Is an information security audit stressful – or an opportunity to reflect on the current threat landscape and proactively improve security measures? After all, it's not just about passing an exam, but about establishing a solid foundation for future success.

SSI Schäfer has extensive experience in this area. After all, these intralogistics experts work with valuable assets – whether handling physical inventory, managing automated systems, or monitoring data related to logistics processes. To ensure everything is protected, they would not only lock the entrance door but also install security cameras, restrict access to sensitive areas, and continuously monitor for potential threats. This multi-layered approach to physical security is also crucial for information security. SSI Schäfer relies on preventative and detective controls throughout its processes to identify and defend against hacker threats at an early stage.
An important standard for structuring this approach, say Sari Leino, Information Security Manager in the Group Information Security Team since August 2022, and Karola Kysela, Information Security Manager at SSI Schäfer since October 2024, is ISO/IEC 27001, which provides a clear framework for an Information Security Management System (ISMS).
Access control
One of the first areas examined by the auditors is access control: Who has the authorization to access critical systems? Two fundamental principles are particularly important here:
- Employees only receive access to the information they need to perform their tasks.
- «Segregation of Duties» principle: Critical functions are separated – e.g., a person may change supplier data but not authorize payments.
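The two principles above are what an auditor actually tests for in an access review: not the role names, but the permissions a person ends up holding. The following is an added example, not SSI Schäfer's own tooling; the role names, permission strings, users and the conflict pairs are constructed sample data, and the check flags the page's own case of someone who can both change supplier data and authorize payments.

```python
# Segregation-of-duties audit over role assignments (added example; the
# roles, permissions, users and conflict pairs below are constructed data).

# Which permissions each role grants.
ROLE_PERMISSIONS = {
    "procurement_clerk": {"supplier.edit", "order.create"},
    "ap_approver": {"payment.authorize"},
    "readonly_auditor": {"supplier.read", "payment.read"},
    "admin": {"supplier.edit", "payment.authorize", "user.manage"},
}

# Which roles each user holds.
USER_ROLES = {
    "alice": {"procurement_clerk"},
    "bob": {"ap_approver"},
    "carol": {"procurement_clerk", "ap_approver"},  # two roles that together conflict
    "dave": {"admin"},                              # one over-broad role
    "erin": {"readonly_auditor"},
}

# Pairs of permissions that must never be held by the same person.
SOD_CONFLICTS = {
    frozenset({"supplier.edit", "payment.authorize"}),
    frozenset({"user.manage", "payment.authorize"}),
}


def effective_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, set())
    return perms


def sod_violations(user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Return {user: sorted list of conflicting permission pairs the user holds}.

    The audit looks at effective permissions, so a toxic pair is reported
    whether it comes from two separate roles (carol) or one broad role (dave).
    """
    findings = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_perms)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
        if hits:
            findings[user] = sorted(hits)
    return findings
```

Running `sod_violations()` on the sample data reports carol and dave; the same function run over an export of real role assignments is the kind of evidence an auditor asks for under the segregation-of-duties control.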
By using multi-factor authentication (MFA), users employ not only a password but also at least one additional factor, such as a software token on their smartphone. MFA has become essential in the private sphere as well. Using additional apps or SMS codes with everyday applications like online banking, social media apps, or email programs makes it more difficult for unauthorized third parties to access accounts.
In addition to "digital access control," there is also physical access control, which is familiar to everyone from their professional lives. Access cards and keys enable secure entry to rooms and buildings. Visitors are checked in and out via visitor logs, and guests are only permitted on the premises when accompanied. The combination of all these measures results in a "multi-layered" security approach.
One step ahead
An information security audit assesses not only the current state of security but also how well prepared one is for future threats. For this reason, auditors place particular emphasis on software updates and patch management. Cybercriminals are constantly searching for vulnerabilities in outdated systems, and an unpatched software flaw can represent the weakest link in an otherwise strong defense. According to experts, one of the most frequent "red flags" raised during audits is not a system vulnerability, but rather a lack of employee awareness. Social engineering attacks, phishing emails, and weak passwords remain among the most common causes of security breaches.
Regular phishing simulations and security awareness training enable employees to recognize threats early and respond effectively. SSI Schäfer has implemented a comprehensive online training program to strengthen cybersecurity awareness among its employees.
Not just "encrypt"
Data security is another key focus during audits. Auditors pay close attention to how data is classified, stored, and transmitted. Are backups managed securely? Is sensitive customer data protected from unauthorized access? Is the data encrypted? ISO/IEC 27001 emphasizes a holistic approach to data security, from encryption protocols to the secure storage and disposal of sensitive information. A comprehensive data protection strategy must ensure that even in the event of a security breach, critical information remains protected.