Guideline for Quality Management and Information Security
1. Scope of application
The satisfaction and security of our customers are our highest concern. This presupposes that our suppliers are also involved in the service provision process and commit themselves to compliance with our information security and quality management standards. The objective of this guideline is to clarify the requirements regarding information security and quality management. These are defined by the following standard:
TISAX (Trusted Information Security Assessment Exchange) Details: https://enx.com/tisax
Users of this guideline are all employees of cellent GmbH as well as all relevant external parties. This guideline applies to all affiliated as well as independent organizational units that belong to cellent or are integrated into its network infrastructure.
2. Information security: Basic concepts
Confidentiality - the property of information that it is not available or disclosed to unauthorized persons, entities or processes.
Integrity - the property of safeguarding the accuracy and completeness of information.
Availability - the property of information being accessible and usable on demand by an authorized entity.
Information security - maintaining the confidentiality, integrity and availability of information.
Integrated Management System (IMS) - that part of the overall management process that deals with the planning, implementation, maintenance, review and improvement of information security and quality management.
3. Information security management
3.1. Policy, targets and measurement
The objectives of our Integrated Management System are:
- Ensuring customer satisfaction
- Meeting the protection goals of confidentiality, integrity and availability
- Compliance with legal requirements
- Preservation and protection of the company's image
- Minimization of damage in the event of security incidents
- Increasing the company's resilience
- Continuous further development through the implementation of improvement measures
- Compliance with customer requirements
- Expansion of order volume with new customers
- Acquisition of further services and projects from existing customers
These objectives are consistent with the company's business objectives, strategy and business plans. Top management is responsible for reviewing these overall objectives and defining new ones.
Action targets for individual security measures or groups of security measures are proposed by the Information Security Officer (ISO) and approved by top management. The following policy has been established to achieve the objectives of the IMS:
- Knowing and understanding customer needs
- Optimize personal competencies
- Optimize the maturity level of our company
- Balanced price/performance ratio
- Ensuring economic stability
- Training of all relevant employees to maintain the information security standard
- Reporting of information security incidents to the ISO or Internal IT
- Consideration of information security requirements in the work environment
Contact persons for information security issues are the Information Security Officer (ISO), the CERT team of Internal IT and the ISMS team, which has decision-making authority at management level.
This policy is implemented through the more detailed internal guidelines that are stored in the Integrated Management System.
3.2. Information Security Requirements
This policy and the entire IMS shall comply with both the legal and regulatory requirements and the contractual obligations governing the organisation in the field of information security.
3.3. Information Security Measures
The process for selecting measures (security measures) is defined in the methodology for risk assessment and risk treatment.
The risk analysis is stored in the IMS, and all risks listed therein are known to top management.
The selected measures and their implementation status are stored in the IMS.
3.4. Structure of the security organisation
The ISO is supported by the ISMS team on the following topics:
- Advising the ISO on overarching information security issues
- Development of security targets, security strategies and security concepts
- Review of the implementation of security policies
- Control and monitoring of security processes
- Designing training and awareness-raising content for information security
Furthermore, a CERT (Computer Emergency Response Team) can be formed if required. The CERT consists of security experts who help to resolve and prevent specific IT security incidents.
Both the ISMS team and the CERT report directly to the Information Security Officer, to whom they also report incidents.
3.5. Guideline communication
Top management within the scope of application must ensure that all employees of cellent GmbH as well as the corresponding external parties are familiar with this guideline.
4. Support of the ISMS implementation
The Managing Director hereby declares that IMS implementation and continuous improvement will be supported with appropriate resources to meet all the objectives set out in this guideline.
This guideline was approved by the managing director and applies to all cellent employees and relevant external parties together with the guidelines and procedural instructions stored in the IMS.