Question: So the rules apply not only to the IT systems but also to all aspects of the organization, right down to the filing of paper documents? And what about your products?
Bugow: Our products are taken into account insofar as we have a directive for secure development and we have some of our software inspected by external auditors. If we are dealing with a custom solution, a security assessment will always be carried out at the start of development. The software development process is thus also an integral part of certification. We protect our software but we cannot, of course, take responsibility for operation and IT security at the customer.
Question: Why is ISO 27001 certification so important to PROSTEP? Is it a requirement on the part of the customers?
Bugow: That's right. The certification process has shown that we already had very secure procedures in place, but we need to be able to provide evidence of this to our customers. And to do that, we need the certificate.
Question: Is this a requirement that is being expressed primarily by customers from the automotive industry?
Bugow: As a rule, it is the major carmakers that expect it of us. They want to achieve the same level of security when handling confidential data in the supply chain as they do in their own organization. This extends as far as us having to require our suppliers to adhere to appropriate security guidelines. Certification is still relatively rare for a company of our size and is actually only really necessary because we work with such large customers.
Question: So how many German companies are actually certified according to ISO 27001?
Bugow: In 2012/13 there were no more than 600 certified companies in Germany, which is not many compared with some other countries. But this number is likely to have risen considerably since then, because large companies are increasingly requiring their partners to be certified in order to guarantee IT security.