Secure Your Business

case study:
ISO 27001 in miDsized enterprises 

  • Risk management, people awareness, utilizing synergies
  • A strong signal for confidence and an asset in competition

The market speaks a clear language: Evidence of information security is explicitly being required by more and more customers. The way how the International Security Standard ISO 27001 can be implemented efficiently in medium-sized enterprises is shown by two case studies: Fabasoft and POOL4TOOL were successfully certified acc. to ISO 27001 and report about their way from implementation to certification. ISO 27001 can be used independently from the size. Risk analysis helps to show the specific need for action. Thus smaller and medium-sized enterprises profit from a lean effective system. 


people_istockphoto Photomorphic


 Evidence of information security is explicitly being required by more and more customers.



Interview with Fabasoft Group – 200 employees
Interview with POOL4TOOL – 80 employees 




Mrs. Moser, what were the motives for establishing information security acc. to ISO 27001?


“As a service provider, we keep sensitive and business relevant data of customers. This data needs to be protected – demonstrably, by means of certification. Confidential paper can be stored in the safe. As for complex data protection with digital, analog and mental information – which is saved centrally, locally, in a mobile manner and in the employees’ heads – ISO 27001 acts like a safe. An effective system with a structure and control mechanisms. The Certificate also is an important basis for our services in the area of Cloud Computing and Software-as-a-Service /SaaS.“

  • What area of the company has been certified?

“The headquarters in Linz has been certified. It is thought about extending certification acc. to ISO 27001 to other locations. In addition to our ISO 27001 Certificate since 2008, our products Fabasoft Folio Cloud and Fabasoft Folio SaaS are certified acc. to ISO 20000 for IT service management. Both standards refer to IT security and are most effective, when they are combined.“

  • What competitive advantages can you draw from the Certificate?

“As ISO 27001 is an acknowledged standard for information security we show our customers that the security of their data is most important for us. We give a sign and present the ISO 27001 Certificate on our homepage, on customer events and enclose it at requests for quotation. Thanks to its profound expert knowledge, CIS as a Certification Body has a good reputation.”

  • Were defined processes in place, or was this step of establishing a management system new territory?

“We are certified acc. to ISO 9001 throughout the company group and therefore were able to integrate ISO 27001 and ISO 20000. Even the essential IT and security processes had

already been defined. We had largely already lived according to the requirements placed by ISO 27001. Therefore, it was a logical step to make this visible by means of certification. We could implement the overall system without a consultant within eight months.”

  • What were the items that still had to be elaborated?

“Documentation and the Manual were refined. An exciting aspect was people awareness. In this respect, we can state that our Managing Board acts as a role model by being highly enthusiastic and committed in terms of this topic. New employees go through our Academy, where information security has become a fixed part. Furthermore, an internal security guideline was sent to the employees in a newsletter. This has strongly triggered discussions. This kind of mouth-to-mouth propaganda has helped us to raise awareness. 

  • How have you implemented risk management acc. to ISO 27001?

“The big challenge was to compile risks and measures. It was a matter of systematically acquiring the “puzzle parts”. This gave us a valuable overall view and made us confident we would not overlook any risk and take along any doublets. The following has proved to be a useful process for creation: recording risks in writing, discussing them and making a choice; only then defining measures; this helps to prevent the system from being overloaded.”

  • What method have you used for risk analysis?

“The qualitative method ALARP. This method has convinced us because of its simple approach. In the formula ‘Likelihood of occurrence x Effect = Risk’, no monetary values are used (which would be difficult in case of damages to the image), but “school grades”. The results will be represented graphically as a matrix according to the traffic-light system red-green-yellow. In order to be able to measure the effectiveness of the actions, we have directly linked our strategic system of indicators with risk management.”

  • Do you have a suggestion for implementing ISO 27001?

“Thinking about time buffers and going back one step again and again in order to have a look at the system as a whole. The tightrope walk is as follows: as much as necessary, as little as possible. An overloaded system won’t be translated into practice. The system must be lean and efficient.”




Mr. Rösch, what were the motives for establishing information security acc. to ISO 27001?


“For us as a provider of web based rental software, information security is a business need and not only highly topical in the automotive industry. One of our customers, a big subsupplier, explicitly required certification acc. to ISO 27001 from us – in a foresighted manner while the customer himself was still heading for implementation.”

  • Were defined processes in place, or was this step new territory?

“Implementation was easier and faster than expected. This was particularly due to the fact that we already had processes conforming to SOX because of our business relations with a company listed on the US Stock Exchange. The contents of the requirements placed by ISO 27001 and Sarbanes Oxley overlap. Therefore, we could directly build implementation of ISO 27001 upon the processes already defined.”

  • What strategy have you pursued for implementation and certification?

“For efficiently implementing the standard, we have availed of the services provided by a consultant. We conducted important steps such as analysis of the processes, revision of documentation, risk analysis as well as classification of documents with external help. This has enabled us to cope with implementation within six month

. The whole location in Vienna with software development, support and administration was certified. For preparing for the Certification Audit, we availed of a Stage Review made by CIS. Obtaining certification right at the first attempt is extremely important for motivating the employees who are to durably ‘live according’ to this system.”

  • What internal benefits does the company draw from ISO 27001?

“Complete documentation of all processes creates transparency for the whole company. Thus critical questions, such as the way to handle leaving of employees, are clearly regulated. The Incident and Change Management within ISO 27001 has helped us to improve our support processes and optimize all the workflows behind as well as the use of trouble tickets. Thus we profit from the increased efficiency and the clear processes. Our customers feel this because the response and cycle times are shorter when processing requests. Therefore, it also was important to us to seal the introduction of ISO 27001 with a Certificate in order to make internal optimization of our processes visible even to our customers.”

  • And the advantages over the competitors?

“Standardized processes that are recognized and reviewed by the independent Certification Body CIS are a concrete competitive advantage on the market: In the last year, our customers’ demand for certification acc. to 27001 increased significantly. The Certificate gives our customers the certainty to have a reliable partner.”

  • How have you implemented risk management acc. to ISO 27001?

“The field of risk management was a new territory for us. Therefore, we implemented this aspect by using a consultant as a coach. The priorities were contractual issues, issues relating to liability and other legal issues. For failure proofness was already covered by the SOX requirements.”

  • Is certification acc. to ISO 20000 planned as well?

“Yes, this is being planned, namely as an integrated system with ISO 27001 so that synergies

up to combined audits can be utilized at operation. POOL4TOOL already models processes conforming to ITIL by means of its own Ticketing Module. ISO 20000 makes it possible to demonstrate conformity to ITIL by means of a Certificate. Therefore, we are striving for certification acc. to ISO 20000 – still another competitive edge in the international trade rivalry.”

CIS - Certification & Information Security Services GmbH T +43 (0)1 532 98 90 office@cis-cert.com