context, “risks” means: where within an organisation could any kind of damage relating to information occur? What information could be lost, distributed improperly or falsified? And, most importantly, how can such incidents be prevented, and what measures need to be taken if one does occur? An information security management system (ISMS) allows auditors to check this and allows the process to be regulated transparently within the company. The idea behind ISO 27001 is extremely efficient. Unlike other business standards, it does not require companies to spend time drawing up and documenting defined processes that may be irrelevant to the actual work.
As a technology company, mgm develops vital enterprise software for medium-sized companies, corporations and the public sector, so information security has always been important to us. The ISMS therefore addressed the information itself; the type, medium and storage location are irrelevant. This means information in the very widest sense – information about mgm and customers, whether this be digital information in systems or in notebooks, which can be left lying around. The standard does not expect a complete solution. It is more about ensuring as many potential risks as possible are covered, including unsafe operating conditions, such as fire, ingress of water and other natural hazards.
The key to success: external specialist advice for all changes
Because the required information and the expected tasks were initially unclear, an external specialist supported mgm throughout the process. At the start of the project, a core team and project organisation were formed from the security and IT departments, as well as other interdisciplinary divisions. This included direct and fixed project participants from the main customer industries of Insurance, Public Sector and Commerce.
But the changes do not just affect the IT specialists and security experts at mgm. The ISMS cannot work without the compliance and cooperation of all employees. Here are a few examples.
- All new employees at mgm technology partners and mgm security partners receive training on their first day.
- We also have a clean-desk policy in place – notes, records, flip charts and other analogue documents cannot be left lying around and need to be locked away in the evening.
- Special, encrypted USB sticks must be used in instances where these cannot be avoided.
- In the PowerPoint template note, a confidentiality level must be selected and displayed.
- The company wiki contains around 80 documents for all employees with guidelines and information for day-to-day work.
One thing was always clear throughout the 27k project. Employees at mgm were already following processes before the ISO certification; it was just the documentation and definition of these that were missing. The ISO core team therefore did not have to invent any processes – in many cases, they just had to write them down or discuss them and tighten them up. In this respect, it was a great advantage that internal documentation requirements such as IT orders, access authorizations and onboarding releases have been fulfilled using Jira (ticket system) and Confluence (wiki) since 2007. What’s more, these tools have also been used for a long time now to record relevant responsibilities, recurring process chains and information exchanged during customer projects in a systematic, documented manner.
ISMS for several sites – with plans for expansion
The current certificate applies to mgm technology partners at the three largest sites in Germany (Munich, Hamburg and Leipzig) and mgm security partners at the Munich site. The plan is to formally include all sites in Germany in the certification by the end of 2020.
For a bit of context, according to the latest ISO 27001 statistics (as of the end of 2018), there are 1057 valid certificates in Germany (2003 company sites) and 31,910 worldwide (for 59,934 sites).
ISO 27001: obligation to make continuous improvements
Passing the audit is not the end of the project – it’s just the beginning. Like any audit whose results are meant to endure and be put into practice in an organisation, the process never ends. For this, it is important to constantly raise awareness within the company. At mgm, for example, we are handing out red cards during random spot checks and providing advice about how improvements can be made. What’s more, all mgm employees at the certified sites have to complete training once a year on the key regulations and any new developments. There will be mandatory courses for this on the e-learning platform.
The ISO certificate is issued for three years, but we can only keep using it if we pass the annual reviews. We are still working on some points from the first audit and documenting this in a transparent manner so that we can resolve open issues. These will be checked in the next cycle. The extended core team is working on these and other improvements during their monthly meetings. All those involved know that ISO 27001 is an ongoing task on which we all need to continue working together.
This text is based on a longer discussion with Janina Huber, Hartwig Schneider and Marcel Farber, who form the core team for the implementation of ISO 27001. You can read the interview here.