IT security has been an important aspect of PROSTEP's work since long before the NSA scandal. And in order to underscore this fact, the company is currently undergoing ISO 27001 certification. Dr. Rainer Bugow, head of technology at PROSTEP, explains the benefits of certification to the organization itself and its customers.

Question: Mr. Bugow, why do we actually need an IT security standard? Isn't all this already covered by the quality standards?

Bugow: ISO 27001 contains relatively concrete stipulations as to what a company has to do in order to guarantee information security, for example that it must have a designated person responsible for information security, including IT security, and who is also able to intervene in business operations. The process involves checking how confidential information is handled and whether data protection regulations are observed. In contrast, ISO 9001 only certifies that I adhere to my own processes in the way that I have defined them, but says nothing about whether they are fit for purpose.

Question: PROSTEP expects to be awarded certification in the autumn. What exactly is being certified?

Bugow: That our organization complies with the requirements of the standard, not only in terms of the current level of security of the IT systems and ongoing improvement of their security, but also with regard to the behavior of the staff. For example, when they leave their office, no items containing personal data may be left on the desk. This is less a matter of IT security than it is of the awareness of users. And when customers provide us with confidential or secret information, we have to classify it accordingly and if necessary encrypt it or, if it is in the form of secret paper documents, store it in a separate safe.

Question: So the rules apply not only to the IT systems but also to all aspects of organization, right down to the filing of paper documents? And what about your products?

Bugow: Our products are taken into account insofar as we have a directive for secure development and we have some of our software inspected by external auditors. If we are dealing with a custom solution, a security assessment will always be carried out at the start of development. The software development process is thus also an integral part of certification. We protect our software but we cannot, of course, take responsibility for operation and IT security at the customer.

Question: Why is ISO 27001 certification so important to PROSTEP? Is it a requirement on the part of the customers?

Bugow: That's right. The certification process has shown that we already had very secure procedures in place, but we need to be able to provide evidence of this to our customers. And to do that, we need the certificate.

Question: Is this a requirement that is being expressed primarily by customers from the automotive industry?

Bugow: As a rule, it is the major carmakers that expect it of us. They want to achieve the same level of security when handling confidential data in the supply chain as they do in their own organization. This extends as far as us having to require our suppliers to adhere to appropriate security guidelines. Certification is still relatively rare for a company of our size and is actually only really necessary because we work with such large customers.

Question: So how many German companies are actually certified according to ISO 27001?

Bugow: In 2012/13 there were no more than 600 certified companies in Germany, which is not many compared with some other countries. But this number is likely to have risen considerably since then, because large companies are increasingly requiring their partners to be certified in order to guarantee IT security.

Question: Is the automotive industry particularly strict in this regard, or are other industries also demanding certification?

Bugow: It is primarily the automotive and aerospace industries that are demanding certification. Airbus has similar expectations if a company wants to be a major supplier. Companies from other industries, on the other hand, have not been so quick to adopt this approach. Indeed, they could well benefit from our experience in implementing ISO 27001.

Question: How much effort is involved in the certification process? What changes did you have to make?

Bugow: Because our operations were already well prepared, certification for us was largely a question of completing the many formalities. We had to write more than 20 new security directives. Our very small IT team now has to provide much more detailed documentation of the changes they make to the system settings, for example if they enable a new port on the firewall. It is no longer possible to do things like that informally, as and when they are needed. The reason has to be recorded, and in the event of changes that have a major impact, a second person has to confirm them. We have to be in the position to trace activities without the need to hunt through log files so that we can deal with any emergencies without delay if any security problems should arise.

Question: Who certifies your IT security and how is it checked?

Bugow: There are a number of organizations who are allowed to carry out certification. In our case, it is DQS. Their experts visit us and not only inspect the IT systems but also examine certain organizational workflows. We have to demonstrate that IT security is an integral part of our workaday practice, for example that we make backups, that the backup process works and that we check that it works. And this is what is laid down in our security directives. Or they look at our computers to see whether there is any software installed that is not on the whitelist. Another thing that the experts check is the key management procedures when employees are hired or leave the company.

Question: ISO 27001 was changed in 2013 to make it more rigorous. What were the most important changes?

Bugow: One thing was that the 2013 version deals with risk management in more detail. The intention is that one should be fully aware of risks so that a decision can be made either to take steps to counter the risk or to consciously accept the risk because the potential impact is limited. The potential damage associated with certain risks is therefore classified and a top-level management decision is taken as to whether further security measures need to be put in place or not. One has to accept that it is not possible to completely exclude certain risks, for example those associated with building security in rented premises.

Question: People pose the greatest risk to information security. How have you gone about sensitizing your staff?

Bugow: ISO 27001 requires companies to have a plan for ongoing training and for the instruction of new and existing staff. And that's what we're doing right now. We are currently holding the awareness training courses and are constantly confronting staff with security issues in their day-to-day work. We have to foster an understanding on their part that the need-to-know principle does not imply a lack of trust but rather is there to minimize any vulnerability to attack from the outside.

Question: The risks as regards information security and the associated standards are changing all the time. How often does a company need to repeat the certification process?

Bugow: I hope that the standard will not be changed again in the near future as this always entails significant effort. But following initial certification, there are annual surveillance audits and a new certification audit after three years. And between these audits, we monitor ourselves with regular audits and event-driven audits. The standard requires that we constantly check our IT security. This is where the actual time and costs involved in ISO 27001 certification lie.

Dr. Bugow, thank you very much for this interview 
(the interview was conducted by Michael Wendenburg).