Case study certification:
A1 Telekom Austria “dials in” ISO 27001

  • From Implementation to Certification in 6 Steps
  • Interview with the Information Security Representative of A1 Telekom Austria AG, Mag. Krzysztof Müller


As one of the biggest Austrian service providers, A1 Telekom Austria AG was already certified according to ISO/IEC 27001 for information security in 2005. At that time the certification covered the entire Service & Network Operation (SNO) Division with 1,500 employees, which was responsible for well over one million customers, more than 15,000 users within the company group and strategic IT services such as housing or hosting. In 2012 the certification was extended to the whole company. Mag. Krzysztof Müller, Information Security Representative at A1 Telekom Austria AG, describes the implementation process and the preparation for the certification from the company's point of view, and gives practical hints and suggestions from practice for practice.

 

Austria's biggest service provider with a certificate acc. to ISO 27001: A1 Telekom Austria

 

Step 1: Information Talk
Step 2: Stage Review
Step 3: Analysis
Step 4: Implementation
Step 5: CIS System & Risk Review
Step 6: CIS Certification Audit


A1 Telekom Austria dials in ISO 27001

  • Mag. Müller, what were the motives for establishing an information security management system (ISMS) according to ISO/IEC 27001?

We realized that security was enormously important for our business activities and that we needed a structured procedure for the complex processes in information security. In the technical field, we had very good security solutions. However, organizational issues relating to information security needed to be improved. For example, each business area had a slightly different password policy or different logging rules. The logging rules are very important for ensuring traceability of nonconformities, for avoiding nonconformities and for liability issues. Uniform recording of security incidents in the form of log files in the server area is an important security factor when it comes to avoiding data manipulation or unauthorized access. However, issues such as responsibilities or informing newly recruited employees also needed to be standardized according to a uniform structure.

 

Step 1: Information talk

An initial talk with CIS furnishes details about the certification process. This is followed by registration and project planning.
  • When did the project start?

We started with initial talks with the certification body CIS. There the certification process was discussed and a rough schedule was fixed. Our questions mainly concerned what would be reviewed and which contents of the standard were relevant for our requirements.

  • Did the initial talk already show the way?

Yes. Originally we had planned to have only a small part of the SNO Division certified, as a pilot project. Later we wanted to let the whole SNO Division follow on the basis of the experience gained. However, CIS made it clear to us that it would be more useful and cost-effective to establish an ISMS for the whole Division with 1,500 employees right from the beginning and to have that system certified. Today we feel confirmed in this step. Otherwise it would have been “double” work. Right after this initial talk, we already availed ourselves of a Stage Review, a few weeks before the project start.

 

Step 2: Stage Review

In this voluntary preliminary review, CIS reviews the usefulness of the ISMS elements implemented so far in the project and writes a strengths-and-weaknesses report.
  • What were the reasons for a Stage Review at the project start, and what concrete benefits did it yield?

Beforehand we had studied the guide for implementing information security, ISO 27002, on our own and had also availed ourselves of external consulting to a limited extent. In doing so, we found that the standard leaves a lot of room for interpretation. For example, “adequate risk management” is demanded without going into more detail as to what “adequate” means in practice, which in any case can differ from one company to another, depending on the company-specific security requirements. Therefore, it was important for us to have the state of affairs identified by the certification body. If the auditors who will review the overall system later confirm or correct the course, you cannot be very wrong afterwards. On the whole, it was also necessary to state the requirements of the standard more precisely, specifically for the scope of the certification. After this milestone audit in the company, we received a six-page report, which showed in which areas there was a need for action and where we were already on the right track. We can recommend such a voluntary preliminary review to anybody as a helpful facilitation, because implementing the standard is anything but routine.

  • Was the course significantly corrected because of the Stage Review?

We were able to revise our schedule. Top management wanted rapid implementation taking eleven to twelve months, whereas the IS Representatives would rather have expected 18 months. After this Stage Review, we had a relatively good overview of the tasks that still had to be tackled and could then set the target of achieving certification after eleven months, which was ultimately also achieved.

 

Step 3: Analysis

Evaluation of the information risks and review of the existing security controls, carried out by the company itself. CIS, as an independent inspection and testing body, is not involved in this step.

 

  • How was the topic of risk management implemented at A1 Telekom Austria AG?

Risk management is an abstract topic requiring a new way of thinking. As an engineer you know “yes” or “no”: either something works, or it doesn't. Risks are unclear states: one tries to calculate how likely it is that a certain security incident occurs and thus that a loss can occur. Based on this likelihood, actions for avoiding this incident are taken, and contingency plans are elaborated. The decision to budget such actions is taken on the basis of estimates and assumptions and not on the basis of reality, which is completely measurable. Therefore, the SNO Division elaborated this complex topic in close cooperation with the Staff Office for Risk Management of A1 Telekom Austria AG, where the relevant technical know-how was already available. It was a big challenge to identify and define the risks. In the technical sector, the change management process turned out to be the main focus, because with each new system that goes into operation, failures can be introduced. However, most risks are detected in the course of security audits.

 

Step 4: Implementation

Establishing security controls according to the structure of the ISO 27001 / ISO 27002 standard. CIS, as an independent inspection and testing body, is not involved in this step.
  • Most work was required in the implementation phase: what was the procedure?

The implementation phase took eleven months altogether. A project team spent 2,000 man-hours on it, and 1,500 employees were trained over several months according to the train-the-trainer principle. The trainings are an important issue, because at the certification audit, samples are taken to review whether the employees actually put the system into practice.

