BSI audit standards exceeded, aiming for ISO 27001
Every company that is part of the CNI is legally obligated to submit to a BSI audit every two years. A certified auditor verifies whether the company fulfils the BSI's legal requirements. "We take the issue of information security very seriously and are aware of our responsibility. This is not only required by law. Our clients also rightly expect us to provide a comprehensive strategy to protect our shared information systems as part of our services – and they get it," said Nicolas Abel, Chief Information Security Officer at Deutsche Windtechnik. "For this reason, we only see the BSI audit as proof that we fulfil the minimum requirements. The real measure of our CNI strategy is whether we fulfil the requirements of ISO 27001."
This is because ISO 27001 is the internationally recognised standard for information security management systems (ISMS). It aims to protect the confidentiality, integrity and availability of information. Accordingly, it specifies the requirements for the implementation of an ISMS and defines its operation, monitoring, maintenance and improvement. The measures include risk management, security guidelines, access controls, emergency plans and continuous monitoring to identify, assess and minimise information security risks.
Dedicated networks for critical infrastructures
The security of the control centres is the focal point of Deutsche Windtechnik's protective measures. According to CNI regulations, these facilities are considered to be particularly critical and worth protecting. If they were affected by a cyber attack, this could have far-reaching consequences: for the operation of the turbines we manage, for our clients and even for the power supply to parts of the population.
"We make sure that nobody can access or change our data streams without authorisation," Nicolas Abel emphasised. "To this end, we have moved our critical infrastructure to a dedicated, independent power plant network. This measure goes well beyond the legal requirements. It's actually quite rare in the wind industry."
Information security involves the workforce
A key aspect of information security is making information secure regardless of the storage medium. This is because information security goes beyond IT security. We look at how both digital and analogue information is classified, encrypted, transmitted and later destroyed. "We are aware of and prepared for the fact that third parties might try to access sensitive data in order to cause damage," Nicolas Abel said. "Information security starts with ourselves – with the people. For example, we organise regular training courses to raise our employees' awareness. This puts them in a better position to identify and report phishing attempts."
Security creates trust
We operate in a global market. This requires thinking beyond German borders, including when it comes to information security. By following the internationally recognised ISO 27001, we set the highest standards, which our global clients also trust. By consistently focusing on ISO 27001, we send a clear signal: We are aware of our social responsibility. For us, security is not just a legal obligation but a central pillar of our corporate strategy.
This proactive approach to information security emphasises our commitment to the highest security standards and creates trust among all those who use our services. Our standards strengthen the shared digital infrastructure as well as our confidence in our own security strategy.



