How do you establish an IT security management system?

Our Group was recently successfully audited and certified in accordance with ISO 27001. Read here in an interview with Dario Stöckli, CISO at the Aebi Schmidt Group and project manager for the ISO 27001 certification, about the challenges of such a project, success factors and what the future holds for the newly certified IT security management system.

Dario, what was the biggest challenge in the project for you as project manager? 

Definitely stakeholder management. Identifying, analysing and managing the tasks, requirements and expectations of all the different guidelines and teams, as well as individual colleagues, while also ensuring that everyone has the same understanding and the same level of information, is a huge challenge.  

Did you have to struggle with resistance? 

No, on the contrary. We started regular Group-wide awareness training a few years ago and this work is bearing fruit. I had the impression that everyone understands that we have to do the maximum possible to guarantee data security in the best possible way. Discussions on how to achieve this best have always been a balancing act, where not everyone always shared the same opinions. One or two processes seemed to work on paper, but the experience of the colleagues involved revealed the weaknesses in practical application. In order to ultimately establish functioning processes, agility and openness were required from everyone involved during the implementation phase. 

What are you proud of? 

We were able to successfully set up and operationalise the information security management system within a relatively short period of time. This also shows that we as a group really take the issue of information security seriously, both technically and organisationally.  

What were the critical success factors here? 

Well, the organisation, and in particular the management, has clearly given the certification project a priority. This is not a matter of course, as there are always many priorities. However, we have succeeded in explaining the intention and importance of the project to all stakeholders in an understandable way. 

Processes are known to be alive. What happens now? 

I am firmly convinced that we have laid an important and solid foundation with our information security management system. In the context of such systems, one of the things we talk about is the maturity of a system. In the future, it will also be important to continuously increase this maturity and thus security overall on a daily basis, because ultimately the secure operation of our information systems and data security are a key component of an organisation's long-term success.

> Read more about the Aebi Schmidt Group's ISO 27001 certification 

Dario Stöckli, CISO Aebi Schmidt Group
Dario Stöckli, CISO Aebi Schmidt Group