ISMS Policy

1 Starting position and scope

Büchi Labortechnik AG certifies itself according to the ISO standard 27001:2013 and is committed to meeting these requirements. The scope of the certification includes the Flawil site, all employees in Flawil and the central IT/HR services operated from Flawil.

2 Information security goals

Büchi Labortechnik AG has set itself the following goals:

  • Appropriate protection of information in terms of availability, confidentiality, and integrity.
  • Compliance with legal, contractual and internal requirements in the area of information security.
  • Use ISO 27001 as an everyday tool for quality assurance and constant development of the company.

3 The ISMS of Büchi Labortechnik AG

The information security management system of Büchi Labortechnik AG documents all procedures and rules which serve to ensure the information security of Büchi Labortechnik AG towards its stakeholders. The ISMS is continuously communicated and trained at the appropriate level. The application of these rules is mandatory and binding.

4 Continuous improvement

The ISMS of Büchi Labortechnik AG is continuously reviewed and adapted to the current conditions. In the sense of continuous improvement, the competencies of all departments involved are constantly being further developed.

5 Organization and responsibilities

5.1 Executive Board

The executive board is the highest operational decision-making body of the company and delegates tasks, responsibilities and competencies in information security to the CISO.

5.2 Internal employees / General

All employees of Büchi Labortechnik AG who perform activities within the scope of the ISMS are responsible for information security in their specialist area. Superiors at all hierarchical levels are obliged to provide the necessary resources and skills. They are required to sustainably implement all necessary security measures within the scope of their area of responsibility. They shall instruct their employees and train them as required.

5.3 CISO

The CISO is responsible for the development and definition, monitoring, control & operation and continuous improvement of the ISMS. He reports to the executive board.

5.4 Asset Owner

Asset owners establish, document and apply rules for the acceptable use of information and values allocated to them.

5.5 Risk Owner

Risk Owners lead the information security risk assessment and treatment process for their assigned risks. They analyze and assess the risks and define appropriate measures.

5.6 Head of ICT

The Head of ICT is responsible for the strategy, operation, maintenance, optimization and modernization of ICT systems and business applications.

5.7 Head of Quality Management

The Head of Quality Management is responsible for monitoring, maintaining and optimizing quality standards and corporate processes.

5.8 Supplier Manager

The Supplier Manager is responsible for supplier management and supplier selection, delivery performance, delivery quality and development.

5.9 Head of Facility Management

The Head of Facility Management is responsible for the upkeep and maintenance of the buildings and infrastructure. This includes cleaning and physical access.

5.10 IT Enterprise Architect

The IT Enterprise Architect, together with the ICT- and the business-departments, define and develop the application landscape of the entire organization and regularly check its up-to-dateness and its further development, also for each new project that may have an impact on the application portfolio.

5.11 Service Desk Manager

The service desk manager determines the priorities in the service desk and controls all internal and external resources for a solution-oriented service desk.

5.12 External employees / employees of third parties

The regulations of Büchi Labortechnik AG in the context of information security also apply accordingly to persons who perform activities as external parties or employees of third parties within the scope of the ISMS and must be complied with by them.

6 Controls

Büchi Labortechnik AG checks information security in planned and regular intervals with internal and external audits. The results of these checks are incorporated into the continuous improvement process.

7 Sanctions

Büchi Labortechnik AG agrees with third parties on contractual penalties which can be claimed in the event of repeated or individual serious violations of the safety regulations and instructions. In such cases, the sanctions under labor law apply to internal employees.

8 Definitions of terms

8.1 Information Security

Information security refers to all measures that are ordered, implemented, checked and continuously improved to maintain the confidentiality, integrity and availability of information. These measures can be of an organizational, technical or structural nature, among others.

  • Confidentiality: ensuring access to information only for those authorized to access it.
  • Integrity: ensuring the integrity and completeness of information and its processing methods.
  • Availability: ensuring on-demand access to information and its associated assets for authorized users.
8.2 Information Security Management System (ISMS)

An ISMS is understood to mean:

  • All rules, procedures and processes within the scope of application that define, control, implement, verify, maintain and continuously improve information security.
  • Documentation is carried out using the ISMS framework, the controls of the SOA (declaration of applicability) and with corresponding policies, process overviews and other verification documents.
8.3 CISO (Chief Information Security Officer)

The CISO is responsible for information security within his/her assigned scope.