Prototypes, customer drawings, component price lists, restrictive clauses in contracts with counterparties, access to customers' portals, a five-level information classification scheme, computers controlling production machines, access control to the plant premises, a manufacturing network, mobile devices, data entrusted to suppliers and subcontractors, the company's image, awareness among production employees, design, prototyping, monitoring, a laboratory, business continuity, know-how, technical documentation, competition… Maflow faced all of these challenges during its project to implement an information security management system (ISMS) compliant with ISO/IEC 27001.
Maflow, one of the leading manufacturers of hoses for air conditioning, power steering and active suspension systems in the automotive industry, has been a regular supplier to major car manufacturers for many years. The company has nine plants in seven countries on three continents.
Why ISO 27001 in the automotive industry?
VDA is an abbreviation well known to every supplier of the Volkswagen Group, BMW, Ford, Mercedes and other car brands. The Verband der Automobilindustrie (VDA), the German Association of the Automotive Industry, has more than a hundred years of history and a very good reputation; it brings together more than 500 companies employing a total of over 700 thousand people. The VDA focuses on standardization, development and research in the automotive industry. Its members are not only the companies that have plants in Germany and produce the final product, but above all the manufacturers and suppliers of parts and components for the automotive industry.
Suppliers that want to work with the biggest car manufacturers are obliged to meet the VDA's requirements. One of them is the protection of prototypes and customers' data. The VDA's Prototype Protection document (see www.vda.de/en/downloads/693/) sets out framework requirements for product security that were drawn up on behalf of the VDA Working Group "Integral Information Protection with IT Security, Prototype Protection and Risk Management". These requirements are intended to act as a basis for product protection in the German automotive industry and to complement the requirements set down in ISO 27001. In other words, an ISO 27001-compliant ISMS provides the management-system foundation, and the VDA requirements add the prototype-specific protection on top of it.
The ISO 27001 standard has one more significant advantage, especially important for companies that, like Maflow, work with Volkswagen or Audi. These manufacturers treat a valid ISO 27001 certificate as proof that the supplier properly protects the information entrusted to it, which in turn exempts the supplier from a costly audit carried out by VW and Audi themselves.
In symbiosis with other systems
At Maflow, the standard was implemented in the Polish branch of the company: a plant in Tychy and two plants in Chełmek. The work started in November 2013 and ended in July 2014.
The ISO 27001 implementation project began by defining its objectives and identifying the processes that the information security management system (ISMS) would cover. It was also necessary to integrate the ISMS with the company's other management systems, including ISO/TS 16949.
ISO/TS 16949, which sets out quality management system requirements for the design and development, production, installation and servicing of automotive products, also imposes information security obligations on the supplier. Relevant sections of that standard include:
- 4.2.3.1 Engineering specifications (technical documentation);
- 4.2.4.1 Records retention: control of records must satisfy statutory and regulatory requirements as well as customer requirements;
- 7.1.3 Confidentiality: the organization must ensure the confidentiality of customer-contracted products and projects under development, and of related product information;
- 7.3.6.2 Prototype programme: where prototype work is outsourced, the organization remains responsible for it, including technical leadership;
- 7.5.4 Customer property: this may include intellectual property and personal data.
At Maflow, we treat the ISO 27001 certification as an investment in our security and the security of our customers. Operating the company in accordance with this standard allows us to "sleep well" and to focus on the most important aspects of the business. Customers appreciate our commitment to security, which results in ever better cooperation in all fields and at all levels.
The Information Security Management System has allowed us to systematize and standardize many areas of the company's operation. For Maflow, ISO 27001 means not only procedures and technical safeguards. From our point of view, it was vital to build among Maflow employees the belief that information security has an important role. I am glad that this awareness is now shared throughout the organization, because the system does not concern IT only. We often forget that IT is an important, but not the only, area in which care for information security is of great importance.
I appreciate the commitment and professionalism of the BCC team. In the future, we will continue to benefit from their support. Now we focus on maintaining the certificate and making the standard "well-established" in our units; however, further development of the system is the next step, which for us is an obvious consequence of the first one.
Bartłomiej Irczyk, IT Director, Maflow Group
Phase by phase
After the project team and the information security management forum (ISMF) were established, their responsibilities were defined. The project schedule was divided into four phases.
In the first phase, the following deliverables were prepared:
- a pre-audit report,
- system procedures,
- an information security policy,
- the scope of ISO/IEC 27001 ISMS,
- an ordinance establishing the ISMS forum,
- an ordinance appointing a representative of ISMS,
- a training plan.
The deliverables of the second project phase were:
- a procedure of classification of information and assets,
- templates of identification of information and assets,
- a risk management procedure,
- a risk matrix,
- a risk treatment plan.
The third phase included testing the processes through audits, corrective and remedial actions in the individual Maflow units covered by the implementation, and the presentation of the ISMS to, and training of, all members of the organization (training in the use of the implemented system). The deliverables of the third project phase were:
- a Statement of Applicability,
- operational procedures, policies and instructions for the individual Annex A control domains (the list follows the numbering of the 2005 edition of ISO/IEC 27001; the 2013 edition restructures Annex A into domains A.5 to A.18):
  - A.5 Security policy,
  - A.6 Organization of information security,
  - A.7 Asset management,
  - A.8 Human resources security,
  - A.9 Physical and environmental security,
  - A.10 Communications and operations management,
  - A.11 Access control,
  - A.12 Information systems acquisition, development and maintenance,
  - A.13 Information security incident management,
  - A.14 Business continuity management,
  - A.15 Compliance.
In the fourth and last phase of the project, the following documents were prepared:
- a plan of internal ISO/IEC 27001 audits,
- a report on the internal ISO/IEC 27001 audits,
- internal ISO/IEC 27001 auditor certificates,
- training plans and evaluations,
- an ISO/IEC 27001 management review report.
The culmination of the project was the certification audit, which took place on 22-25 July 2014 and was conducted by the certification body TUV Nord Poland. The ISO 27001 certificate demonstrates to Maflow's customers that the company applies a strict information security policy and that protecting the sensitive data entrusted to it is a priority.