 

At the beginning of the implementation phase, the Information Security Policy was written. This policy presents our principles on eight pages altogether. Then the Security Manual, which has 160 pages, was written within a little less than three months. In doing so, we tried to break down the controls of ISO 27002, of which there were about 130 at that time, to practical usability in the SNO Division. This led to more than 40 IS Guidelines, which furnish a set of rules about information security that conforms to the standard. This set of rules covers all the topics relevant to information security, such as

  • behaviour at the workplace
  • network security
  • user management
  • private use of network resources
  • virus and spam protection
  • WLAN

  • Which business areas were involved in the implementation?

The persons responsible for physical security were very important, because ISO 27001 / ISO 27002 also requires physical security, such as access control. Lawyers helped us to write the Security Manual and the instructions it includes in a way that complies with legislation, above all the E-Commerce Act, the Signature Regulation and the Commercial Code. Besides, the management of internal application development was involved because security-relevant rules for programming were also considered in the Security Manual. In order to make it easier to assess risks from the insurance perspective, the insurance experts of A1 Telekom Austria AG were consulted. The HR Department helped to write the guideline for the security aspects of recruiting new employees and of employees leaving.

  • What suggestion can you give on the topic of the Security Manual?

Keep it simple: this means you should not try to regulate everything down to the smallest detail, because the rules in the Security Manual also need to be reviewed for compliance and improved, if necessary. In our first edition, we had also incorporated security recommendations, e.g. that e-mails from unknown senders should not be opened. However, such recommendations cannot be reviewed in reality. In Release 2 of our Manual, we took out all these recommendations and summarized them on one IS Instruction Sheet. Now the guidelines only include hard facts, which can be verified.

  • The Manual presents the desired state. How was the actual state identified?

This required two to three months of hard work from us, because the project team wanted results about the actual state of information security that were as accurate as possible, as a solid basis for implementation. Thus departmental heads and team leaders were interviewed about the individual issues of the Security Manual.
In addition, the technical logs of the systems were used to review the actual state by way of sampling. In this way we could obtain really concrete data, compared against the guidelines of our Security Manual. Therefore, it is useful to write the Manual first.

  • Can you give examples?

Interviewing helped to give the management involved insight into the contents of the ISMS, so that the new system was supported throughout the company. One practical example of reviews is the password policy. Here it was reviewed how often and with what characteristics the passwords were changed. In the field of change management, the processes according to which new software is put into operation were identified. As for organizational issues, it was reviewed what documents were passed on when recruiting new personnel and what authorizations were granted. This procedure was conducted for all hierarchical levels. However, the expenditure paid off, because as the state could be identified so accurately, implementing controls and processes could already be started in parallel. After all, ISO 27001 / ISO 27002 implies the introduction of an improvement process for all key processes.

  • How long did the implementation of the controls take, and what was important in this respect?

On the whole, we needed about five months for implementing all the controls for information security. Of course, this does lead to human friction, because the project had to be handled in addition to ongoing work. The biggest problem is definitely when employees suddenly have to carry out certain processes in a way that is different from what they were used to. In these cases, we always looked for a consensus and took our time for discussions, because the system can only work if the employees are convinced of its usefulness and put the guidelines into action in daily practice. What was also very important in this context was that the controls were approved by top management. Thus it was clearly communicated that there had to be changes.


Step 5: CIS System & Risk Review (preliminary review)

CIS reviews the interpretation of the requirements of the standard as well as the ISMS documentation. Nonconformities and opportunities for improvement are laid down in a short report. Thus the company is prepared for the certification audit in a targeted manner.
  • What significance did the Stage One Audit, the CIS System & Risk Review, have?

This preliminary review took place some weeks before certification. It served as a “dress rehearsal” and was an optimal preparation for the finale. The intermediate report clearly shows where you are and how probable successful certification is. The certification striven for should absolutely be achieved at the first attempt in order to prevent the employees from being demotivated.

 

Step 6: CIS Certification Audit

CIS auditors review the information security management system by multiple sampling at all levels of the organization. A final report shows opportunities for improvement for the future.
  • How did you prepare for the audit, and how did you proceed?

It is advisable to collect all the required documents, such as documentation from the departments, in advance. During the audit, there is no time left for that. It is also important to prepare evidence and examples: when and by whom was the Security Manual released? What evidence is there of the employees' training? On the whole, the auditors specify topics that will be reviewed in more detail. For this purpose, it is necessary to provide interviewees from the operational area. The auditors want to see whether the ISMS is actually put into practice by the persons involved.
In the SNO Division with 1,500 employees, the final audit took one week and covered three locations altogether. In the first part of the audit, the Manual, documentation and evidence were reviewed. It was checked whether the processes were described in conformity with the formal requirements. The second part investigated operational implementation. Here, selected employees were interviewed. Furthermore, employees were interviewed at their workplaces by way of random and unannounced sampling. And finally the server rooms and system engineering were assessed. Here it was reviewed whether technical security equipment, such as strict access control to the server room, actually met the guidelines defined in the Manual.

  • As a final balance: what is the expenditure in daily business once the ISMS has been built up?

Today the additional expenditure is minimal, because technical equipment, such as access control, process technology or system engineering, works automatically. Even the majority of the documentation is provided by technology. In some cases we have also bought management software in order to support certain processes; for example, a monitoring tool for vulnerability management was introduced in order to detect technical vulnerabilities. As for IT administration, there is a slightly increased expenditure for maintaining the processes. For example, the formal processes have to be observed accurately when software is changed. On the other hand, the failure rate is reduced, and ultimately more time is saved by the fact that no system failures occur.
For the “normal” users, life has even become easier, because responsibilities are defined so precisely that the employees know whom to contact. The company also profits externally: in requests for quotation, the certificate for information security acc. to ISO 27001 makes a clear difference compared to competitors.



Overview & Graphic: Certification Process acc. to ISO 27001
CIS - Certification & Information Security Services GmbH T +43 (0)1 532 98 90 office@cis-cert.com
