Information, and the continuous availability of its products and services, are of decisive importance to the business activities of CompuGroup Medical SE & Co. KGaA (CGM). CGM depends on the continued trust of its customers and partners, trust built up over years of effort by all CGM employees. This competitive advantage must be protected: its loss could have serious consequences for CGM and severely damage the company's reputation. Protecting information and ensuring uninterrupted business operations are therefore of great importance.
For these reasons, CGM's Board of Directors has decided to introduce, maintain and improve a group-wide Information Security Management System (ISMS) and a group-wide Business Continuity Management System (BCMS). The ISMS is aligned with the international standard ISO/IEC 27001 and the BCMS with ISO 22301. The two systems interface with each other and with other disciplines such as Enterprise Risk Management, Data Protection and Quality Management.
Fulfilling contractual agreements with customers and service providers, complying with legal and regulatory requirements, and carrying out the activities associated with both are the focus of CGM's daily work.
The aim of the ISMS is to ensure that information of any kind, whether stored or transmitted electronically, printed on paper, handwritten or spoken in conversation, is always adequately protected and handled. The focus is on the fundamental protection objectives of information security: confidentiality, integrity and availability.
The overarching objective of the BCMS is to ensure the continuity of CGM's time-critical business processes and the availability of the resources they depend on (buildings and infrastructure, IT, personnel, service providers), even in an emergency or crisis situation.
Information security and business continuity are not one-off projects. They require a targeted, continuously improving management system that adapts to the constantly changing conditions in which CGM operates. The core of these combined management systems is therefore the Plan-Do-Check-Act (PDCA) cycle.
Through the PDCA cycle, CGM lays the foundations and establishes the management systems in a structured manner (PLAN), implements and operates them in accordance with the standards (DO), continuously monitors and verifies them (CHECK), and maintains and improves them in a targeted way (ACT).
The underlying premise of the Three Lines of Defense model is that, under the supervision and direction of the CISO, three separate groups within the organization are required to manage information security and business continuity risks effectively. The model clearly defines the roles and responsibilities of the stakeholders involved in the ISMS and BCMS processes.
The first line of defense is formed by the Information Security Coordinators of the Business Units and Service Units. They implement the specifications and methodology issued by the second line of defense within their area of responsibility. The first line of defense is responsible for the operational identification, assessment, management and treatment of risks.
The second line of defense is Group Information Security, under the direction of the CISO. This team defines the specifications, ensures that the first line of defense applies the same methodologies and procedures for risk treatment, and verifies that they are correctly implemented and applied.
The third line of defense is Internal Audit. Internal Audit independently reviews the specifications and control mechanisms of the second line of defense as well as the implementation and effectiveness of the measures in the first line of defense. Audits of the first line of defense follow a joint audit approach defined in cooperation with Group Information Security.