A digitalised building offers great advantages to both users and operators: many processes can be made simpler and more cost-effective, resources such as electricity and water are saved, and the building can be adapted more closely to individual needs. However, such a comprehensive system must be protected end to end so that unauthorised third parties cannot gain access to its information. Alongside encrypted communication between the smart devices, secure processes in the company that operates the technology are just as important. We take a closer look at the need for, implementation of and added value of secure IT.
What is an ISMS?
Every company that works with personal or confidential data should have an Information Security Management System (ISMS). This is a set of rules and processes that ensures the security of the information the company stores and processes. The ISO/IEC 27001 standard was created to standardise the requirements for such systems internationally.
This ISO standard defines the goals of a stable ISMS and sets requirements for its implementation in a company. These include identifying and assessing the risks to relevant data, and introducing processes that minimise those risks and limit the damage in the event of an incident. In addition, information security must be checked continuously so that adjustments can be made quickly when necessary.
IT Security for Intelligent Buildings
For smart buildings in particular, it is essential to take IT security seriously. The intelligent technology controls important processes in the building and must therefore not become a weak point. An audit log in the platform allows all actions to be traced back over a longer period of time. In this way, conspicuous user or system behaviour can be uncovered and misuse or errors can be avoided. For customers in the German public sector, the provider of digital building technology must be certified in order to guarantee that the company's internal processes are secure. Insurance companies also often emphasise the importance of ISO certification for their customers' building technology.
The Certification Process
In any case, certification requires a multi-stage process that usually takes one to one and a half years. It starts with discussions with a consulting or certification firm that helps the applicant become aware of its internal security procedures. When the consulting firm considers the company being assessed ready, the next stage is a formal audit. Here, the ISMS is closely examined, and if it meets the ISO requirements, the certificate is granted.
However, this is not the end of the process. During the certification, the auditors make suggestions for improvement that are to be implemented. After one year, a further check is carried out to see whether the system continues to function and whether the processes are actually followed in practice. If the company also passes this check, the certificate remains valid for a few years and must then be renewed. An ISMS is therefore not a one-time project but a continuous task to which the whole company contributes.
ISO 27001 at Sensorberg
To constantly improve our processes and to win more public-sector customers for digital building technology, Sensorberg has also undergone certification according to ISO 27001. Together with a consulting firm specialising in information security, the process started at the beginning of 2020, and after only three-quarters of a year Sensorberg received the certificate. Along the way, many processes in risk management, mobile device management and the server structure were optimised. The onboarding of team members was also adapted, and members of the management have to present their police clearance certificate to ensure trustworthiness.
The biggest challenge in this process was the enormous amount of work, which nevertheless was completed faster than average. It was also a demanding task to create the personnel capacity for the certification and to coordinate the change management. For this purpose, one employee took on the role of Information Security Officer, who, together with the legally required Data Protection Officer, is now primarily responsible for digital security and data protection. In the end, all hurdles were successfully overcome, so that we can now call ourselves an ISO 27001-certified company.
For all companies that are also thinking about ISO certification or are currently in the process, here are three lessons learned from our experience:
- Provide sufficient capacity – qualified staff and a realistic time frame.
- Do not underestimate the level of detail of the requirements: almost all your processes will be analysed and may need to be adapted.
- You will constantly develop your mindset and your company culture through continuous learning.