atrify is ISO certified - our way to ISMS@atrify

28 Feb 2020

atrify has successfully achieved ISO/IEC 27001:2013 certification and adapted the implementation of an Information Security Management System (ISMS for short) to atrify.

We offer our customers simple, secure, reliable and hassle-free management of product content through our cloud-based platform. This requires our processes and the technology we use to have a high level of quality and information security.

ISO/IEC 27001:2013
The internationally recognised standard for information security.

ISO/IEC 27001:2013 is the standard that specifies the framework conditions for the secure operation of an Information Security Management System (ISMS for short). An information security management system defines rules and methods to ensure information security in a company. With an ISO certification according to ISO/IEC 27001:2013, we can guarantee our customers state-of-the-art information security.

The reliability of company-related information processing is of strategic importance for secure business transactions and forms the basis of many decision-making processes. It is essential to protect the information in atrify's sphere of responsibility. Here we generally protect against unacceptable and improper use, misuse, disclosure, alteration, loss and destruction, and pursue the objective of ensuring sufficient availability of information and information processing equipment such as servers.

Secure and responsible handling of data is our core business
Secure and responsible handling of data is our core business and a particular sensitivity in handling information is essential in our daily business.
For this reason, atrify has decided to certify this approach and has established an Information Security Management System (ISMS) in accordance with the international standard ISO/IEC 27001:2013.  

Our path to ISMS
atrify, formerly 1WorldSync, had already been using an existing ISMS for several years.
In the course of re-establishing atrify, the company management asked me whether I would like to take on the role of Chief Information Security Officer (CISO), adapt the ISMS to atrify and, above all, align it with the agile corporate philosophy. Information security has always interested me as head of our internal IT department, and I have worked with my team for many years to ensure that appropriate ISMS processes are adhered to exactly. With the confidence placed in me to build an "atrify-like" ISMS, I gladly accepted the challenge.

atrify ISMS scope
An information security management system that manages all customer information under the control or ownership of atrify GmbH and hosted in atrify facilities. The scope of the ISMS includes the facilities, technologies and processes used by atrify GmbH in its European facilities to process, manage and deliver product content to its international customers. In addition, the scope is defined to take into account the external and internal context of the organisation, the requirements of interested parties, such as customers and regulators, and the boundaries with third parties.

ISMS milestones
Before things really got going, I underwent extensive training and sought external support. It was important for me to find a company whose ideas for operating an ISMS were as close as possible to ours. We made a gap analysis of the existing documentation and processes and, based on this, we created the necessary milestones to create a certifiable ISMS. ISMS milestones:

  1. Definition of the context
  2. ISMS leadership
  3. Planning the ISMS
  4. ISMS support
  5. ISMS operation
  6. Performance assessment
  7. Improvements
  8. Implementation of measures up until ISO certification

Audits
For the initial certification according to ISO/IEC 27001, two audit stages are necessary. In audit stage 1, checks are made to see whether the existing ISMS is certifiable and whether we are approved for audit stage 2. In audit stage 2, checks are then made to verify whether the company's own guidelines are being observed and applied.

We successfully completed audit stage 1 in December 2019. Our ISMS was recognised as certifiable. Audit stage 2 was carried out in mid-January 2020. Over three days, interviews were conducted with atrify employees from various departments and the Cologne site was inspected. As a result, we received positive feedback on our ISMS.

Done: atrify is ISO/IEC 27001:2013 certified
Subsequently, the certification recommendation including all relevant documents was forwarded to the German Accreditation Body (DAkkS).

I believe that we have adapted the ISMS very well to our new organisation. We have created a very, very solid basis which we are now building on and which we are constantly improving, in line with our agile organisation. For me personally, the project was a complete success. I am sure that information security at atrify will be followed to the highest standards on an ongoing basis.

Update 2022:
We have also been ISO/IEC 27001:2013 certified in 2022.

Download for the current certificates in German and English.

 

Benjamin Herzog


Benjamin has been an integral part of the atrify family since the beginning of 2014, where he holds the roles of Chief Information Security Officer and Director Internal IT & Security. He and his team ensure a competitive IT infrastructure and the organizational and technical implementation of measures to secure customer and internal information.
