Lessons learned from ISO 27001 - a case study of ENTERBRAIN Software

CONTENT

• An ISO 27001 case study - ENTERBRAIN relies on certification
• Positive practical experiences with ISO 27001
• Information security as the foundation for success and trust
• Interview with Christian Körner
• Future plans and ISO 27001:2022
• ISO 27001 lessons learned at ENTERBRAIN - Conclusion

An ISO 27001 case study - ENTERBRAIN relies on certification

Based in Offenbach, Germany, ENTERBRAIN Software GmbH is one of the leading fundraising software providers in Europe. The organization's software solutions support non-profit organizations in managing their donations and members. Among other things, these software solutions are used to manage personal data and payment details. The protection of this confidential information as well as its integrity and availability are top priorities for the software provider and its customers - also with regard to legal aspects.

The information security management system, which has been certified in accordance with ISO 27001 since 2019, provides a comprehensive practical framework for this. It ensures the confidentiality, integrity and availability of information - the three protection goals of information security. The established management system defines binding processes, roles and authorizations and systematically reduces information security risks, while at the same time creating trust with customers and business partners.

Positive practical experiences with ISO 27001

Thanks to the active use of the management system and the associated continuous analysis and evaluation of threats, ENTERBRAIN is very well positioned in the area of information security and data protection. There is comprehensive documentation of all objects of protection in the company. In addition to this, applicable guidelines, technical instructions and organizational rules are defined to close security gaps.

The systematic approach creates good transparency about the threats and processes required to close security gaps. Regular awareness training courses sensitize all employees in the company to the enormous importance of information security.

In practice, the management system for information security has already proven its worth many times over. Especially thanks to the regular employee training. In 2020, for example, the spread of a new version of the Emotet* virus was prevented in the organization.

* Emotet = family of computer malware (macro viruses) that are sent by email

Thanks to the early detection of the threat by a service employee, the worst was averted. The new virus variant was not detected by any virus scanner software solution available on the market at the time.

During the incident, ENTERBRAIN received an infected email from a customer, which was initially opened by the employee, who reported the incident immediately. As a result, the emergency team was activated and the incident was dealt with in accordance with the company's security emergency manual. Thanks to the employee's quick and conscientious reaction, the affected computer was isolated and the virus was prevented from spreading in the internal network. An IT forensics company was called in to additionally investigate the virus variant and the network and provide support.

Information security as the foundation for success and trust

For the fundraising software provider and its customers, compliance with regulations is an essential part of business activity. Compliance with data protection and the compliant behavior of all company employees are the basis for trusting cooperation with customers and partners. Due to these requirements, the company is certified in accordance with the internationally recognized ISO 27001 standard for all services offered.

Although full certification for all services is significantly more complex than certification for a single business unit, the higher level of information security pays off for the company. On the one hand, this means that information security management with all its benefits is in place for all business units, and on the other hand, ENTERBRAIN enjoys a competitive advantage over other market players that do not have ISO 27001 certification.

In addition, the topic of compliance is generally gaining in importance, so that many organizations also have requirements for cooperation with an ISO 27001-certified company.

The transparency gained provides the company with an excellent starting point for process optimization to increase customer satisfaction and efficiency within the company. Business-critical processes and areas are also clearly defined and can be made more secure through targeted risk minimization.

Interview with Christian Körner

Head of Operations at ENTERBRAIN Software GmbH

The benefits of an information security management system are one thing. However, for its certification and the associated annual surveillance audits, companies are dependent on cooperation with an accredited certification body. In this interview, Christian Körner talks about his experiences with ISO 27001.

DQS: Mr. Körner, you started out in information security with a system developed specifically for SMEs. When it came to switching to the ISO 27001 standard, a comprehensive upgrade was required - would this approach still be recommended today in view of the massive cyber threat to which SMEs in particular are exposed?

Christian Körner: ENTERBRAIN placed major focus on information security at a very early stage and thus took on a pioneering role. In our industry, information security is the foundation for success and trust. In the course of the accelerated digital transformation, the topic is becoming increasingly important.

Based on our practical experience and the increased cyber threats, we now recommend starting directly with ISO 27001 certification. The valuable thing about the certification process is the discovery of any security risks that can be closed or at least minimized thanks to the transparency gained. This contributes significantly to information security in the company.

