Upload File

starting point approach

2
Success Story Setting up an Information Security Management System (ISMS) at SIEMENS AG Using Information Management Security Systems (ISMS) is now a core element of corporate strategies for cybersecurity and other security issues. That is why more and more Siemens AG business units are now opting for the international ISO/IEC 27001 standard. The company’s Corporate Governance department commissioned TÜV TRUST IT to launch an ISO/IEC 27001-based ISMS as an essential foundation for information security within the Siemens Group. SIEMENS AG is a leading global company that is positioned along the electrification value chain – from conversion, distribu- tion and utilisation of energy to medical imaging and in-vitro diagnostics. Active worldwide, the company has a payroll of over 370,000 employees and earned sales revenues of around € 83 billion in financial year 2017. To implement its security strategies Siemens uses the services of external experts as required. The Group’s Corporate Governance department did precisely that when assistance was required to improve the process maturity of the ISO 27001:2013-based ISMS in preparation for certification. In June 2017 Siemens decided in favour of TÜV TRUST IT as its external partner. Starting point The aim of the project was to establish an ISMS at Corporate Governance, one of the Group’s key departments. Special attention was to be paid to the individual ISMS sub-processes document control, auditing and risk management. They were to be designed so that they could be used independently of the department to be protected. A further fundamental requirement added to the complexity. As Siemens has different application areas for its services that each need to be secured by the verifiable implementation of an Information Security Management System a certified ISMS was to be set up in a central department from which the certified sub-processes were to be distributed. The sub- processes were to be mapped in such a way they only needed to be personalised by the requesting business units. Approach ISMS inventories and gap analyses had already been under- taken as part of an in-house preliminary project in various organisational areas of the Group. They included identification and factual evaluation of disparities between the existing ISMS status and a status capable of certification in accordance with ISO/IEC 27001:2013. These findings were taken into considera- tion in the further development of the ISMS. 1/2 – Success Story – SIEMENS Siemens Group ISMS Master certification Information security policy Security risks methodology Document management methodology Audit methodology Compliance A. 18 Templates Templates Templates Templates Templates General requirements ISO 27001 Inspire Siemens Individual requirements ISO 27001 ISMS certificates of Siemens Business Units Scope Definition Stakeholder Definition ISMS development plan

Upload: others

Post on 08-Jan-2022

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Starting point Approach

Success Story

Setting up an Information Security Management System (ISMS) at SIEMENS AGUsing Information Management Security Systems (ISMS) is now a core element of corporate strategies for cybersecurity and other security issues. That is why more and more Siemens AG business units are now opting for the international ISO/IEC 27001 standard. The company’s Corporate Governance department commissioned TÜV TRUST IT to launch an ISO/IEC 27001-based ISMS as an essential foundation for information security within the Siemens Group.

SIEMENS AG is a leading global company that is positioned along the electrifi cation value chain – from conversion, distribu-tion and utilisation of energy to medical imaging and in-vitro diagnostics. Active worldwide, the company has a payroll of over 370,000 employees and earned sales revenues of around € 83 billion in fi nancial year 2017.

To implement its security strategies Siemens uses the services of external experts as required. The Group’s Corporate Governance department did precisely that when assistance was required to improve the process maturity of the ISO 27001:2013-based ISMS in preparation for certifi cation. In June 2017 Siemens decided in favour of TÜV TRUST IT as its external partner.

Starting pointThe aim of the project was to establish an ISMS at Corporate Governance, one of the Group’s key departments. Special attention was to be paid to the individual ISMS sub-processes document control, auditing and risk management. They were to be designed so that they could be used independently of the department to be protected.

A further fundamental requirement added to the complexity. As Siemens has diff erent application areas for its services that each need to be secured by the verifi able implementation of an Information Security Management System a certifi ed ISMS was to be set up in a central department from which the certifi ed sub-processes were to be distributed. The sub-processes were to be mapped in such a way they only needed to be personalised by the requesting business units.

ApproachISMS inventories and gap analyses had already been under-taken as part of an in-house preliminary project in various organisational areas of the Group. They included identifi cation and factual evaluation of disparities between the existing ISMS status and a status capable of certifi cation in accordance with ISO/IEC 27001:2013. These fi ndings were taken into considera-tion in the further development of the ISMS.

