The decision-making process

In the search for a new software solution for information security management (ISMS), the award procedure was based on a specially developed decision matrix, which was applied to several products from different providers. Important criteria were:

  • Adoption of the previously used risk matrix
  • Revision of the existing data
  • Intensive price-performance comparison

With the information security module, the R2C_SECURITY software solution, Schleupen SE offered a product that was both targeted and future-proof. In addition, the company's extensive experience in the energy sector and the attractive price-performance ratio were convincing arguments in favor of Schleupen SE.

Maximum safety realized at an early stage

Infra attaches great importance to consistent security in its information technology: as early as April 2005, principles valid for the entire group of companies were drawn up. With certification according to ISO/IEC 27001 and the IT security catalog (IT-SiKa) for critical infrastructure legally required by 31.01.2018 at the latest, the aim was to continue guaranteeing the highest level of security, and to do so early. With R2C_SECURITY, the software solution for information security management (ISMS) from Schleupen SE, this goal was already realized in 2017.

The infra fürth group of companies is a municipal company under private law owned by the city of Fürth and the legal successor to Stadtwerke Fürth. Its range of services includes electricity, natural gas, drinking water, district heating and urban transportation.

  • It supplies around 70,000 customers.
  • The team includes almost 400 employees, 15 of whom are trainees.
  • Sales revenue amounted to 194.7 million euros in 2016.
  • Investments amounting to 25 million euros were made in 2016.

The particular challenge

infra fürth dienstleistung gmbh and infra fürth gmbh are located under the infra umbrella. The new software solution therefore had to be embedded in the existing certification structure with one certificate holder (infra) and two certification areas, each with slightly different certification bases. The previous risk matrix was a good basis: it mapped the specific IT security guidelines and procedures that were used to implement and execute an information security management system (ISMS). The features of the IT Security Act (BSIG), which came into force on July 25, 2015 and provides operators of critical infrastructures with corresponding guidelines, were also taken into account.

The requirements and expectations of the new software solution were correspondingly high for those responsible at infra: the aim was to link the data center's certification, which had been in place since October 2006, with the new mandatory ISO/IEC 27001 certification and the IT-SiKa of the critical infrastructure, while at the same time coordinating this with the certification body.

The implementation

For certification in accordance with ISO/IEC 27001, the license scope of the previously used ISMS tool would have had to be extended. After evaluating the most common ISMS tools, infra therefore opted for the information security module of the R2C_SECURITY software solution from Schleupen. A client structure was set up using the ISMS tool. There were no plans to transfer the existing data from the previous ISMS tool, as the changeover was used for a general revision of the relevant data.

As an open-standard system, the information security module provides valuable support for both ISO 27001 certification and BSI IT baseline protection certification. Information security takes into account various risks such as force majeure, organizational deficiencies, human or technical failure and elementary hazards.

In addition to a convincing price-performance ratio, the information security module already scored points during the implementation phase thanks to its striking advantages: These included its malleability and co-development options, adaptation to individual requirements and multi-client capability. The extensive experience of Schleupen's experts in the energy sector was also very helpful during implementation.

The process flow

Around 50 infra employees were involved in the implementation of the information security module. At infra, IT security is a structured and standardized process that is practiced throughout the entire group of companies.

During the installation and set-up phase, infra's IT security officers received on-site training from Schleupen experts. Based on the existing and newly acquired knowledge, a test and decision catalog was then created and the individual tools were assessed according to its criteria.

The successes

The planned certification in accordance with ISO/IEC 27001 and the IT-SiKa for critical infrastructure was achieved early on. Acceptance of the ISMS at infra is good across all areas.