ISO 27001
Certified Security
ISO/IEC 27001 Certificate for Knipp
For us at Knipp, the security of processed data has always been an integral part of our corporate culture.
This applies to all our infrastructures, services and processes from domain registration over custom software development to the data center and the print production. Our comprehensive security concepts and measures have now been certified which is proof of our efficient information security to our costumers and partners. The certification is a rather complex procedure since all departments concerned need to be thoroughly examined – even more so for Knipp, as the ISO 27001 certification was carried out following the so-called full-scope approach and comprises all of Knipp's services, infrastructures and processes.
The following provides background information about ISO 27001 and the implementation of information security standards at Knipp.
ISO Standard or IT-Grundschutz?
There are two different certificates in Germany, namely ISO 27001 and the IT baseline protection (so-called IT-Grundschutz) of the German Federal Office for Information Security.
The newly founded, interdisciplinary certification team at Knipp decided in favor of ISO 27001. One convincing feature, among others, is the flexibility of this international norm which allows the implementation of customised safety solutions.
Knipp's ISMS
ISO 27001 demands the realisation and maintenance of company-specific procedures and requirements for information security in the form of a so-called Information Security Management System (ISMS).
The first step towards an ISMS is an inventory. A work group with representatives from all departments was interviewed in order to identify all business-critical processes. Evaluating and following up on these findings, a group of ISMS responsibles worked out the specifications relevant to ISO 27001.
Risk Analysis
An essential part the ISO 27001 certification is risk analysis. It is therefore necessary to analyze all business-critical processes and all related company values, the so-called assets. Potential threats to information value need to be identified and the systems and processes need to be checked for potential weak points.
Risk Management
The threats that have been identified are evaluated in order to decide upon the risk management strategy. At Knipp, we approach most threats directly through appropriate measures of prevention.
Plan – Do – Check – Act
Risk analysis and management are never-ending processes. All assets, processes, assessments and actions taken need to be constantly reevaluated. Furthermore, the ISMS needs to be constantly adjusted to changing conditions and requirements. Only then can maintenance of information security be ensured.
This is why the ISO 27001 team meets regularly, identifies necessary actions and quickly implements them. In addition to internal tests, the ISMS is also verified by external quality audits.
Security Starts with Awareness
The Information Security Management System is the focal point of evidence of a well-functioning security concept. However, a crucial point for a successful practice is each employee's awareness. Information security and data protection have therefore always been essential values of our corporate culture and are lived by our whole team.
Every Knipp employee was either directly involved in the evolution of the ISMS fundamentals or comprehensively informed about them. Training sessions in small groups of six provided basic information and presented the tools and resources of ISMS. Furthermore, departmental work groups engaged with and decided upon the details of the implementation.
History of the ISO 27001 Standard
The idea of standardised security management in the data processing industry originates in Great Britain.
The first collection of notes, measures and best practice examples was published in form of the British Standard 7799 in 1995. Three years later, an addition described the archetype of an ISMS. In 2002 the PDCA-Cycle (plan – do – check – act) represented the first problem-solving model. Finally in 2005 those guidelines were carried over into ISO/IEC 27001.
