
Security for internal and external information is an essential part of IP Dynamics’ corporate culture. The company has established a comprehensive Information Security Management System (ISMS) to ensure the availability, confidentiality and integrity of customer and operational data. IP Dynamics’ ISMS was certified in August 2021 by the independent Deutsche Gesellschaft zur Zertifizierung von Managementsystemen (DQS) in accordance with the international standard ISO 27001.
During the audit, DQS also confirmed the company's ISO 9001 certification, which has existed since 2018.
Hartmut Junge, Information Security and Quality Management Officer at IP Dynamics, looks back on the certification process and explains why continuous information and data security is indispensable for the company.
Why was ISO 27001 certification so important for IP Dynamics?
Hartmut Junge: IP Dynamics has already been working with a quality management system according to ISO 9001 since 2018. There were two main reasons for the additional certification according to ISO 27001: On the one hand, we recognized that reliable information security can only be guaranteed in the long run by a transparent and well controllable management system. On the other hand, we want to meet the high security demands of our customers. Certification to an international standard by an external service provider shows our customers that they can rely on our technical and organizational measures and the agreed service quality at all times.
What does the term “information security” mean and how does it differ from data protection?
Hartmut Junge: Data protection focuses on the protection of personal data, meaning data of natural persons. Information security, on the other hand, is more extensive: Information, in general, consists of existing knowledge. This knowledge may exist electronically – in the form of data – or it may be written on a paper document, or it may exist only in the minds of people. Through information security management, we ensure that this knowledge is available when needed, in a useable form and for authorized persons only.
How has the introduction of the ISMS changed everyday working life at IP Dynamics?
Hartmut Junge: Handling data – especially customer data – has been our daily business for more than 15 years, which is why we already had a very high level of technical security before certification. Organizationally, we were able to expand on the existing process world.
To meet the requirements of ISO 27001, however, we had to elaborate our formal basis. For example, we have formalized the management of information security risks to a greater extent and documented many of the proven and already practiced procedures in official guidelines. In general, there are now more business cases for which binding guidelines exist. The expansion of the rules documented in writing provides our colleagues with reliable guidance in their day-to-day work.
And, of course, my role of information security officer is also new.
Were there any particular challenges?
Hartmut Junge: The numerous new guidelines and processes initially caused some uncertainty among a few colleagues. Some feared that we were acting too bureaucratically as a company and were losing the flexibility that our customers expected. However, we were able to overcome these concerns through targeted training and individual discussions. In the meantime, both management systems, quality and information security, are universally supported in the company.
Both “politically” and technically, the handling of WhatsApp on the company’s smartphones was a much-discussed topic. In the end, however, we found a convincing solution that complies with data protection regulations and is user-friendly.
How did the certification go and what conclusion do you personally draw from it?
Hartmut Junge: Three locations, eight working days, two auditors who were as friendly as they were conscientious with what felt like 27001 questions – the company was very thoroughly screened. In the end, however, the solid preparation paid off.
All in all, it was a challenging and interesting task to obtain the 27001 certificate. Now my colleagues and I have to ensure that the information security measures remain appropriate and effective. That’s why I’m already preparing for internal audits, which we will use as a basis for regular reviews.