Grundfos achieves success with ISO 27001 implementation

kaastrup|andersen’s experienced project manager and ISO 27001 specialist drive the project with an approach that focuses just as much on people and business processes as on technology. They know that achieving success requires more than simply selecting the right systems. It necessitates changes in Grundfos’ way of working, the defined roles and responsibilities, and, not least, changes in people’s behaviour.

A tailored project methodology:
Overall, the project manager from kaastrup|andersen uses PRINCE2 as the project framework. However, the project plan is largely built around the requirements of the ISO 27001 standard, taking into account the organisation’s level of information security, available resources, and, not least, the ambition level.

The goal of achieving certification by the end of 2024 requires a flexible plan, but strict control. Planning is a complex process that requires a deep understanding of Grundfos’ organisation, stakeholders, and business processes.

With a clear project plan, comprehensive stakeholder management, and continuous project risk management, the project manager from kaastrup|andersen, in collaboration with Grundfos, ensures that the solutions both meet the ISO 27001 standard and create real business value.

"It is absolutely crucial to the success of the project that we maintain a strong focus on people and change management to ensure that all employees understand the purpose of the ISO 27001 certification. The goal is to foster a culture where information security becomes a natural part of daily operations. Implementing ISO 27001 changes the way the organisation works, making it essential to ensure that all employees comprehend the purpose, rationale, and significance of these changes."

Peter Budolfsen
Senior Project Manager, kaastrup|andersen a/s

The preparatory work involves:

• Establishing an overview of the organisational context, including a stakeholder analysis and clarification of roles and responsibilities
• Forming a steering committee and developing a business case and project scope
• Conducting a GAP analysis
• Assembling a project team

The plan in brief:

• Establishing a risk management process and identifying information assets (assets)
• Conducting risk assessments and adjusting information security policies based on all 93 controls in the ISO 27001 standard
• Gradual implementation of policy requirements into business processes, ensuring flexibility in the plan and distributing the workload among key personnel over time
• Ongoing internal audits to evaluate the implementation effort and ensure proper prioritisation

"Establishing a project team and a steering committee in a complex organisation with distributed responsibilities is a challenging task. Roles and responsibilities often overlap across organisational units and management levels, resulting in an extensive stakeholder landscape and a correspondingly large steering committee with diverse interests."

Peter Budolfsen
Senior Project Manager, kaastrup|andersen

Multiple iterations

A task of this nature requires constant change readiness from the project manager and the organisation’s stakeholders, as well as revisiting previous assumptions and making adjustments accordingly.

This creates a need for:

• Continuous training and education for employees and managers
• Ongoing adjustments to governance, roles, and responsibilities both horisontally and vertically
• Continual adaptation of business processes and procedures

"We challenge Grundfos’ existing processes when necessary and provide honest and bold advice. Our goal is to deliver the best possible solutions that are both practical and value-creating."

Thomas Hæstrup
Senior Consultant, Specialist in the ISO 27001 standard, kaastrup|andersen a/s