The Virtual Engineering department is particularly careful when handling information and now there is something in writing to prove this: it has become the first department at MANN+HUMMEL to achieve ISO/IEC 27001:2013 certification. I spoke to project manager Marcus Duhnke, CISO, Dr Gunnar-Marcel Klein, Vice President of Engineering for Filter Elements and Jürgen Lang, Director of the Engineering Network, about what achieving the standard means and why it is so important for MANN+HUMMEL.
If my understanding is correct, the certification does not discuss firewalls and anti-virus software. What does it cover?
Duhnke: It goes without saying that we secure our data using the latest technology, but this certification does not actually have anything to do with viruses or hacking. It is a leading international standard that outlines how to implement, monitor and improve an information security management system. It also outlines how we handle data and information, i.e. whether and how we can ensure that these are handled confidentially, that they cannot be changed for illegitimate reasons (i.e. their integrity remains intact) and also how we can ensure that they are made available to the users needing them. The processes that exist within the company must guarantee this – and most importantly our employees must use these processes correctly.
How does this work in practice?
Dr Klein: As an example, if a customer wants us to develop a new filter system for a new model, they will provide us with the confidential data needed to carry out this order. Our information security management system guarantees firstly that the only employees who can access this data will be those given the authorisation to do so. These employees will then work with this information. New data will of course emerge during the development process and this data will keep changing. In this case, we ensure that data can only be updated by individuals with the authorisation to do so and also document every step of the change process. Lastly, we ensure that all of this data is available at our development sites around the world. This requires advanced IT systems, as well as clear instructions for employees on how to handle the data.
So why was the Virtual Engineering department chosen for this?
Lang: The data handled by the department is highly sensitive, and includes strictly confidential customer data as well as our development know-how in its entirety, such as new inventions, test reports and technical drawings. That’s why it made sense to introduce the new certification there first of all.
We’ve always had high standards though, haven’t we? Why did we need this new certification?
Dr Klein: It’s fair to say that our 1000 or so development employees already had a high level of awareness of information security. That said, the market (in other words our customers) demands internationally comparable standards so as to be able to judge who really is a safe pair of hands. ISO/IEC 27001:2013 is the latest standard in this particular field. MANN+HUMMEL actually works in a similar way itself and our suppliers also have to prove they are suitably certified, depending on the field.
What work was needed to obtain the certification?
Lang: It became apparent that we already have a really good set-up in this respect. No major changes were needed to content, so our efforts were focused on the documentation of processes. We conducted a risk analysis on all existing processes and reformulated any rules that were not entirely clear or could be misunderstood to make them unambiguous. We also outlined clear responsibilities and obviously took any adjoining processes into account. As a result of all these efforts, we achieved the certification without one single deviation from the standard.
What do you mean by adjoining processes?
Duhnke: Our developers do not work as stand-alone units. Other company areas such as purchasing, sales, prototype construction, quality assurance and many others all play a role in product development at some point or other. The employees from these areas will at some point need access to certain data and for this reason need to be familiar with the rules.
Is there a plan to certify other departments according to the new standard?
Duhnke: After having one important area for the development process in our focus, the next logical step will be to certify general IT. This is a cornerstone of many functions within our company and, as such, we also want to certify it and thus prove that it meets the highest of standards.