IT — but safe!

The company has established a comprehensive information security management system (ISMS) to ensure the availability, confidentiality, and integrity of customer and operational data. The ISMS from IP Dynamics was certified in August 2021 by the independent German Society for Certification of Management Systems (DQS) in accordance with the international standard ISO 27001.

In addition to ISO 27001 certification, the audit also confirmed the ISO 9001 certification, which has existed since 2018, by DQS.

Hartmut Junge, information security and quality management officer at IP Dynamics, looks back on the certification process and explains why continuous information and data security is essential for the company.

Why was ISO 27001 certification so important for IP Dynamics?

Hartmut Junge: IP Dynamics has been working with an ISO 9001 quality management system since 2018. There were two main reasons for the additional ISO 27001 certification: On the one hand, we recognized that reliable information security can only be guaranteed in the long term through a transparent and easily controlled management system. On the other hand, we want to meet the high safety requirements of our customers. Certification in accordance with an international standard by an external service provider shows our customers that they can rely on our technical and organizational measures as well as on the agreed service quality at any time.

What does IP Dynamics understand by the term “information security” and what is the difference between data protection and data protection?

Hartmut Junge: Data protection focuses on the protection of personal data, i.e. data from natural persons. Information security, on the other hand, is much more broadly defined: Information generally consists of existing knowledge. This knowledge can be available electronically — i.e. in the form of data —, written on a paper document, or only exist in people's heads. Through information security management, we can ensure that this knowledge is only available to authorized persons in a usable form when required.

Was the introduction of the ISMS for IP Dynamics associated with specific changes in everyday working life?

Hartmut Junge: Handling data — particularly customer data — has been our daily bread for over 15 years, which is why there was a very high level of technical security even before certification. Organizationally, we were able to build on the existing process environment.

However, in order to meet the requirements of ISO 27001, we have once again significantly expanded our formal framework. For example, we have more formalized the management of information security risks and have documented many of the tried and tested procedures that have already been followed in official guidelines. In general, there are now more business cases for which binding requirements exist. The extension of the rules, which are documented in writing, provides our colleagues with reliable guidance in everyday working life.
And, of course, my role of information security officer has also emerged anew.

Were there any particular challenges?

Hartmut Junge: The numerous new guidelines and processes initially caused some colleagues some uncertainty. Some have feared that we as a company would act too bureaucratically and lose the flexibility that our customers also want. However, through targeted training and one-on-one meetings, we were able to allay these concerns. Both management systems, i.e. quality and information security, are now widely accepted in the company.

The use of WhatsApp on service smartphones was a much-discussed topic both “politically” and technically. In the end, however, we also found a convincing solution for this that is privacy-compliant and user-friendly.

How did the certification go and what do you personally draw from it?

Hartmut Junge: Three locations, eight working days, two auditors who were as friendly as they were conscientious with what felt like 27001 questions — the company was examined very thoroughly. In the end, however, the thorough preparation paid off.
All in all, it was a challenging and interesting task to obtain the 27001 certificate. My colleagues and I must now ensure that information security measures remain appropriate and effective. That is why I am already preparing for internal audits, on the basis of which we will regularly review exactly that.