The ams OSRAM Group Management Board has defined a global Information Security strategy that is aligned with the company’s risk management and business strategy. The Information Security Management System (ISMS) is set up in accordance with the ISO 27001 standard.
As part of the overall Information Security strategy, the ams OSRAM Group has established a global Information Security organization that is coordinated by a Corporate Information Security Officer (CISO). The CISO reports directly to the Group’s Chief Information Officer and reports at least quarterly to the Management Board members in the “IT Board”, which is defined as the company’s “Information Security Committee”. Within the Management Board, responsibility for cyber and information security lies with the Chief Financial Officer (CFO), and within the Supervisory Board with the Technology Committee. Additionally, identified cyber security risks are managed as part of our Enterprise Risk Management and as such are supervised by the Audit Committee.
The ams OSRAM Group Management Board has issued Information Security and Data Protection guidelines which apply throughout the whole Group. The CISO directs and supervises the implementation of the information and cyber security management system (ISMS) globally. Mandatory information security and data protection training courses are designed to ensure that employees are familiar with the relevant security policies and procedures. Global awareness tests are performed periodically.
Our ISMS includes all relevant elements such as governance, risk management, information and system management, threat and incident management, and business continuity management. Threat and Incident Management is part of the ams OSRAM global Incident and Crisis Management. In addition, an emergency response service provider is under contract to assist in the event of a serious cyberattack.
ams OSRAM’s ISMS is continuously improved and its effectiveness is monitored by means of internal audits. At the same time, our ISMS is externally validated. All automotive production sites globally are verified at least to TISAX Level 2, and at least one to Level 3. This validates our global processes. ISO 27001 certification is ongoing and is expected to be completed in 2023.
In the area of data protection, a comprehensive data protection management system has been implemented, and globally applicable corporate guidelines ensure company-wide standards for handling personal data. Further refinement of data protection is promoted by actions that include training for all employees and the implementation of uniform technical and organizational measures, particularly when data are processed by external service providers.