Bouygues E&S Prozessautomation requested an audit in line with ISO standard 27001 in order to undergo an independent test of the way data and information are handled in the company. The standard sets out the ‘requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.’ Successful certification provides customers and partners with important proof that a company maintains a high security standard when handling data.
But first, the organisation needed to prepare for the certification and project teams had to be formed to focus on relevant areas of action. Based on a security analysis, organisational and technical measures to be implemented had been defined at an earlier stage. These concerned, for example, on-site access restrictions, technical extensions to the network and the development of guidelines and work instructions for employees.
The project team achieved the required documentation of the information security management system using a new software set up in the style of a simple company wiki and containing workflows for tracking specific tasks, among other things. All measures of the ISO standard can therefore clearly be seen and tracked in terms of their implementation and compliance.
The potential vulnerabilities in data security requiring specific measures can be found in all areas, as the security analysis at the start of the project showed. Which areas need to be protected? Which measures need to be taken to achieve the desired outcomes? What expense is needed to achieve appropriate documentation implementation? Preparing for the actual audit took around one year. Finding the right balance between protective measures and expenses incurred was a key task in every step of the process.
During the implementation of technical aspects such as access controls, archiving processes and improvements to network security at the Olten site, the project team was able to draw on support from colleagues from other departments at Bouygues Energies & Services. Alongside colleagues from the Housing Services department, the IT and Quality departments also supported Ursina Schori and her project team with preparing for the audit.
In the end, the audit was carried out over two stages and took around three days. During this time, the project team was required to show the experienced auditors appropriate implementation in the business model of Bouygues E&S Prozessautomation in meticulous detail. The certification in summer 2022 was ultimately the best way to reward an intense year of conscious preparations and internal cooperation. Nevertheless, receiving this certification does not mark the end; this is just the beginning of a new security culture at Bouygues E&S Prozessautomation AG.
