Five ISMS questions for our ISO: honest answers about certifications, tools, and requirements

Many companies talk about information security, but hardly anyone talks about the reality behind it or dares to really tackle it. Gregor, our internal information security officer (ISO), is different. He tells us how it really is: what works, what’s annoying, what’s underestimated, and why an ISMS isn’t just a mandatory program, but something that should be lived. In this interview, we asked him five questions. His answers are here.

Who is Gregor and why is he our ISO?

Gregor Leiner

Gregor isn’t someone who just talks about information security—he lives it. With over 15 years of experience in IT infrastructure, project management, and international transformation work, he brings the expertise and composure needed in this sensitive area. As a certified CISSP, ISO27001 Practitioner, and ITILv4 professional, he knows the standards not only from textbooks but also from practical experience, from implementation to audit support.

Gregor is our internal information security officer because he sees the big picture without losing sight of the details.

And as you can see, he always keeps his GOALS in mind 😎.

Five questions and answers for the man who knows

1. Many companies seek certification in order to comply with legal obligations (e.g., KRITIS, DORA, etc.) or customer requirements (e.g., in tenders). Is that the real purpose?

Answer:

“That is the legal or commercial sense and certainly a valid trigger. But it is not the real meaning behind it. If an ISMS is only introduced to fulfill obligations, it will remain at this level: there is hardly any real added value because many processes only exist on paper but are not effectively implemented. This leads to high costs without any significant improvement in security. Instead, companies should ask themselves: ‘Do I want to work securely and be prepared for incidents through internal processes and response mechanisms?’ And then: ‘Do I want to reinvent the wheel or rely on proven regulations, with the side effect of also positioning myself on the market through certification?’ That’s my assessment.”


2. Yes, but what difference does it make? Ultimately, it’s the same thing, isn’t it?

Answer:

“No. And I’m not saying that out of a sense of duty as an ISO 😉, but based on my observations and personal experience. However, I only really became aware of this when, during an audit, the auditor asked me not only about the risks, but also about the opportunities that arise from an ISMS. In other words, the opportunities that arise for the company in connection with the introduction of the ISMS. Here are a few examples:

    • Better definition of responsibilities within the company through the required role descriptions
    • Increased quality in work products through the required avoidance of conflicts of interest (e.g., requester, tester, approver)
    • Structure in document storage for controlled access authorization… finally, you can find the documents again!
    • Defined processes… finally, everyone knows what to do, when, and how!

These examples alone demonstrate the added value. If an ISMS is merely implemented to fulfill a requirement, it results in effort without any real benefit. And there are many more examples. In the first question, I mentioned that implementing an ISMS (legal or commercial) to fulfill a requirement leads to costs without added value because the requirements are fulfilled purely as additional obligations.

Here’s the difference:

If the purpose of the requirements is understood and integrated into the company’s processes in a targeted manner, then not only is passing the audits a piece of cake, but it also brings significant added value in other areas. For example, through cost savings, greater efficiency, and higher profits.”


3. Many people talk about implementing ISMS, but how do you actually live by it afterwards?

Answer:

“Good point, and it’s great to get a question along these lines! To be honest, it feels very good to have passed an audit and to be able to hold the certification as a reward for all the effort involved. And yes, it really does take a lot of effort to implement the ISMS in such a way that the requirements described above can be integrated into the company’s processes and make sense for the company.

Once implemented, however, the goal has not yet been achieved; rather, the foundation has merely been laid. The processes must then be further refined and rounded out. The effort involved in the ISMS processes should be reduced so that they can be sustained and implemented in the long term alongside day-to-day business.

    • On the one hand: continuous improvement.
    • On the other hand: contributing practical experience and making it feasible.

Here, too, it is exciting to see when you succeed in implementing the standards and still manage to cope with day-to-day business.”


4. Did you use a tool to implement the ISMS? Is it possible to do without one?

Answer:

“We started without a tool, and that was sufficient for the first year. After that, we realized that the processes were very personnel-dependent and relied on manual initiative and individual knowledge. This is a hindrance when project workloads are high or staff are absent.

It is possible to work with Excel lists, but if you don’t take the time to edit the Excel files, you can’t see what needs to be done. In addition, tasks arose from various Excel documents, and you had to check several Excel lists for tasks.

In an ISMS, there are many recurring review tasks. These can be mapped very well in a tool, and notifications or reminders can be sent to the assigned person. This way, the ISMS continues to be maintained, even if the ISB is currently unable to take responsibility.

During my absences, I was able to rely on automated notifications for recurring tasks and on the fact that the colleagues involved were informed about the tasks assigned to them. I was able to concentrate on other tasks and also came back from vacation feeling more relaxed 😊.

In our case, the one-time effort of transferring the existing ISMS to a tool was really worth it.”


5. What was the most difficult moment in the entire ISMS process?

Answer:

“Definitely the first certification audit! I felt very well prepared, but the auditor quickly managed to identify potential or actual deviations by asking specific questions.

Despite weeks of careful work, uncertainty suddenly arose: Will we really make it? What else is ‘not good enough’? Will our ISMS stand up to the audit?

All these questions are only answered at the end of the audit. It is the first real point of contact with the real world of certification. Every question that is answered correctly fuels hope, every tricky question fuels uncertainty. During this time, I try to get to know my counterpart better: What makes the auditor tick? What is important to them? How can I answer more effectively? How can I prepare even better for the next audit?

Then finally, the final meeting with all the results, AND a positive outcome. We did it! Goal achieved. Measures defined and implemented. Certification has finally been achieved.”

Conclusion

An ISMS can be a real game changer if you approach it the right way. Gregor has shown that it’s not about hanging a certificate on the wall, but about a new way of thinking within the company. Sure, the path to get there isn’t always easy, BUT it’s worth it. Not just for the auditors, but for your own everyday work. No chaos, lots of clarity, better collaboration! And when, as the ISO, you can switch off on vacation without a second thought, then you know:

You have implemented a goal-oriented and sustainable ISMS and have a strong, trustworthy team at your side 🚀.


Checking the fire extinguishers is also part of this!
