Secure Your Business

case study sme:
ISO 27001 in small and medium-sized enterprises 

  • Risk management, people awareness, utilizing synergies
  • A strong signal for confidence and an asset in competition
  • Advantages for Euro-SOX and Sarbanes Oxley

The market speaks a clear language: Evidence of information security is explicitly being required

by more and more customers. The way how the International Security Standard ISO 27001 can be implemented efficiently in small and medium-sized enterprises is shown by three case studies: Selected Services (software), Fabasoft and CQR Payment Solutions were successfully certified acc. to ISO 27001 and report about their way from implementation to certification. ISO 27001 can be used independently from the size. Risk analysis helps to show the specific need for action. Thus small and medium-sized enterprises profit from a lean effective system. 




Evidence of information security is explicitly being required by more and more customers.



Interview with CQR Payment Solutions – 90 employees
Interview with Fabasoft Group – 200 employees
Interview with Selected Services Ltd. – 50 employees 




Mr. Eckel, what were the motives for establishing information security acc. to ISO 27001?


“We wanted to give a strong signal for confidence. Outsourcing of all the payment transactions is

a topic implying confidence. The ISO 27001 Certificate turns CQR into a pioneer in the sector, which is received by our customers very well.”

  • Were defined processes in place, or was this step new territory?

“CQR had already defined processes according to the Industry Standard ‘Payment Card Industry Certification’. The contents of the requirements overlap with those of ISO 27001 so that we could utilize synergies. PCI focuses on the technical aspects. As for ISO 27001, we can profit from the security organization, awareness actions and security processes that do not only cover credit card data but also all the sensitive information.“

  • What internal benefits does the company draw from ISO 27001?

“At CQR, many processes had been defined even before certification acc. to ISO 27001. However, implementation of the information security management system (ISMS) has helped us to create a uniform structure. We are a dynamic company with a strong growth and constant changes – also as far as the number of employees is concerned. Therefore, the fact that we won traceability of our activities and processes is a big advantage. All the change processes, which range from the new user to the new software, are regulated by change and configuration management.”

  • What strategy have you pursued for implementation and certification?

“During the six-month implementation phase, we have entrusted a consultant with helping us to correctly interpret and efficiently deploy the requirements placed by the standard. As for the topic of risk management, we had in-house knowledge due to the sector. Besides, we could consult the Security Department of the mother company. Compiling documentation was hard work. On the other hand, ongoing expenditure for operating the ISMS is minimal now. On the whole, we rate implementation of ISO 27001 as being a profit – it is a question of requirements which should be implemented, at any rate, sooner or later. After this positive experience, it also is planned to have the mother company bwin, which has several thousand servers, certified in order to improve the internal processes even more.“

  • What advantages does ISO 27001 yield when it comes to complying with Euro-SOX?

“As a public-interest company, CQR is subject to the requirements placed by the 8th EU Directive, which specifies the introduction of an internal control system. We can directly derive the Euro-SOX aspects relating to IT and information security from ISO 27001. In order to review the internal control system and risk management system for effectiveness, balance sheet auditors

will have to use “international standards” as a scale acc. to Article 26 of the 8th EU Directive.

In this respect, documentation of the IT and TK infrastructure is an important aspect.”


“A critical aspect refers to the issue of management responsibility. Without demonstrable documentation, there is personal liability of management. Then the organization can be punished for being at fault. It is also before this background that our ISMS acc. to ISO 27001 plays a crucial role. The Certificate issued by such an accredited body as CIS is a document recognized federally and demonstrates an organization’s IT conforms to international standards. Thanks to a management system certified acc. to ISO and demonstrably translated into action, the documentation duty required in Euro-SOX is fulfilled automatically. Therefore, the decision-makers are largely saved personal liability.”




Mrs. Daghofer, what were the motives for establishing information security acc. to ISO 27001?


“As a service provider, we keep sensitive and business relevant data of customers. This data needs to be protected – demonstrably, by means of certification. Confidential paper can be stored in the safe. As for complex data protection with digital, analog and mental information – which is saved centrally, locally, in a mobile manner and in the employees’ heads – ISO 27001 acts like a safe. An effective system with a structure and control mechanisms. The Certificate also is an important basis for future Software-as-a-Service (SaaS) services.“

  • What area of the company has been certified?

“The headquarters in Linz, which has 150 employees and centrally accommodates the computing centre and software development, has been certified. It is thought about extending certification acc. to ISO 27001 to other locations. This might become particularly interesting in the US. For service providers of US companies that are subject to the SOX duty have to undergo SOX Audits themselves. Thanks to ISO 27001, the part of Sarbanes Oxley relevant to IT and security already is covered.“

  • What competitive advantages can you draw from the Certificate?

“We give a sign and present the ISO 27001 Certificate on our homepage, on customer events and enclose it at requests for quotation. Thanks to its profound expert knowledge, CIS as a Certification Body has a good reputation in the sector.”

  • Were defined processes in place, or was this step new territory?

