This fragment is based on an interview conducted by Angela Fessl and Katharina Stefan (Know Center) with a compliance manager (CM) of IONOS SE, on the topic of audit preparation processes at IONOS as part of the EMERALD User Interaction & User Experience requirements (WP4).
At IONOS, audit preparation for cybersecurity certifications like BSI C5 and ISO 27001 involves structured internal processes. The CM outlined IONOS’s detailed approach to audit preparation:
Initial Planning and Kick-Off
The audit preparation begins with a proactive kick-off meeting, planned months in advance. Timelines are set, responsibilities are defined, and the applicable standards such as BSI C5 are explained. Participants typically include the decentralized security managers who serve as internal security contacts.
Decentralized Organization
Due to the size of IONOS, security responsibilities are decentralized. The central InfoSec team oversees and facilitates activities across the various business units. This keeps the organization agile and gives focused attention to the specific needs of each unit. The CM stressed the importance of clear communication and active stakeholder involvement.
Audit Preparation Tools
IONOS primarily uses a ticketing system to manage its internal control system for audits such as BSI C5. This system records compliance evidence and links each item to the relevant operational systems and documentation pages.
Evidence Management and Compliance Oversight
The ticketing system at IONOS operates on multiple levels: standard-based controls at the top, internal customized controls beneath them, and detailed evidence tracking via sub-tickets. A dedicated compliance team manages this process, monitoring evidence submission and escalating issues as necessary.
Final Audit Submission and Documentation
For BSI C5 audits, IONOS creates comprehensive documentation, including a Control Matrix exported from the ticketing system and extensive textual descriptions of products, organizational structures, and compliance measures. These documents can be lengthy and require careful attention. Once they are complete, everything is set for the final step: the external audit, which can be seen as “the icing on the cake” after such thorough preparation.
Challenges and Potential Improvements
The CM identified complexity and usability as the significant challenges in this structured, proactive approach to tackling complex cybersecurity certifications. The ticketing system’s multiple levels and cross-links can be difficult for employees outside the security team to navigate. Despite these challenges with the current tools, IONOS is eager to explore how innovative solutions such as EMERALD, seamlessly integrated with its existing systems, can further improve usability and efficiency for all teams involved.
Potential Role of AI Technologies
The CM noted AI’s potential to automate routine checks and streamline document creation, but expressed caution regarding accuracy. Errors in audit documentation pose significant risks, so careful manual review remains necessary.
Integration with EMERALD
Finally, the CM emphasized the importance of integrating EMERALD solutions with existing tools such as the ticketing system and the documentation tool. When asked whether he thought EMERALD could genuinely support the audit preparation process, he stressed the need for:
“Interfaces – to the ticketing system and the documentation tool! Because otherwise it doesn’t bring us anything; otherwise, we simply have a parallel tool that we don’t use. And I see that as the crucial question because every company has its own special tooling, and we use a specific ticketing system and documentation tool here as well.”
He stated that EMERALD would need robust interfaces to the current workflows in order to support IONOS’s audit preparation effectively.
Figure: Workflow Representation of the IONOS Audit Preparation Process
(Source: Deliverable 4.2 – Results of the UI-UX requirements analysis and the work processes)