Managed security and compliance (ISO 27001, etc.)
We were contacted by a representative of the German automotive industry. They urgently needed to demonstrate compliance with ISO 27001 and the ENX Trusted Information Security Assessment Exchange (ENX TISAX®). Intense competition in the automotive systems market (security, driver assistance, navigation, entertainment systems, etc.) forces leading car manufacturers and their suppliers (Volkswagen-Audi Group, Porsche, Daimler AG, BMW, Bosch, etc.) to rush new products to market while maintaining the same high levels of quality, safety and security. This is why our client was highly motivated.
Before contacting us, the client had tried to fill in the ENX TISAX® self-assessment forms themselves, but a lack of the necessary competencies meant they could not even start the implementation process properly.
ENX TISAX®, although its VDA ISA requirements catalogue is derived from ISO 27001, has its own specifics. For example, unlike an ISO 27001 audit, which can take several days, an ENX TISAX® auditor spends only one day at the customer's office, but collecting the evidence for each security process then takes about 3 months. The ENX TISAX® assessment reporting process relies on a high degree of automation using modern GRC (Governance, Risk management, and Compliance) systems.
During the first 3 months after signing the contract with our client, we thoroughly studied their business processes and developed about 50 documents necessary for compliance with ISO 27001 and ENX TISAX®. During the implementation and audit reporting, we used Redmine and Goriscon systems.
It took 6 months of intense collaboration between our consultants and our client's employees from the start of the project until the day they received the ENX TISAX® compliance label. We conducted several training sessions, performed a series of server and application security assessments, strengthened network security and system life-cycle security, and implemented risk management, security key performance indicators (KPIs), change management and incident management processes, among others.
Implemented processes, operations, and security systems must be maintained continuously or they lose effectiveness. Therefore our client ordered the ‘Remote Information Security Manager’ service from us. We have continued to conduct regular training sessions with our client, monitor information security events, respond to security incidents, perform quarterly vulnerability scans, audit software source code, and report to our customer's auditors and clients; in other words, we perform the full function of an information security manager.
Improved security was not the only thing our customer got out of this project. During asset management and technical vulnerability assessment, we discovered ineffective use of systems, such as redundant access rights and configuration errors that reduced network performance. As a side effect of the project, the customer optimized some of their IT operations.
Achieving the official compliance status with ISO 27001 and ENX TISAX® allowed our client to get new, long-term contracts from one of the giants of the German automotive industry.
Learn more about VDA ISA and ENX TISAX®.
A small software company was required by their customers to be certified against the ISO 27001 standard. Moreover, the certification body had to hold the highest international accreditation level, i.e. be accredited by UKAS (the United Kingdom Accreditation Service).
Previously, the company had taken only superficial measures and performed only occasional information security work, and only in the area of server and workstation protection. We immediately began working on the scope analysis and on outlining the work plan for the initial audit and gap analysis. We performed this work for the client free of charge. This showed the company that we were competent in such challenges and could build realistic plans, so they signed a contract with us for an audit, a gap analysis, and the development of an implementation plan. We completed this work in 3 weeks. The customer was once again convinced that our experience and speed exceeded their expectations.
After that, the customer signed an agreement with us for the implementation of ISO 27001. Within six months, we developed all the controls required by the standard, described them in 18 policies and procedures, implemented several security management registers, and conducted staff training. We paid particular attention to the secure software development life cycle.
Then the question of choosing an independent auditor arose. We recommended one of the largest German auditing firms to our client. We also contacted this auditor, held a discussion with them and briefed them on our client's management system in advance. The client and the auditors signed an agreement for the audit and certification.
During the audit, we represented our client and defended the information security management system that we had built. The auditors raised minor findings, as they usually do. We addressed these findings, made the corrections, and 2 weeks later our client received an official ISO 27001 certificate.
To maintain the implemented system and keep the certificate valid through the annual surveillance audits, the company subscribed to our ‘Virtual CISO’ service.
Our client was pleased with our competency in security process management, so they also asked whether we could provide IT security services. The company ordered the following services from us: application security, source code security analysis and penetration testing of their software products.
The company obtained a certificate stating that they were compliant with ISO 27001 and that they had successfully passed the security assessment. They published the certificate on their website and used it in marketing materials. The company advertised its new status and gained a significant competitive advantage, which increased the number of orders and sales.
Learn more about ISO 27001.