“We are certified acc. to ISO 9001 throughout the company group and could integrate ISO 27001. Even IT and security processes had also already been defined. We had largely already lived according to the requirements placed by ISO 27001. Therefore, it was a logical step to make this visible by means of certification. We could implement the overall system without a consultant within eight months.”

  • What were the items that still had to be elaborated?

“Documentation and the Manual were refined. An exciting aspect was people awareness. In this respect, we can state that our Managing Board acts as a role model by being highly enthusiastic and committed in terms of this topic. New employees go through our Academy, where information security has become a fixed part. Furthermore, an internal Security Guideline was sent to the employees in a Newsletter. This has strongly triggered discussions. This means mouth-to-mouth propaganda has helped us to raise awareness.


In addition, we have posted changing posters with such security slogans as “Don’t give thieves a chance” or “Take the receiver” (in order to report incidents). And last but not least, articles about ISO 27001 are being written in our internal Wiki more often and often. For example quite recently an article about saving of hard disks with cross references to the standard.“

  • How have you implemented risk management acc. to ISO 27001?

“In studies at home using literature and internet investigations. Besides, the IS Manager Training offered by CIS provided us with relevant documentation. The big challenge was to compile risks and actions. It was a matter of systematically acquiring the “puzzle parts”. This gave us a valuable overall view and made us confident we would not overlook any risk and take along any doublets. The following has proved to be a useful process for creation: recording risks in writing, discussing them and making a choice; only then defining actions; this helps to prevent the system from being overloaded.”

  • What method have you used for risk analysis?

“The qualitative method ALARP (as low as reasonably practicable). This method has convinced us because of its simple approach. In the formula ‘Likelihood of occurrence x Effect = Risk’, no monetary values are used, which would be possible in case of damage done to the image, but “school grades”. The results will be represented graphically as a matrix according to the traffic-light system red-green-yellow. In order to be able to measure the effectiveness of the actions, we have directly linked our strategic system of indicators with risk management.”

  • Do you have a suggestion for implementing ISO 27001?

“Thinking about time buffers and going back one step again and again in order to have a look at the system as a whole. The tightrope walk is as follows: as much as necessary, as little as possible. An overloaded system won’t be translated into practice. The system must be lean and efficient.”




Mr. Rösch, what were the motives for establishing information security acc. to ISO 27001?


“For us as a provider of web based rental software, information security is a business need. This means it is not only particularly topical in automotive industry. One of our customers, a big subsupplier, explicitly required certification acc. to ISO 27001 from us – in a foresighted manner while the customer was still heading for implementation.”

  • Were defined processes in place, or was this step new territory?

“Implementation was easier and faster than expected. This was particularly due to the fact that we already had processes conforming to SOX because of our business relations with a company listed on the US Stock Exchange. The contents of the requirements placed by ISO 27001 and Sarbanes Oxley overlap. Therefore, we could directly build implementation of ISO 27011 upon the processes already defined.”

  • What strategy have you pursued for implementation and certification?

“For efficiently implementing the standard, we have availed of the services provided by a consultant. We implemented analysis of the processes, revision of documentation, conduct of a risk analysis as well as classification of documents with external help. This has enabled us to cope with implementation within one year. The whole location in Vienna with software development, support and administration was certified. For preparing for the Certification Audit, we availed of a Stage Review made by CIS. Obtaining certification right at the first attempt is extremely important for motivating the employees who are to durably ‘live according’ to this system.”

  • What internal benefits does the company draw from ISO 27001?

“Complete documentation of all processes creates transparency for the whole company. Thus critical questions, such as the way to handle leaving of employees, are clearly regulated. The Incident and Change Management within ISO 27001 has helped us to improve our support processes and optimize all the workflows behind as well as the use of trouble tickets. Thus we profit from the increased efficiency and the clear processes. Our customers feel this because the response and cycle times are shorter when processing requests. Therefore, it also was important to us to seal the introduction of ISO 27001 with a Certificate in order to make internal optimization of our processes visible even to our customers.”

  • And the advantages over the competitors?

“Standardized processes that are recognized and reviewed by the independent Certification Body CIS are a concrete competitive advantage on the market: In the last year, our customers’ demand for certification acc. to 27001 increased significantly. The Certificate gives our customers the certainty to have a reliable partner.”

  • How have you implemented risk management acc. to ISO 27001?

“The field of risk management was a new territory for us. Therefore, we implemented this aspect by using a consultant as a coach. The priorities were contractual issues, issues relating to liability and other legal issues. For failure proofness was already covered by the SOX requirements.”

  • Is certification acc. to ISO 20000 planned as well?

“Yes, this is being planned, namely as an integrated system with ISO 27001 so that synergies

up to combined audits can be utilized at operation. POOL4TOOL already models processes conforming to ITIL by means of its own Ticketing Module. ISO 20000 makes it possible to demonstrate conformity to ITIL by means of a Certificate. Therefore, we are striving for certification acc. to ISO 20000 – still another competitive edge in the international competitive struggle.”

CIS - Certification & Information Security Services T +421 55 677 0156 office.sk@cis-cert.com Imprint