Information Security
Trust through Protection
Protecting sensitive data and systems is of central importance to BCT. We apply the highest standards of information security to ensure the confidentiality, integrity and availability of information at all times – for our customers, partners and employees. Our technical and organizational measures comply with current legal and normative requirements. Through regular training and clearly defined processes, we promote a high level of security awareness throughout the entire organization. Our Code of Conduct provides an important foundation for responsible behavior and compliance with ethical and security-related standards. In this way, we create the basis for a relationship built on trust and long-term collaboration.
Your contact for information security:
B.A. Saskia Albrecht
Information Security Coordinator
BCT Technology AG
+49 7852 996-210
Saskia.Albrecht@bct-technology.com
Excerpt from Our Information Security Policy:
-
Guiding Principle and Importance of Information Security
The ideas and expertise of our employees form the foundation of our success. The availability of our facilities, equipment and systems, as well as our accessibility, reflects our reliability towards customers and business partners and makes a significant contribution to the good reputation of BCT Technology AG.
To protect these values, our company establishes a global and appropriate level of protection for the confidentiality, integrity (accuracy) and availability of our processes, information and systems. The declared corporate objective of effectively protecting key business processes together with the associated information assets and IT systems is achieved through the establishment of globally valid security standards and the integration of information security into internal processes. The defined information security objectives contribute directly to the achievement of the company’s overall objectives.
A constant awareness of information security in all day-to-day activities is expected from every employee. Every manager is obliged to ensure and monitor compliance with information security requirements by their employees. Any employee who identifies weaknesses in information security is required to report them to their manager or to the Information Security Officer.
-
Our Expertise, Our Advantage
Care and Accuracy in Handling Information
Need-to-Know Principle
Information may only be disclosed to persons and organizational units that require it to perform their tasks. All involved parties must be aware of the level of confidentiality of the information and for whom it is intended. This also applies to authorizations in IT systems and access rights.
Proper Handling of Documents and Data Carriers
The handling of documents and data carriers containing confidential information is a key aspect of information protection. Limiting the printing of sensitive information, securely storing documents and storage media in locked areas, and ensuring proper disposal are the responsibility of every employee.
Technical Security
The level of security can be significantly strengthened through technical measures. Targeted investments in security safeguards, as well as secure design of our IT systems and buildings, are therefore an integral part of our security strategy. Particular emphasis is placed on protecting our most critical and sensitive assets.
Personal Responsibility
Every employee is responsible for reporting weaknesses, suspicious situations and incidents. Knowledge of and compliance with defined requirements is considered a prerequisite and is expected of every employee.
-
Implementation
To ensure the implementation of information security requirements, the company operates an Information Security Management System (ISMS) based on the international standard ISO/IEC 27001. In addition, legal and contractual requirements are taken into account.
The ISMS follows the continuous improvement process recommended by the standard, based on the PDCA model (Plan, Do, Check, Act). The objective is to demonstrably and regularly ensure the adequacy, completeness, sustainability, effectiveness and efficiency of the implemented information security processes and protective measures.
PLAN – Establishing the ISMS:
The strategies, objectives, processes, policies, procedures, methods, tools and responsibilities of the ISMS are defined.
DO – Implementing and Operating the ISMS:
The defined processes, policies and procedures are implemented in accordance with the ISMS objectives. Selected measures are put into operation.
CHECK – Monitoring and Reviewing the ISMS:
Based on practical experience, audit results and management reviews, the processes, effectiveness and efficiency of the selected approaches and measures are measured and evaluated. The need for action and potential areas for improvement are identified.
ACT – Maintaining and Improving the ISMS:
Based on the results of the Check phase and other feedback (e.g. current risk situation, threat landscape, developments and requirements), corrective and preventive actions are implemented to achieve continuous improvement of the ISMS and the overall security level. The handling of security incidents is also part of this phase.
-
Management Responsibility
Executive management is responsible for information security within the company and commits to providing the necessary human, organizational and financial resources to establish, maintain and continuously improve an appropriate level of information security. As part of their management duties and role-model function, all managers bear particular responsibility for promoting information security and IT security awareness among their employees.
-
Final Provisions and Scope
This policy is supplemented by additional policies consisting of detailed organizational and security rules for selected areas, as well as country-specific and site-specific legal and organizational requirements. Unless otherwise stated, these policies have the same scope of application as this policy and become effective upon publication. The scope of the underlying Information Security Management System is centrally defined and documented in the applicable ISMS scope document.
Version 1, November 19, 2024




