
February 20, 2024

Cyber Security in Digital Building Operations: Interview with Dr. Jan Henrik Ziegeldorf

Dr. Jan Henrik Ziegeldorf, CTO of aedifion

aedifion has had all of its IT and business processes certified in accordance with the DIN EN ISO/IEC 27001 information security standard. The certification confirms that aedifion has established and implemented an effective management system to protect information in all areas of the company. Dr. Jan Henrik Ziegeldorf, CTO of aedifion, talks about the new information security management system (ISMS) and the relevance of the topic for the building management of the future.

aedifion has been ISO 27001 certified since December 2023. This confirms that the company has a high level of information security. What were your reasons for the certification?

Cyber security is a serious issue. In its 2023 status report, the German Federal Office for Information Security (BSI) refers to an increasing threat situation in the area of IT security, mainly through the use of ransomware. With our ISO 27001 certification, we have an effective tool to protect ourselves against attacks. We focus on the entire organization, including the workforce, as a central point in the defense against cyber attacks. At the same time, our management system forms an excellent basis for further certifications such as quality management in accordance with ISO 9001 or environmental management in accordance with ISO 14001. Our employees, in turn, benefit from individual training plans and clearly defined reporting channels. This creates satisfaction and prevents uncertainties in the daily handling of IT security issues.

How did you go about achieving certification?

The certification was implemented in a multi-stage process. The first step was to create all the guidelines and documentation required for the ISMS. In the subsequent implementation phase, we focused on targeted awareness-raising measures and training for all relevant stakeholders. These include employees as well as partner companies and customers. "DataGuard", an established SaaS company for data protection, information security, and compliance, professionally supported this process. A central, securely encrypted device management system for laptops, tablets, and smartphones also ensures secure, hybrid working while on the move or working from home. After six months of operation, the final certification was carried out by the accredited auditor "Infaz - Institute for Auditing and Certification". To ensure continuous compliance with the requirements until recertification in three years, we undergo a surveillance audit once a year. As a member of the BSI's Alliance for Cyber Security, we also want to help strengthen Germany's resilience to cyber attacks.

What does the certification mean for your customers and partner companies?

Fortunately, our customers are also becoming increasingly aware of the issue. More and more companies are auditing their suppliers and service providers for IT security. ISO 27001 certification enables us to significantly shorten and accelerate the audit processes required for cooperation. But our own partner companies also have to meet specific security requirements. For example, when renting servers for our software solution, we only work with certified hosting providers in Germany or the EU.

Optimizing operations with the cloud platform involves handling various data from the technical building equipment. This may also include sensitive information, such as personal or security-related data. How do you ensure that this information is and remains protected at all times?

Our new management system addresses the three central basic principles of information security: confidentiality, integrity, and availability of information assets. The certification confirms that we fully comply with these principles in all areas of the company. By protecting sensitive information from unauthorized access, we are already making an essential contribution to the protection of personal or security-relevant data. However, data protection is not a sub-area of information security but must be seen as complementary to it. In order to meet this requirement in full, we comply with the provisions of the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). For example, we only commission data centers and service providers based in Germany or the EU to process our customer data.

Is this level of security also guaranteed if buildings outside Germany are optimized with the cloud platform?

Of course. The level of IT security we implement is entirely independent of the location of the optimized building. Our ISO 27001 certification ensures that our customers outside Germany and the EU also receive the high level of IT security and data protection that must be met here in Germany. Simply put, encryption knows no national borders.

What future developments or challenges do you expect in terms of cyber security in building management, and what recommendations do you have for owners and operators to strengthen their security measures?

With increasing digitalization and flexibilization, buildings will become an integral part of the future energy system. As so-called "prosumers", they not only consume energy but also actively generate it and adapt their consumption to the needs of the electricity grid and dynamic prices on the market. At the same time, investments in the implementation of AI-based solutions are increasing, for example, in the context of demand-based control of building automation based on weather forecasts or room utilization. All of this is only possible if buildings are optimized with a cloud platform. As data volumes and complexity increase, so do the security requirements. With its high standards, ISO 27001 certification offers a very good starting point for operating and optimizing buildings efficiently and securely in the cloud. We therefore recommend that owners and operators address the issue of IT security as early and proactively as possible by:

  • Replacing outdated systems
  • Providing the necessary resources at an early stage
  • Working with certified service providers
  • Promoting awareness and sensitization among their own workforce

If we don't allow fear to guide us but take a proactive approach, then we have already gained a lot.