We have successfully migrated our information security management system (ISMS) to the 2022 version of ISO/IEC 27001. The international standard ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving a documented information security management system. It also specifies requirements for assessing and treating information security risks.
Successful ISO 27001 migration
In this year's re-audit, the auditors certified our effective implementation of the new requirements, which include the following:
- Information about threats is to be collected and analyzed in order to produce actionable insight (threat intelligence, Annex A control 5.7).
- Data leaks are to be prevented on systems, in networks and on all other devices that process information (data leakage prevention, control 8.12).
- Networks, systems and applications are to be monitored for abnormal behavior, and such behavior analyzed and evaluated (monitoring activities, control 8.16).
- There is an even clearer call for secure coding principles to be applied (secure coding, control 8.28).
Make a virtue out of necessity
These measures are important not only for us, but also for our customers.
Accordingly, we see them not only as requirements for our own ISMS; we also anticipated months in advance that they are, or will become, requirements of our customers.
As a result, our Digital Security Competence Center has been focusing on these controls since 2023 and working on the following questions:
- How can we better prepare our solutions for these requirements (and, more importantly, for the threats behind them) right from the start?
- What complementary solutions are needed by our customers?
- Where and how can we help our customers with advice on the successful implementation of these controls?
As a first step, the Competence Center has once again taken a close look at secure coding and the secure software development lifecycle.
We have developed and rolled out a new version of our secure design and coding principles.
We have also defined clear security gates (in addition to our quality gates), which ensure that security is considered in a targeted manner at every stage, from requirements analysis through implementation and testing to operation and maintenance.
A further improvement was made to our dependency checks, i.e. the security checks of external libraries and other third-party components.
In future, all application-specific software bills of materials (SBOMs; in simple terms, inventory lists of the components an application ships) are to be merged into one common inventory. A finding against a component then maps to every affected application in a single lookup, which makes vulnerability management more efficient and helps secure the supply chain for us and our customers.
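The following is an added example of such a merge and is not Westernacher's own tooling: it consolidates several per-application CycloneDX SBOMs into one inventory, deduplicating components by package URL (purl) and recording which application ships each one in a CycloneDX `properties` entry. The three SBOMs, the application names and the component versions are constructed for illustration; the `consumer` property name is an assumption, not a CycloneDX-defined key.

```python
"""Merge per-application CycloneDX SBOMs into one consolidated inventory.

Added example; not Westernacher's tooling. Input SBOMs are constructed inline
and trimmed to the fields used here; real ones come from an SBOM generator.
"""
import json
from collections import defaultdict


def _sbom(app, version, components):
    """Build a minimal CycloneDX 1.5 JSON document for one application (constructed)."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": app, "version": version}},
        "components": components,
    })


def _lib(group, name, version):
    """A Maven library component with its purl (constructed sample data)."""
    return {"type": "library", "group": group, "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}"}


# Constructed sample SBOMs for three hypothetical applications.
SBOMS = [
    _sbom("app-a", "2.3.0", [
        _lib("com.fasterxml.jackson.core", "jackson-databind", "2.15.2"),
        _lib("org.apache.logging.log4j", "log4j-core", "2.20.0"),
    ]),
    _sbom("app-b", "1.0.4", [
        _lib("com.fasterxml.jackson.core", "jackson-databind", "2.15.2"),
        _lib("org.apache.logging.log4j", "log4j-core", "2.17.1"),
        # Vendored component without a purl: cannot be matched to advisory feeds.
        {"type": "library", "name": "legacy-pdf-lib", "version": "0.9"},
    ]),
    _sbom("app-c", "3.1.0", [
        _lib("org.apache.logging.log4j", "log4j-core", "2.20.0"),
    ]),
]


def _key(comp):
    """Deduplication identity: the purl when present, otherwise name@version."""
    return comp.get("purl") or f'{comp.get("name")}@{comp.get("version", "")}'


def merge_sboms(sbom_jsons):
    """Merge several CycloneDX documents into one.

    Each distinct component appears once; the applications that ship it are
    recorded as `consumer` properties (assumed property name), so one advisory
    match yields the full list of affected applications.
    """
    by_key = {}
    for raw in sbom_jsons:
        doc = json.loads(raw)
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError("not a CycloneDX document")
        app = doc["metadata"]["component"]
        consumer = f'{app["name"]}@{app["version"]}'
        for comp in doc.get("components", []):
            merged = by_key.setdefault(
                _key(comp), {k: v for k, v in comp.items() if k != "properties"})
            merged.setdefault("properties", []).append(
                {"name": "consumer", "value": consumer})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application", "name": "portfolio"}},
        "components": sorted(by_key.values(), key=_key),
    }


def consumers_of(merged, purl):
    """Applications shipping the component identified by `purl`."""
    for comp in merged["components"]:
        if comp.get("purl") == purl:
            return sorted(p["value"] for p in comp["properties"] if p["name"] == "consumer")
    return []


def version_spread(merged):
    """Packages present in more than one version across the portfolio.

    The version is taken as everything after the last '@'; purl qualifiers
    (e.g. '?type=jar') would stay attached to it in this simple split.
    """
    versions = defaultdict(set)
    for comp in merged["components"]:
        purl = comp.get("purl")
        if purl and "@" in purl:
            pkg, ver = purl.rsplit("@", 1)
            versions[pkg].add(ver)
    return {pkg: sorted(v) for pkg, v in versions.items() if len(v) > 1}


def unidentified_components(merged):
    """Components without a purl; these need manual identification before matching."""
    return sorted(c["name"] for c in merged["components"] if not c.get("purl"))


if __name__ == "__main__":
    merged = merge_sboms(SBOMS)
    print(json.dumps(merged, indent=2))
    print("version spread:", version_spread(merged))
    print("unidentified:", unidentified_components(merged))
```

Two checks fall out of the merged inventory that are hard to see per application: the same package shipped in several versions across the portfolio, and components that carry no purl and therefore will never be matched by an advisory feed until someone identifies them.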
In many of our projects, our responsibility lies in the development of individual applications, which are then operated by the customer in the target system.
The conventional approach is that responsibility for detecting data leaks and conspicuous activity lies with the target system.
We want to share this responsibility.
In our Competence Center, we are working on design proposals for how the application itself can detect data leaks and prevent conspicuous activity, rather than leaving this entirely to the surrounding infrastructure.
Furthermore, we have provided a platform for the Competence Center and our projects that makes it possible to collect, analyze, correlate and share information on threats.
The platform is MISP, an open source threat intelligence platform with a large community.
This platform is a central component of our threat intelligence efforts and forms the counterpart to our threat modeling expertise.
Here we collect events and information from various external and internal sources, correlate them and thereby gain new insights into the threats (against us and against our market).
This not only enriches vulnerability management, it goes far beyond it.
It is also about understanding the motivations, intentions, capabilities and opportunities of potential attackers, and thus gaining a more reliable picture of our attack surface and of who is likely to target it.
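The correlation step described above, as an added example that is not part of the original page and not MISP's own code: events from external feeds and an internal sighting are indexed by attribute value, events sharing a value are linked, and a pivot from the internal sighting follows those links transitively to the external campaigns it connects to. The events, sources, IP addresses (documentation ranges), domains (`.example`) and the hash are all constructed; MISP's real correlation engine has more rules (per-type handling, per-attribute correlation flags, a configurable noise list), of which only a simple value match with a noise exclusion is reproduced here.

```python
"""Value-based correlation across threat events, in the style of MISP.

Added example; not MISP's code. Events below are constructed and shaped
loosely like MISP events (id, source, info, attributes of type/value).
"""
from collections import defaultdict, deque

# Constructed sample events. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges; the hash is a placeholder, not a real sample.
EVENTS = [
    {"id": 1, "source": "external:feed-alpha", "info": "Credential phishing kit",
     "attributes": [
         {"type": "domain", "value": "sso-portal.example"},
         {"type": "ip-dst", "value": "203.0.113.10"},
         {"type": "sha256", "value": "a3" * 32},
     ]},
    {"id": 2, "source": "external:feed-beta", "info": "Loader infrastructure",
     "attributes": [
         {"type": "ip-dst", "value": "203.0.113.10"},
         {"type": "domain", "value": "cdn-update.example"},
         {"type": "ip-dst", "value": "0.0.0.0"},  # noise: must not create links
     ]},
    {"id": 3, "source": "internal:proxy", "info": "Sighting: outbound to cdn-update.example",
     "attributes": [
         {"type": "domain", "value": "cdn-update.example"},
         {"type": "ip-dst", "value": "0.0.0.0"},
     ]},
    {"id": 4, "source": "external:feed-alpha", "info": "Unrelated scanner",
     "attributes": [{"type": "ip-src", "value": "198.51.100.7"}]},
]

# Values that appear everywhere and would link unrelated events (assumed list).
NOISE = frozenset({"0.0.0.0", "127.0.0.1", "::1", "localhost"})


def build_index(events, noise=NOISE):
    """Map each non-noise attribute value to the set of event ids containing it.

    Keyed on value only, so ip-src and ip-dst attributes with the same address
    correlate with each other, as they do in MISP.
    """
    index = defaultdict(set)
    for event in events:
        for attr in event["attributes"]:
            if attr["value"] in noise:
                continue
            index[attr["value"]].add(event["id"])
    return index


def correlate(events, noise=NOISE):
    """Return {event_id: {linked_event_id: [shared values, ...]}}."""
    links = defaultdict(lambda: defaultdict(list))
    for value, ids in build_index(events, noise).items():
        if len(ids) < 2:
            continue
        for a in ids:
            for b in ids:
                if a != b:
                    links[a][b].append(value)
    return {a: {b: sorted(v) for b, v in bs.items()} for a, bs in links.items()}


def pivot(events, start_id, noise=NOISE):
    """Ids of all events reachable from `start_id` by following correlations."""
    links = correlate(events, noise)
    seen, queue = {start_id}, deque([start_id])
    while queue:
        current = queue.popleft()
        for nxt in links.get(current, {}):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start_id)
    return sorted(seen)


def sources_reached(events, start_id, noise=NOISE):
    """Distinct sources the pivot from `start_id` touches; shows which feeds the sighting connects."""
    by_id = {e["id"]: e for e in events}
    return sorted({by_id[i]["source"] for i in pivot(events, start_id, noise)})


if __name__ == "__main__":
    for event_id, linked in sorted(correlate(EVENTS).items()):
        print(event_id, "->", dict(linked))
    print("pivot from internal sighting 3:", pivot(EVENTS, 3))
    print("sources reached:", sources_reached(EVENTS, 3))
```

The internal sighting (event 3) links directly only to feed-beta's loader infrastructure, but pivoting one hop further reaches feed-alpha's phishing kit through the shared IP address, which is the kind of insight the page refers to: neither feed on its own tells you that the proxy hit belongs to that campaign. Event 4 shares nothing and correctly stays isolated, and the `0.0.0.0` placeholder creates no links despite appearing in two events.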
It goes without saying that these measures are useful even if you are not aiming for ISO certification.
They are part of the standard repertoire of information security.
Westernacher Solutions not only builds its applications to a high standard of security, but also offers you many options for a holistic view of the information security architecture of your organization.
In the spirit of “Go Digital. For Sure!”
Your contact person
Tobias Müller
Competence Center Lead Digital Security