Basic analysis for information security

Essener Systemhaus (ESH) is the IT service provider for the Essen city administration and municipal affiliated companies. ESH looks after over 17,000 IT workstations at over 500 locations in the city. These include all departments of the city administration, more than 200 schools, all municipal day-care centres, the utility companies Stadtwerke and Ruhrbahn, Messe Essen and many other affiliated companies.

ESH commissioned secunet to jointly establish an information security management system (ISMS) - as part of an implementation project. The certification proves the quality of the work and confirms conformity with ISO/IEC 27001:2013.

The first step within this project was to take stock of the current level of information security (IT organisation and technology) in the form of guided interviews conducted by secunet.

The scope of the ISMS includes:

• the housing as well as the management of the central data centre of the network including the decentralised infrastructure components,
• the necessary processes for personnel, accounting and procurement management
• as well as the connection to the federal network

Following the provisions of the definition of the security policy and the ISMS organisation, ISMS processes were identified, sets of rules were drawn up and released and publicised within the organisation. The subsequent risk analyses were first carried out under secunet's guidance and then independently by the employees. The employees of the ESH were familiarised with their own ISMS by secnet within several training blocks. In March 2022, the ISMS was successfully certified in accordance with DIN ISO 27001 by an auditor from TÜV Rheinland. The ESH is currently working on determining the maturity level and setting up a continuous improvement process (CIP).

The project was successfully completed within the timeframe with ISO/IEC 27001 certification. Building on this, secunet will support ESH in the continuous improvement of its ISMS.