
Business assets and suppliers

Introduction

We manage suppliers, cloud services, business assets, and physical access to ensure security and continuity. This includes supplier selection and monitoring, secure use of cloud services with defined responsibilities, controlled asset management, and restricted physical access to offices and data centers.



Detailed explanation


Supplier management (selection, contracting, and monitoring)

Supplier selection follows defined criteria, including security and privacy requirements, and a structured, risk-based process with formal management approval for selection, continuation, or termination.


As part of supplier selection, a risk-based due diligence questionnaire is used where appropriate to assess suppliers consistently. This covers topics such as security policies, access management, incident handling, and audit capabilities.


All suppliers are subject to assessment and monitoring, with critical suppliers structurally reviewed based on their importance for availability and continuity (e.g. as identified in the BIA and supplier overview). Non-critical suppliers may be evaluated when needed.


Information security for cloud services

We use SaaS and PaaS services with clearly defined and contractually agreed responsibilities between cloud providers and us, ensuring that controls such as access management, incident handling, and backup management are properly assigned and managed without gaps or overlap.


Cloud environments are securely configured, logically segregated between customers and internal environments, and systems are hardened in line with business and security requirements. Administrators follow internal guidelines for secure management.


Monitoring includes real-time dashboards, periodic SLA reporting, and agreed notification procedures for incidents, maintenance, and security testing.


Upon termination, data and assets are returned or securely removed in accordance with contractual agreements.


Management of business assets

Business assets are registered, managed, and tracked throughout their lifecycle in a central system (CMDB), ensuring ownership, traceability, and control.

Assets such as laptops, mobile devices, and keys are issued and returned through controlled processes. At end-of-life, assets are securely erased or disposed of via controlled channels.

Loss or theft of assets is reported and handled as a security incident.


Physical access to buildings and data centers

Access to offices and data centers is restricted to authorized individuals, supported by access controls such as keys, badges, or mobile authentication.


Additional measures, including surveillance, alarms, and visitor procedures, ensure that access is controlled and monitored. Visitors are registered and accompanied when accessing office areas.


Data centers are hosted in secure, professionally managed facilities with restricted access and certified security measures.

Updated: 31 March 2026
