Establishment of an Information Security Management System (ISMS) within SIEMENS AG
The use of Information Security Management Systems (ISMS) has become a core element of corporate strategies to protect against cyber threats and other security risks. At SIEMENS AG, more and more business units are therefore relying on the international standard ISO/IEC 27001. The Corporate Governance department commissioned TÜV TRUST IT to implement an ISMS in accordance with ISO/IEC 27001, laying an important foundation for information security within the Siemens Group.
SIEMENS AG is a globally leading company operating along the entire value chain of electrification—from energy conversion, distribution, and application to medical imaging and in-vitro diagnostics. With a global presence, the company employs over 370,000 people and generated revenues of approximately €83 billion in fiscal year 2017.
To implement its security strategies, Siemens draws on external expertise when needed. This was also the case for the Corporate Governance department, which required support to enhance the process maturity of its ISO 27001:2013-based ISMS and to prepare for and accompany the subsequent certification. In June 2017, Siemens selected TÜV TRUST IT as its external partner for this purpose.
Initial situation
The goal of the project was to establish an Information Security Management System (ISMS) within Corporate Governance, one of the core departments of the Siemens Group. Special attention was given to the individual sub-processes of the ISMS—such as document control, auditing, and risk management. These processes were designed in a way that would allow them to be used independently of the specific department being secured.
An additional layer of complexity arose from the fact that Siemens operates across various service domains, each of which must be secured through the demonstrable implementation of an ISMS. To address this, a certified ISMS was to be introduced in a central department, from which the certified sub-processes could be distributed. These sub-processes were to be designed in such a way that the requesting business units would only need to personalize them for their specific needs.
Approach
As part of an internal preliminary project, ISMS assessments and gap analyses were already conducted across various organizational units within the group. This included identifying and professionally evaluating the discrepancies between the existing ISMS and a certifiable state according to ISO/IEC 27001:2013. These insights were incorporated into the further development of the ISMS.
Following this in-depth research and evaluation of the internal information security processes, those processes were consolidated and structured using the ISMS framework templates provided by TÜV TRUST IT.
Relevant methodologies and supporting evidence that were still missing were developed and published in close collaboration with the project leads on the Siemens side. The result was a group-wide ISMS framework, which was rolled out across the company to better meet upcoming certification requirements.
Thanks to a structured approach and the creative use of the TÜV TRUST IT ISMS framework, the project was completed within four months, and the established ISMS within the Corporate Governance department was successfully certified by an accredited certification body.
Your Benefits
- The central Corporate Governance department now has a certified ISMS, with individual sub-processes designed in such a way that they can be reused by other business units within SIEMENS AG.
- The certification confirms that the organization has a functioning IT security management system in place.
- This IT security management system takes the organization’s risks into account and derives rules from them. It enables processes to be documented and measured effectively.
- Through certification, SIEMENS AG can objectively and convincingly demonstrate its level of quality to customers and business partners.