IT – in a secure way!

Security for internal and external information is an essential part of IP Dynamics’ corporate culture. The company has established a comprehensive Information Security Management System (ISMS) to ensure the availability, confidentiality and integrity of customer and operational data. IP Dynamics’ ISMS was certified in August 2021 by the independent Deutsche Gesellschaft zur Zertifizierung von Managementsystemen (DQS) in accordance with the international standard ISO 27001.

In addition to the certification according to ISO 27001, the certification according to ISO 9001, which has existed since 2018, was also confirmed by DQS during the audit.

Hartmut Junge, Information Security and Quality Management Officer at IP Dynamics, looks back on the certification process and explains why continuous information and data security is indispensable for the company.

Why was ISO 27001 certification so important for IP Dynamics?

Hartmut Junge: IP Dynamics has already been working with a quality management system according to ISO 9001 since 2018. There were two main reasons for the additional certification according to ISO 27001: On the one hand, we recognized that reliable information security can only be guaranteed in the long run by a transparent and well controllable management system. On the other hand, we want to meet the high security demands of our customers. Certification to an international standard by an external service provider shows our customers that they can rely on our technical and organizational measures and the agreed service quality at all times.

What does the term “information security” mean and what is the difference to data protection?

Hartmut Junge: Data protection focuses on the protection of personal data, meaning data of natural persons. Information security, on the other hand, is more extensive: Information, in general, consists of existing knowledge. This knowledge may exist electronically – in the form of data – or it may be written on a paper document, or it may exist only in the minds of people. Through information security management, we ensure that this knowledge is available when needed, in a useable form and for authorized persons only.

How has the introduction of the ISMS changed everyday working life at IP Dynamics?

Hartmut Junge: Handling data – especially customer data – has been our daily business for more than 15 years, which is why we already had a very high level of technical security before certification. Organizationally, we were able to expand on the existing process world.
To meet the requirements of ISO 27001, however, we had to elaborate our formal basis. For example, we have formalized the management of information security risks to a greater extent and documented many of the proven and already practiced procedures in official guidelines. In general, there are now more business cases for which binding guidelines exist. The expansion of the rules documented in writing provides our colleagues with reliable guidance in their day-to-day work.
And, of course, my role of information security officer is also new.

Were there any particular challenges?

Hartmut Junge: The numerous new guidelines and processes initially caused some uncertainty among a few colleagues. Some feared that we were acting too bureaucratically as a company and were losing the flexibility that our customers expected. However, we were able to overcome these concerns through targeted training and individual discussions. In the meantime, both management systems, quality and information security, are universally supported in the company.
Both “politically” and technically, the handling of WhatsApp on the company’s smartphones was a much-discussed topic. In the end, however, we found a convincing solution that complies with data protection regulations and is user-friendly.

How did the certification go and what conclusion do you personally draw from it?

Hartmut Junge: Three locations, eight working days, two auditors who were as friendly as they were conscientious with what felt like 27001 questions – the company was very thoroughly screened. In the end, however, the solid preparation paid off.
All in all, it was a challenging and interesting task to obtain the 27001 certificate. Now my colleagues and I have to ensure that the information security measures remain appropriate and effective. That’s why I’m already preparing for internal audits, which we will use as a basis for regular reviews.