Cyber security

The ams OSRAM Group Management Board has defined a global Information Security strategy that is aligned with the company’s risk management and business strategy. The Information Security Management System (ISMS) is set up in accordance with the ISO 27001 standard.

As part of the overall Information Security strategy, the ams OSRAM Group has established a global Information Security organization that is coordinated by a Corporate Information Security Officer (CISO). The CISO reports directly to the Group’s Chief Information Officer, with at least quarterly reporting to the Management Board members in the “IT Board”, which is defined as the company’s “Information Security Committee”. Responsibility for cyber and information security within the Management Board lies with the Chief Financial Officer (CFO) and with the Technology Committee within the Supervisory Board. Additionally, identified cyber security risks are managed as part of our Enterprise Risk Management and as such are supervised by the Audit Committee.

The ams OSRAM Group Management Board has issued Information Security and Data Protection guidelines which apply throughout the whole Group. The CISO directs and supervises the implementation of the information and cyber security management system (ISMS) globally. Mandatory information security and data protection training is designed to ensure that employees are familiar with the relevant security policies and procedures. Global awareness tests are performed periodically.

Our ISMS includes all relevant elements such as governance, risk management, information and system management, threat and incident management, and business continuity management. Threat and Incident Management is part of the ams OSRAM global Incident and Crisis Management. In addition, an emergency response service provider is contracted for the event of a serious cyberattack.

Our ISMS is externally validated. The ISO 27001 certification covers the global ISMS process of ams OSRAM. ams OSRAM’s ISMS is continuously improved and its effectiveness is monitored by means of internal audits. Besides the annual external re-certification as part of the ISO 27001 and TISAX certifications, Corporate Audit commissions at least one external verification audit of Information Security-related processes and procedures each year, e.g., tabletop exercises or simulated hacker attacks. At the same time, all automotive production sites globally are verified at least at TISAX Level 2, and at least one at Level 3.

In the area of data protection, a comprehensive data protection management system has been implemented, and globally applicable corporate guidelines ensure company-wide standards for handling personal data. Further refinement of data protection is promoted by actions that include training for all employees and the implementation of uniform technical and organizational measures, particularly when data are being processed by external service providers.
> Data privacy policy

Further links:

  • Certificates:
     > TISAX
     > ISO27001 - Premstaetten
     > ISO27001 - Munich
     > ISO27001 - Regensburg