DQS: With ISO 27001, you have laid the foundation for a recognized management system - can you still remember the first certification audit with DQS?

Christian Körner : During our first ISO 27001 audit in 2019, everyone in the company was pretty tense. Although we already had experience from the certifications of our first information security management system at the time, ISO 27001 was in a class of its own.

With hindsight, we have to smile a little when we think back to the first ISO 27001 certification. On the one hand, we were already very well prepared for the ISO standard back then; on the other hand, we could only benefit from the certification process as a company, as any nonconformity would have transparently shown us potential for improvement.

After all, our goal is to ensure and increase information security. We therefore always welcome information and recommendations for optimizing our processes. For any organization that is not yet certified, I can only recommend this point. ISO 27001 certification should not be based on the desire for a certificate, but on an understanding of the enormous importance of information security in companies today.

DQS: During the subsequent surveillance audits, did you receive any useful and actionable tips from our auditor regarding potential for improvement?

Christian Körner: For us, the surveillance audits are an important part of certification and ongoing optimization, as the direct exchange with the auditor provides valuable information for implementation in practice, which is a great enrichment for us. At the same time, we have benefited from our auditor's comprehensive IT knowledge and understanding of the system over the last few years. In him, we have an experienced sparring partner who has a good understanding of processes and who keeps our company size in mind.

DQS: You have now successfully completed your first recertification, and you will soon be switching to the new version, that is ISO/IEC 27001:2022 - are you already in contact with DQS about this?

Christian Körner: Yes, we have already been in contact with DQS for several months and are preparing for the changeover. We are also in the process of coordinating a possible "Privacy Information Management System" extension.

DQS: Is there anything that DQS could improve in terms of cooperation?

Christian Körner: We are very satisfied with the cooperation. This is largely due to the experienced auditor, who supports us significantly in the continuous improvement of our system with his assessment.

DQS: Mr. Körner, thank you for the nice conversation and good luck with the transition to the new ISO/IEC 27001:2022!

Future plans and ISO 27001:2022

ISO 27001 is an internationally recognized standard for information security that was first published in English in 2005. The standard was revised in 2013 and was one of the first major ISO management system standards to be converted to the then new High Level Structure, which now makes it much easier to integrate into existing ISO management systems. A further revision was carried out in 2022, which focused on adapting the standard to the latest state of information technology.

ENTERBRAIN does not expect any surprises for the changeover to the new ISO 27001:2022, on the contrary: the company welcomes the revision, as the areas of data protection and cyber security in particular will be strengthened.

The company is currently analyzing the new measures and requirements and comparing them with the company-specific processes and circumstances. An evaluation of the interim results will then be carried out to determine the need for implementation - particularly with regard to the 93 controls in Annex A, some of which are new.

ISO 27001 lessons learned at ENTERBRAIN - Conclusion

The implementation of an information security management system in accordance with ISO 27001 has proven to be a decisive step in strengthening the company's security strategy at ENTERBRAIN. The experience gained with ISO 27001 certification underlines the importance of a holistic approach that includes not only technical but also organizational measures.

The ISO 27001 certification not only improved the security infrastructure, but also significantly increased the trust of its customers and partners. Employees were made more aware of the importance of information security, which led to a culture of security throughout the company. Although the implementation was associated with challenges, the positive effects clearly outweigh the negative ones.

The conclusion from the experience with ISO 27001 is clear: certification is more than just a certificate - it is a continuous process that makes the company more resilient to threats and offers a clear competitive advantage.

Expertise and trust

The holistic, neutral view of our experienced auditors on people, processes, systems and results shows how effective your information security management system is and how it is implemented and controlled. It is important to us that you perceive certification in accordance with the ISO standard not as a test, but as an enrichment for your management system.

Our audits provide you with clarity. Our customers see this as an opportunity. For them, the independent auditor's feedback on improvement potential and possible risks is just as valuable as a DQS certificate as proof of their quality capability. To ensure that this remains the case, we pay strict attention to integrity and objectivity - you can read more about this in our audit philosophy.

In the audit, we specifically ask "why" because we want to understand the reasons why you have chosen a particular way of implementation. We focus on potential for improvement and encourage a change of perspective. In this way, you recognize options for action with which you can continuously improve your management system. Take us at our word.

Please note: Our articles are written exclusively by our standards experts for management systems and long-standing auditors. If you have any questions for the author, please contact us. We look forward to talking to you.