1/2 – Success Story – SIEMENS

Success Story

Siemens Group ISMSMaster certifi cation

Information security policy

Security risksmethodology

Documentmanagementmethodology

Auditmethodology

Compliance A. 18

Templates Templates Templates Templates Templates

Generalrequirements

ISO 27001

Inspire Siemens

Individualrequirements

ISO 27001

ISMS certifi cates of Siemens Business Units

Scope Defi nition StakeholderDefi nition

ISMS development plan

Page 2: Starting point Approach

Aft er this detailed research into and evaluation of in-house information security processes they were consolidated and structured using the document templates of the TÜV TRUST IT ISMS framework. Missing relevant methodologies and proofs were drawn up and published in close cooperation with the Siemens project managers. The result was an in-house group ISMS framework that was distributed around the Group in order better to do justice to upcoming certifi cation requirements.

Structured working and creative use of the TÜV TRUST IT ISMS framework made it possible to complete the project within four months and to have the ISMS established at the Corporate Governance department successfully certifi ed by an accredited certifi cation authority.

2/2 – Success Story – SIEMENS

Success StorySuccess Story

Benefi ts

• The central Corporate Governance department now has a certifi cated ISMS with individual sub-processes designed so that other SIEMENS AG business units can use them.

• Certifi cation testifi es that the organisation has a functioning IT security management.

• This IT security system knows the organisation’s risks and can derive rules from them. With its assistance processes can be documented and measured.

• Certifi cation enables SIEMENS AG to prove its quality level objectively and convincingly to its customers and business partners.

TÜV TRUST IT GmbH TÜV AUSTRIA Group

Waltherstraße 49–51 · D-51069 Köln Phone: +49 (0)221 969789 - 0 [email protected]: +49 (0)221 969789 -12 www.it-tuv.com


A Practical Approach to Starting Fission Surface Power ... · A Practical Approach to Starting Fission Surface ... NASA Scientific and Technical ... A Practical Approach to Starting

Proposal for a Technology-Neutral Safety Approach …...depth for different reactor types provide a useful starting point to develop a technology-neutral safety approach. The proposed

Starting Point Brochure

Zalando. The starting point for fashion. · 2019-10-01 · 4 Investment Highlights - The Starting Point for Fashion Our vision is to become the starting point for fashion, the destination

Microservice: starting point

Semantic Blockchain - Starting Point #semanticblockchain

Presentation Background Overarching Strategy Starting Point Approach Injury Prevention Database Results What we learnt along the way Building on experience

Starting Point Environment

A Starting Point for Lean

Headgears: The starting point - SAIMMsaimm.org.za/Conferences/ShaftSinking2009/06b-Khan.pdfDoc Ref .. SF/OM/03 Rev 1 Headgears: The starting point 4. The starting point ¾The end on

WPS-Starting Point Rev1

Review – Finding Our Starting Point

TDD, a starting point

A domain decomposition approach to finite volume … · algorithm for the parallel solution of two-dimensional compressible inviscid flows. The starting point is The starting point

Painting - a starting point

Evangelism: Starting Point (Week One)

Review – Finding Our Starting Point Two components of finding our starting point? Two components of finding our starting point? – Self-examination – Humility

Starting point packaging

The Starting Point…

Starting Point: Junior Management Consultant

c Using an Earth History Approach: r u o A Starting Point ... · A Starting Point Module for Faculty Rebecca Teed and Cathryn A. Manduca, Carleton College ... to teach the foundations

Human rights as a starting point

Web Analytics - The Starting Point WAWDubai

Starting point: Alfred Grotjahn

Zalando. The starting point for fashion. · The starting point for fashion. Roadshow presentation November 2019. Agenda Our vision: The starting point for fashion Platform as key

MODELING THE DECAY IN AN HBIM STARTING FROM 3D POINT ...€¦ · MODELING THE DECAY IN AN HBIM STARTING FROM 3D POINT CLOUDS. A FOLLOWED APPROACH FOR CULTURAL HERITAGE KNOWLEDGE F

Starting Point 2.0

T starting point

My starting point workbook

Mirzakhani's Starting Point Caroline Series

Starting point: Langmuir’s OML theory

STARTING POINT RUBBER COMPOUNDING FORMULATIONS

Starting Point survey results 2011

My Starting Point

Quality Control Starting Point