CONVOTIS has received the ISO 27001 certification. Nikola Dinic, Group CISO talks about the challenges and benefits that come with the certificate.

 

Dear Nikola, congratulations on the successful re-certification of CONVOTIS in Vienna and Hamburg. Together with your team, you were instrumental in this success. What is the significance of this certification?

Obtaining this certification illustrates the high quality of the safety practices applied and thus improves the company’s reputation. It strengthens the relationship with our customers and gives us a significant competitive advantage, opening up new business opportunities.

ISO 27001 certification requires regular reviews and internal audits of the ISMS, which are repeatedly checked by external auditors. Independent experts evaluate the functionality of the ISMS as well as the level of security concerning information of the organization and its customers.

 

For an international group like CONVOTIS, what are the benefits of being ISO27001 certified?

In addition to the benefits already mentioned, the relevant security measures become more structured and focused. Especially fast growing companies, like CONVOTIS, can increase their productivity with the help of the ISO 27001 standard, as responsibilities for information risks are defined. Last but not least, certification provides a globally recognized indication of security effectiveness, which eliminates the need for repeated customer audits and thus creates substantial cost savings.

 

How did the re-certification process go at CONVOTIS? What were the biggest challenges during the journey?

Our biggest challenges were primarily in the area of standardizing or harmonizing the heterogeneous IT infrastructure and relevant information security processes that support or depend on it. We also put a strong focus on risk management to improve our risk identification, contextualization and mitigation.
This area was rated as highly critical by our CONVOTIS Security team, especially in the context of an innovative industry and the daily threats to the business. Great efforts were also made in the area of asset management, which should not be underestimated.

 

What advice do you have for customers facing a similar certification?

This is an exceedingly complex question. There are many factors that affect scope, process maturity and audit results that need to be kept in mind. The company has to withstand various risks.

But I would like to emphasize the following points, as they can be applied regardless of the company:

  • Certify at the right moment. REGARDLESS of whether your company has recently suffered a data breach or is simply assessing the risks, committing to ISO 27001 certification is always the first and most important step.
  • Familiarize your team with the process as early as possible. Educate them about protecting customer data and improving corporate health. This will increase your company’s interest in data security and clarify the value, processes and goals of ISO certification.
  • Don’t underestimate the scope of your organization’s ISMS. By determining what your organization’s ISMS should include and cover, you simultaneously structure your system The scope focuses on dependencies and interfaces:
    Dependencies are outside the organization and include third-party services, such as accounting. Once these are identified and eliminated, focus on interfaces. This includes all endpoints within your network, such as the router, as well as higher-level interfaces such as employees and processes.

 

How does the re-certification affect the security portfolio of CONVOTIS?

The re-certification process has shown us the importance of synergy effects in the area of information security. Specifically, this involves the exchange of know-how between our entities, joint project management activities at our customers, as well as the increased use of uniform security tools at the group level.

For the period 2023-2024, we are aiming for Group-wide, uniform ISO 27001 certification in the compliance area across all entities and sites.