
Maflow: Implementation of the ISO 27001 standard

Compliant with VDA, without additional audits

The implementation and certification of an information security management system compliant with ISO/IEC 27001 is an opportunity to put processes and procedures in order, to create effective protection against the loss of information, and to build awareness among employees. For the automotive industry there is a further incentive: the standard's controls for protecting prototypes and customer data are compatible with the VDA requirements recognized by car manufacturers such as VW and Audi.

Prototypes, customer drawings, component price lists, restrictive provisions in contracts with counterparties, access to customers’ portals, a five-level classification of information, computers controlling production machines, access control to plant premises, the manufacturing network, mobile devices, data entrusted to suppliers and subcontractors, the company’s image, awareness among production employees, design, prototyping, monitoring, a laboratory, business continuity, know-how, technical documentation, competition… Maflow faced all of these challenges during the project to implement an information security management system (ISMS) compliant with ISO/IEC 27001.

Maflow, one of the leading manufacturers of hoses for air conditioning systems, power steering systems and active suspension systems for the automotive industry, has been a regular supplier for major automobile companies for many years. The company has nine plants located in seven countries on three continents.

Why ISO 27001 in the automotive industry?

VDA – this abbreviation is well known to all suppliers of the Volkswagen Group, BMW, Ford, Mercedes and other car brands. The Verband der Automobilindustrie (VDA), the German Automotive Industry Association, is an organization with more than a hundred years of history and a very good reputation, bringing together more than 500 companies employing a total of over 700 thousand people. VDA focuses its activities on standardization, development and research in the automotive industry. Its members are not only the companies with plants in Germany that produce the final product, but first of all the manufacturers and suppliers of parts and components for the automotive industry.

Suppliers that want to cooperate with the biggest car manufacturers are obliged to meet the requirements of VDA. One of them is the protection of prototypes and customers’ data. This protection is comprehensively provided by ISO 27001 (see www.vda.de/en/downloads/693/, Prototype Protection: “The framework requirements for product security were drawn up on behalf of the VDA Working Group ‘Integral Information Protection with IT Security, Prototype Protection and Risk Management’. These requirements are intended to act as a basis for product protection in the German automotive industry and to complement the requirements set down in ISO 27001.”).

The ISO 27001 standard has one more huge advantage, especially important for companies that, like Maflow, cooperate with Volkswagen or Audi. These manufacturers consider a valid ISO 27001 certificate as proof that the supplier properly protects the information entrusted to it. This, in turn, exempts the supplier from a costly audit carried out by VW and Audi themselves.

A sample fragment of the VDA questionnaire: Information Security Assessment based on sections of the ISO 27001 standard

In symbiosis with other systems

In Maflow, the implemented standard covered the Polish branch of the company: a plant in Tychy and two plants in Chełmek. The work started in November 2013 and ended in July 2014.

The ISO 27001 implementation project began with defining its objectives and identifying the processes to be covered by the information security management system (ISMS). In addition, it was necessary to take into account the integration of the ISMS with the other management systems in the company, including ISO/TS 16949.

The ISO/TS 16949 standard, which sets quality system requirements for products in the field of design or development, production, installation and maintenance in the automotive industry, also imposes information security obligations on the supplier. Sample sections of this standard are as follows:

  • 4.2.3.1 Technical documentation;
  • 4.2.4.1 Record keeping – The control of records should comply with laws and regulations as well as customer requirements;
  • 7.1.3 Confidentiality – The organization should ensure the confidentiality of products ordered by the customer and projects developed to the customer’s order, as well as related product information;
  • 7.3.6.2 Prototype program – If the services are performed by an outside party, the organization remains responsible for them, including for the technical management;
  • 7.5.4 Customer’s property – It may include intellectual property and personal data.


Our security and the security of our customers
In Maflow, we treat the ISO 27001 certification as an investment in our security and the security of our customers. The operation of the company in accordance with this standard allows us to “sleep well” and to focus on the most important aspects of the business. Customers appreciate our commitment to security, which results in increasingly better cooperation in all fields and at all levels.
The Information Security Management System has allowed us to systematize and standardize many areas of the company’s operation. For Maflow, ISO 27001 means not only procedures and technical safeguards. From our point of view, it was vital to build among Maflow employees the belief that information security has an important role. I am glad that now this awareness is shared throughout the organization, because the system does not concern IT only. We often forget that IT is an important, but not the only, area in which care for information security is of great importance.
I appreciate the commitment and professionalism of the team of BCC. In the future, we will continue to benefit from their support. Now we focus on maintaining the certificate and making the standard “well-established” in our units; however, further development of the system is the next step, which is for us an obvious consequence of the first one.
Bartłomiej Irczyk, IT Director, Maflow Group

Phase by phase

Following the establishment of a project team and an information security management forum (ISMF), the scopes of their duties were determined. The project schedule was divided into four phases.

In the first phase, the following products were prepared:

  • a pre-audit report,
  • system procedures,
  • an information security policy,
  • the scope of ISO/IEC 27001 ISMS,
  • an ordinance establishing the ISMS forum,
  • an ordinance appointing a representative of ISMS,
  • a training plan.

The deliverables of the second project phase are:

  • a procedure of classification of information and assets,
  • templates of identification of information and assets,
  • a risk management procedure,
  • a risk matrix,
  • a risk treatment plan.

The third phase included testing the processes through audits, corrective and remedial actions in the individual Maflow units covered by the implementation, as well as presenting the ISMS to all members of the organization and training them in the use of the implemented system. The deliverables of the third project phase are:

  • a declaration of applicability,
  • operational procedures, policies and instructions for individual domains:
    • A.5 Security policy,
    • A.6 Security organization,
    • A.7 Asset management,
    • A.8 Security of human resources,
    • A.9 Physical and environmental security,
    • A.10 Management of communication and operations,
    • A.11 Access control,
    • A.12 Acquisition of information systems, their development and maintenance,
    • A.13 Incident management,
    • A.14 Business continuity management,
    • A.15 Compliance with law.

In the fourth, last phase of the project, the following documents were prepared:

  • a plan of internal ISO/IEC 27001 audits,
  • a report on internal ISO/IEC 27001 audits,
  • certificates of an internal ISO/IEC 27001 auditor,
  • training plans and evaluations,
  • an ISO/IEC 27001 review report.

The culmination of the project was the certification audit, which took place on July 22-25, 2014. The audit was conducted by the certification body TÜV Nord Poland. The ISO 27001 certificate proves to Maflow’s customers that the company applies a strict information security policy and that the care for the sensitive data entrusted to it is a priority.

Maflow is one of the leading manufacturers of hoses for air conditioning systems, brake systems, power steering systems and active suspension systems for the automotive industry. Its products are delivered to the world’s largest automobile companies, including the Volkswagen Group, Renault Nissan, Jaguar Land Rover, PSA Peugeot Citroën, Volvo, BMW and Fiat-Chrysler, and to truck manufacturers such as Volvo Truck, Renault Truck, Scania and DAF Trucks. Since 2010, the owner of the Maflow companies in Poland, France, Spain and Italy, and of the plants in Brazil, China and India, has been the Boryszew Group.