Industry:

Consumer Goods Industry, Chemicals

Problem:

The listed company bases its information security policy on the internationally recognized ISO 27000 standard, from which necessary controls (risk-reducing measures) were derived – but this was not done uniformly for the entire organization. A comprehensive and continuous overview of the controls to be implemented and identified problems could therefore not be guaranteed. Subsequently, audits revealed that controls were insufficiently implemented and documented.

Project objective:

Compliance with the controls is to be reviewed regularly and identified deficits are to be eliminated demonstrably. The tool ServiceNow® GRC was used for the implementation.

Project procedure:

An agile and risk-oriented process model was developed to achieve visible project results at an early stage:

• Prioritization of the control requirements and assets to be considered and the formulation of the resulting controls,
• Grouping of the controls in waves depending on their prioritization,
• Roll-out of the controls into the GRC module of ServiceNow®,
• Implementation of further waves. These were also carried out in parallel,
• Initiation of regular checks on compliance with the controls: Identified deficits are documented and demonstrably eliminated,
• Implementation of awareness campaigns and training for the entire organization,
• Creation of the organizational and technical prerequisites, i.e. implementation of the SNOW GRC module and adaptation of the organization to the necessary processes.

Project results:

Weaknesses are discovered, documented and verifiably eliminated by continuous control checks. In addition, the findings from the review are used for adjustments and improvements to the IT control framework (continuous improvement process).