ISO 27001:2013 can be understood as a business driver to comply continuously with the consumers’ and customers’ expectations of “continuous service availability”. Using standardized processes helps achieve this goal more cost-effectively and reliably while also meeting legal requirements. HiSolutions supported HERE in implementing an ISMS for all relevant assets at locations in the USA, Germany, India and Finland.
Scope
The scope of the ISMS encompassed the HERE Core Platform operations, including onboarding, operations and maintenance of services providing maps and map-related functionality.
Additionally, all relevant HERE assets, such as infrastructure, IT, human resources and suppliers at all data centers managed by HERE at various locations across Europe and North America, were included.
The scope also incorporated the management and provisioning of purchased services, such as external support services, which rely on the HERE cloud.
Challenges
The ISMS implemented at HERE was designed to ensure information security, privacy and high availability of the HERE Platform, which is developed and operated by the three HERE business groups.
Remote and mobile working had to be taken into account in the ISMS asset and risk management. The business processes in the scope were not specific to any single HERE location, but globally applicable across all HERE sites. These processes allow HERE employees and subcontractors to log in to the HERE network and systems from outside of the physical HERE premises, allowing for mobile work.
In order to process and deliver map information in real time, the use of cloud computing is essential for HERE. The HERE Platform must achieve high availability, handle unpredictable growth and supply global geographic coverage. An in-house cloud computing platform is available for services processing high-value HERE information, but to keep costs at acceptable levels and to stay focused on providing business value through services, HERE relies heavily on outsourced cloud computing resources.
Implementation
HERE defined and documented its policies concerning the standards, processes and structures in use, as well as the risk management approach and risk reduction plans.
The integral controls of the HERE ISMS are based on the following components:
- Communications (Information and Communication) – The policies have been communicated to responsible parties and authorized users of the ISMS.
- Procedures (Control Activities) – Operation procedures are in place for the HERE ISMS to achieve objectives in accordance with its defined policies.
- Monitoring – HERE monitors the ISMS and takes action to maintain compliance with the defined policies.
Results
HiSolutions implemented a streamlined ISMS for HERE and improved all ISMS processes, without losing sight of the requirements of the standards.
All ISMS stakeholders were successfully prepared, regardless of location, through targeted trainings tailored to the certification situation, in order to avoid risking the success of the certification.
The new information security policy states that information security, privacy and high availability are key considerations in the creation, delivery and support of HERE products and services. Their purpose is to maintain the competitive edge, cash-flow, profitability, legal, contractual and regulatory compliance and commercial image of HERE.
In particular, a structured approach, from Asset to Risk to Audit Management, aided in creating a transparent ISMS across multiple locations, with individual measures corresponding to the controls found in Annex A.
The “system” in the ISMS refers to the people (individuals working for HERE), processes (roles and responsibilities) and technology (hardware and software) needed for creating, handling, storing and disposing of HERE business information, regardless of physical or geographical location.
The HERE ISMS now qualifies for ISO 27001:2013 and similar certifications, and also provides a good foundation for other certifications that HERE may require.
Information about HERE
HERE is a leader in navigation, mapping and location technology. HERE enables real-time location applications and experiences for consumers, vehicles, enterprises and cities.
The location technology from HERE is based on a cloud-computing model, in which location data and services are stored on remote servers and can be accessed by users across devices.
Built on 30 years of experience in cartography and drawing on more than 80,000 data sources, HERE offers maps for more than 190 countries and voice-guided navigation in over 50 languages.
HERE employs 7,000 people in more than 56 countries, with major development sites in Berlin, Chicago, Boston and Sunnyvale.
Our customer's opinion
“The ISO 27001 certification was an important milestone for HERE. Knowing that HiSolutions had successfully helped other organizations to set up an ISMS, we wanted to hire them for the job and we were not disappointed. The project resulted in an ISMS embedded in the company processes and ways of working so our internal team can confidently maintain the certification.”
Diego Baldini
Chief Information Security Officer, HERE
About HiSolutions AG
HiSolutions AG with headquarters in Berlin is one of the most prestigious consulting companies for security consulting and ITSM in Germany.
HiSolutions combines highly specialized know-how in the fields of information security and IT consulting, together with profound process expertise in various industries and in public administration at a local, state and federal level.
HiSolutions has been actively involved for a number of years in research and teaching.
HiSolutions is additionally involved with improving standards in IT Security, developing in 2013 a simplified implementation of the recommended requirements for BSI IT Baseline Protection Standards Blocks B3-101 (General Servers) and B3-109 (Windows Server 2008).