Within its information technology, infra places great value on consistent security. As early as April 2005, basic principles valid for the whole Group were drawn up. With a view to the legally binding certification according to ISO/IEC 27001 and the IT security catalogue (IT-SiKa) for the field of critical infrastructure by 31.01.2018 at the latest, the highest degree of security was to be guaranteed early. With R2C_SECURITY, the software solution for information security management (ISMS) from Schleupen AG, this target was already realised in 2017.
The infra fürth group is a municipal enterprise under private law of the city of Fürth and the legal successor to the Stadtwerke Fürth. Its range of services covers electricity, natural gas, drinking water, district heating and urban transport.
- It supplies around 70,000 customers.
- There are about 400 employees in the team, 15 of them apprentices.
- Turnover in 2016 was 194.7 million euros.
- In 2016 investments of 25 million euros were made.
In the search for a new software solution for information security management (ISMS), the tendering process was based on a decision matrix developed by infra fürth itself, which was applied to several products from various providers. Important criteria were:
- Taking over the risk matrix previously in use
- Revision of the existing data
- Intensive price-performance ratio comparison
With the information security module of the R2C_SECURITY software solution, Schleupen AG offered a product that was as targeted as it was future-proof; the extensive experience in the energy sector and the attractive price-performance ratio were also convincing arguments in deciding on Schleupen AG.
infra fürth dienstleistung gmbh and infra fürth gmbh are together under one roof with infra. The new software solution therefore had to be embedded into the existing certification structure with one certificate holder (infra) and two certification areas, each with a somewhat different certification basis. The previous risk matrix was a good foundation. It formed the specific guidelines and procedures for IT security, serving to implement and operate an information security management system (ISMS). Also taken into account were the requirements of the German IT Security Act (BSIG), which came into force on 25 July 2015 and sets out appropriate guidelines for operators of critical infrastructures.
The demands and expectations placed on the new software solution by those responsible were correspondingly high: the certification of the computer centre, which had been in place since October 2006, had to be coupled with the new binding ISO/IEC 27001 and the IT-SiKa for critical infrastructure, and at the same time this had to be agreed with the certification body.
For certification according to ISO/IEC 27001, the scope of the licence for the previously used ISMS tool would have had to be expanded. After an evaluation of the ISMS tools currently in use, a decision was made at infra in favour of the information security module of the Schleupen software solution R2C_SECURITY. A client structure was built up via the ISMS tool. Taking over the existing data from the previous ISMS tool was not planned, as the changeover was used for a general revision of the relevant data.
As an open standard system, the information security module provides valuable support both for certification according to ISO 27001 and for certification according to BSI IT baseline protection. For information security, various risks are taken into account, such as force majeure, organisational deficiencies, human or technical error, and elemental hazards.
Along with a convincing price-performance ratio, the information security module already stood out in the implementation phase with its striking advantages. These included, among others, the options for shaping and co-development, the adaptation to individual requirements and the multi-client capability. During implementation, the wide-ranging experience of the Schleupen experts in the energy sector was also very helpful.
Around 50 staff on the infra side were involved in the implementation of the information security module. At infra, IT security is a structured and uniform process, followed by the entire group.
During the installation and set-up phase, the infra IT security officers received training from the Schleupen experts. Based on the existing and newly gained knowledge, a catalogue of tests and decision criteria was then created and the individual tools evaluated according to the criteria of this catalogue.
The planned ISO/IEC 27001 certification and the IT-SiKa certification for the critical infrastructure area were achieved ahead of schedule. The ISMS is well accepted in-house across all departments of infra.