Information security is a must today - as evidenced by the daily news of cybercriminal attacks on organizations of all sizes and in all industries. Small and medium-sized enterprises in particular, but also many large companies, still do not have suitable protection for sensitive data and information against unauthorized access. The software service provider ENTERBRAIN is a good example of the successful implementation and application of an effective information security management system. Read the interview with Christian Körner, Head of Operations, and the ISO 27001 case study.

An ISO 27001 case study - ENTERBRAIN relies on certification

Based in Offenbach, Germany, ENTERBRAIN Software GmbH is one of the leading fundraising software providers in Europe. The organization's software solutions support non-profit organizations in managing their donations and members. Among other things, these software solutions are used to manage personal data and payment details. The protection of this confidential information as well as its integrity and availability are top priorities for the software provider and its customers - also with regard to legal aspects.

The information security management system, which has been certified in accordance with ISO 27001 since 2019, provides a comprehensive practical framework for this. It ensures the confidentiality, integrity and availability of information - the three protection goals of information security. The established management system defines binding processes, roles and authorizations and systematically reduces information security risks, while at the same time creating trust with customers and business partners.

Positive practical experiences with ISO 27001

Thanks to the active use of the management system and the associated continuous analysis and evaluation of threats, ENTERBRAIN is very well positioned in the area of information security and data protection. There is comprehensive documentation of all objects of protection in the company. In addition to this, applicable guidelines, technical instructions and organizational rules are defined to close security gaps.

The systematic approach creates good transparency about the threats and processes required to close security gaps. Regular awareness training courses sensitize all employees in the company to the enormous importance of information security.

In practice, the management system for information security has already proven its worth many times over, not least thanks to the regular employee training. In 2020, for example, the spread of a new Emotet* variant was stopped within the organization.

* Emotet = a family of malware that is typically delivered by e-mail as Office attachments whose macros fetch and install the actual payload

Thanks to the early detection of the threat by a service employee, the worst was averted. At the time, the new variant was not yet detected by any virus scanner available on the market.

During the incident, ENTERBRAIN received an infected e-mail from a customer. The employee who opened it reported the incident immediately, whereupon the emergency team was activated and the incident was handled in accordance with the company's security emergency manual. Thanks to the employee's quick and conscientious reaction, the affected computer was isolated and the malware was prevented from spreading in the internal network. An IT forensics company was called in to investigate the variant and the network and to provide support.
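The incident above turned on a person noticing a suspicious attachment before any scanner did. A complementary technical check that a mail gateway can apply without signatures is to classify attachments by content rather than by file name: OOXML documents (.docm, .xlsm, but also files renamed to .doc or .pdf) are zip archives, and a VBA project is stored inside them as vbaProject.bin; legacy binary Office files start with the OLE compound-file magic and deserve a closer look with a dedicated parser. The following Python is an added example written for this page, not ENTERBRAIN's or DQS's own tooling; the sample e-mail and the placeholder "macro" document are constructed inline, and the sender/recipient addresses are invented.

```python
"""Flag inbound e-mail attachments that can carry VBA macros (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes of the two container formats Office documents come in.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsm/...)


def has_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML zip that contains a VBA project.

    The check ignores the file name on purpose: Emotet-style lures often
    carry a .docm payload under an innocuous name.
    """
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # truncated or fake zip: cannot contain a readable project


def classify_attachment(data: bytes) -> str:
    """'macro' = OOXML with VBA, 'legacy-ole' = binary Office file that needs
    an OLE parser (e.g. olefile/oletools) to inspect, 'clean' = neither."""
    if has_vba_project(data):
        return "macro"
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    return "clean"


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, verdict) for every attachment that is not 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        verdict = classify_attachment(payload)
        if verdict != "clean":
            findings.append((name, verdict))
    return findings


# --- constructed sample data for a stand-alone run ---------------------------

def build_sample_docm() -> bytes:
    """Minimal zip with the layout of a macro-enabled Word file.
    The vbaProject.bin content is a placeholder, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_email(attachment_name: str, attachment: bytes) -> bytes:
    """Constructed inbound message; addresses are invented."""
    msg = EmailMessage()
    msg["From"] = "accounting@customer.example"
    msg["To"] = "service@vendor.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # A .docm renamed to .doc is still caught because the content is inspected.
    raw = build_sample_email("invoice.doc", build_sample_docm())
    for name, verdict in scan_message(raw):
        print(f"quarantine: {name} ({verdict})")
```

A gateway would quarantine "macro" verdicts outright and route "legacy-ole" files to a sandbox or an OLE-aware scanner; neither verdict depends on the sender being known, which matters here because the infected mail came from a legitimate customer.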


Our ISO 27001 certification provides effective protection for our information, data and business processes. At the same time, the analysis and evaluation of all business processes and objects of protection creates transparency in these company-relevant areas.

Christian Körner Head of Operations at ENTERBRAIN Software GmbH

Information security as the foundation for success and trust

For the fundraising software provider and its customers, compliance with regulations is an essential part of business activity. Compliance with data protection and the compliant behavior of all company employees are the basis for trusting cooperation with customers and partners. Due to these requirements, the company is certified in accordance with the internationally recognized ISO 27001 standard for all services offered.

Although full certification for all services is significantly more complex than certification for a single business unit, the higher level of information security pays off for the company. On the one hand, this means that information security management with all its benefits is in place for all business units, and on the other hand, ENTERBRAIN enjoys a competitive advantage over other market players that do not have ISO 27001 certification.

In addition, compliance is generally gaining in importance, so that many organizations now require their partners and suppliers to be ISO 27001-certified.

The transparency gained provides the company with an excellent starting point for process optimization to increase customer satisfaction and efficiency within the company. Business-critical processes and areas are also clearly defined and can be made more secure through targeted risk minimization.


Interview with Christian Körner

Head of Operations at ENTERBRAIN Software GmbH

The benefits of an information security management system are one thing. However, for its certification and the associated annual surveillance audits, companies are dependent on cooperation with an accredited certification body. In this interview, Christian Körner talks about his experiences with ISO 27001.

DQS: Mr. Körner, you started out in information security with a system developed specifically for SMEs. When it came to switching to the ISO 27001 standard, a comprehensive upgrade was required - would this approach still be recommended today in view of the massive cyber threat to which SMEs in particular are exposed?

Christian Körner: ENTERBRAIN placed major focus on information security at a very early stage and thus took on a pioneering role. In our industry, information security is the foundation for success and trust. In the course of the accelerated digital transformation, the topic is becoming increasingly important.

Based on our practical experience and the increased cyber threats, we now recommend starting directly with ISO 27001 certification. The valuable thing about the certification process is the discovery of any security risks that can be closed or at least minimized thanks to the transparency gained. This contributes significantly to information security in the company.

DQS: With ISO 27001, you have laid the foundation for a recognized management system - can you still remember the first certification audit with DQS?

Christian Körner: During our first ISO 27001 audit in 2019, everyone in the company was pretty tense. Although we already had experience from the certifications of our first information security management system at the time, ISO 27001 was in a class of its own.

With hindsight, we have to smile a little when we think back to the first ISO 27001 certification. On the one hand, we were already very well prepared for the ISO standard back then; on the other hand, we could only benefit from the certification process as a company, as any nonconformity would have transparently shown us potential for improvement.

After all, our goal is to ensure and increase information security. We therefore always welcome information and recommendations for optimizing our processes. For any organization that is not yet certified, I can only recommend this point. ISO 27001 certification should not be based on the desire for a certificate, but on an understanding of the enormous importance of information security in companies today.

DQS: During the subsequent surveillance audits, did you receive any useful and actionable tips from our auditor regarding potential for improvement?

Christian Körner: For us, the surveillance audits are an important part of certification and ongoing optimization, as the direct exchange with the auditor provides valuable information for implementation in practice, which is a great enrichment for us. At the same time, we have benefited from our auditor's comprehensive IT knowledge and understanding of the system over the last few years. In him, we have an experienced sparring partner who has a good understanding of processes and who keeps our company size in mind.

DQS: You have now successfully completed your first recertification, and you will soon be switching to the new version, that is ISO/IEC 27001:2022 - are you already in contact with DQS about this?

Christian Körner: Yes, we have already been in contact with DQS for several months and are preparing for the changeover. We are also in the process of coordinating a possible "Privacy Information Management System" extension.

DQS: Is there anything that DQS could improve in terms of cooperation?

Christian Körner: We are very satisfied with the cooperation. This is largely due to the experienced auditor, who supports us significantly in the continuous improvement of our system with his assessment.

DQS: Mr. Körner, thank you for the nice conversation and good luck with the transition to the new ISO/IEC 27001:2022!

Future plans and ISO 27001:2022

ISO 27001 is an internationally recognized standard for information security that was first published in English in 2005. The standard was revised in 2013 and was one of the first major ISO management system standards to be converted to the then new High Level Structure, which now makes it much easier to integrate into existing ISO management systems. A further revision was carried out in 2022, which focused on adapting the standard to the current state of information technology; among other things, Annex A was restructured into 93 controls in four themes (organizational, people, physical and technological), in line with the revised ISO/IEC 27002:2022.

ENTERBRAIN does not expect any surprises for the changeover to the new ISO 27001:2022, on the contrary: the company welcomes the revision, as the areas of data protection and cyber security in particular will be strengthened.

The company is currently analyzing the new measures and requirements and comparing them with the company-specific processes and circumstances. An evaluation of the interim results will then be carried out to determine the need for implementation - particularly with regard to the 93 controls in Annex A, 11 of which are new.


ISO 27001 lessons learned at ENTERBRAIN - Conclusion

The implementation of an information security management system in accordance with ISO 27001 has proven to be a decisive step in strengthening the company's security strategy at ENTERBRAIN. The experience gained with ISO 27001 certification underlines the importance of a holistic approach that includes not only technical but also organizational measures.

The ISO 27001 certification not only improved the security infrastructure, but also significantly increased the trust of customers and partners. Employees were made more aware of the importance of information security, which led to a culture of security throughout the company. Although the implementation was associated with challenges, the positive effects clearly outweigh the effort.

The conclusion from the experience with ISO 27001 is clear: certification is more than just a certificate - it is a continuous process that makes the company more resilient to threats and offers a clear competitive advantage.

ENTERBRAIN Software GmbH: Figures, data, facts

ENTERBRAIN provides non-profit organizations with software solutions for mapping their core processes. The core solution Brain 2.0, developed in-house, optimizes fundraising activities and also serves as a central CRM and ERP system for donation organizations (CRM = Customer Relationship Management, ERP = Enterprise Resource Planning). The browser-based solution "Enterweb" and the online donation tool "Enterdonate" complement the product portfolio with innovative web solutions.

  • Founded in 1992
  • Management: Michael Charbonnier (innovation) and Christian Körner (operations)
  • Number of employees: 17
  • Used by over 300 non-profit organizations
  • Volume of donations managed via the software solutions > 300 million euros per year

www.enterbrain.gmbh

Expertise and trust

The holistic, neutral view of our experienced auditors on people, processes, systems and results shows how effective your information security management system is and how it is implemented and controlled. It is important to us that you perceive certification in accordance with the ISO standard not as a test, but as an enrichment for your management system.

Our audits provide you with clarity. Our customers see this as an opportunity. For them, the independent auditor's feedback on improvement potential and possible risks is just as valuable as a DQS certificate as proof of their quality capability. To ensure that this remains the case, we pay strict attention to integrity and objectivity - you can read more about this in our audit philosophy.


In the audit, we specifically ask "why" because we want to understand the reasons why you have chosen a particular way of implementation. We focus on potential for improvement and encourage a change of perspective. In this way, you recognize options for action with which you can continuously improve your management system. Take us at our word.

Please note: Our articles are written exclusively by our standards experts for management systems and long-standing auditors. If you have any questions for the author, please contact us. We look forward to talking to you. 

Author
André Säckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.
