Particularly in high-growth industries with increasing internationalisation, such as the pharmaceutical industry, corporations today face the challenge of setting up their information security governance in such a way that it meets the associated risks and challenges. PHOENIX Pharmahandel GmbH & Co KG ("PHOENIX") recognised these risks at an early stage. In January 2021, PHOENIX therefore launched a project with the support of usd AG to establish a group-wide information security governance and a centrally controlled information security management system (ISMS). A special focus was placed on the integration of the ISMS with the data protection and data security system.
"The information security governance created by usd AG perfectly suits the strategy of the PHOENIX group by allowing decisions to be made as locally as possible. True to our motto »Think together global - act local!«."
Dr. Roland Schütz, Member of the Board IT & Digital of PHOENIX group
Paving the way for information security, establishing governance structures
The newly created governance has already been successfully established at group level so that the decentralised implementation projects can now be carried out in all countries. In the PHOENIX subgroup Germany, usd AG is supporting the implementation very intensively through targeted communication and training measures.
"Establishing a functioning policy governance throughout Europe: This was the basis for our efforts to successfully advance information security in the PHOENIX group. It was particularly important for us to involve the management from the very first step - and at the same time it was a challenge. Of course, this meant taking into account the concerns of the various countries, the different levels of maturity in the various companies, as well as cultural and other local aspects in the heterogeneous PHOENIX group."
Andrea Rupprich, Managing Consultant at usd AG
Integrated approach: information security and data protection
A decisive success factor and the key to the establishment and operation of the group-wide ISMS was to create a central governance body. For this purpose, PHOENIX established the Competence Centre for Information Security and Data Protection with the support of usd AG. Under the leadership of the Chief Information Security Officer and the Head of Corporate Data Protection of the PHOENIX group, the Competence Centre operates at group level and is responsible for the governance process there. As an »Enabler«, the Competence Centre promotes the exchange within the information security and data protection community, joins forces and thus creates synergy effects.
Establish, operate and actively live a tailored ISMS
"The smooth cooperation with usd AG quickly produces very good results. Above all, the implemented governance approach contributes to the success of the project. The countries also report back positive feedback."
Daniel Hofmann, CISO at PHOENIX group
In order to establish a new ISMS that is perfectly tailored to the needs of the PHOENIX group, new policies, policy templates and support kits for the implementation of all information security and data protection measures within the meaning of Art. 32 GDPR were first created. Together, all these components form a group-wide »Security Baseline« that enables the respective PHOENIX countries and companies to be certified according to ISO/IEC 27001:2013. The policy templates can be adapted at country level to local conditions and local regulations.
Manageable erasure concepts for the protection of personal data
Alongside the activities relating to the ISMS, the project team also took on the challenge of establishing erasure concepts in a structured and practical form within the group - an important building block for complying with the requirements of the General Data Protection Regulation (GDPR). This is because companies must delete personal data when the purpose of data processing no longer applies. This is known as the purpose limitation principle.
Although the procedure used in the project was based on DIN standard 66398, a special focus was placed on the simple handling and structured nature of the concepts. To ensure the applicability of the erasure concepts, the entire process was successfully piloted in the PHOENIX subgroup Germany.
Communication and training as a success factor
In addition to the development and provision of all necessary documents, the accompanying communication is another success factor in the project. The local contacts for information security and other relevant stakeholders at group level are offered various workshops on information security topics. The focus here is on creating an understanding of the individual topics, highlighting the benefits of the support kit and potential synergy effects, and promoting exchange - for example on specific implementation issues - to achieve the best possible local implementation of the requirements.
Reaching stakeholders through offers tailored to the target group
Parallel to the activities at the group level, usd AG also supported and significantly advanced the implementation of the ISMS in the PHOENIX subgroup Germany. For example, the project team provided support in the context of coordination with relevant interest groups in the German subgroup as well as in the adaptation of documents to specific conditions applicable in Germany. The approval process for new guidelines was also supported, for example by preparing management presentations. After approval by top management, the guidelines were communicated as part of the project and appropriate training sessions were held with all relevant stakeholders. Selected guidelines and topics are continuously communicated, for example, in consultation hours or by providing FAQs. This creates a clear point of contact for unresolved questions, while at the same time channeling the efforts associated with the questions and thus keeping them to a minimum. Ultimately, all stakeholders can benefit from the question-and-answer formats, as the business units often deal with similar questions.
"We are aware that an ISMS must be actively practiced throughout the entire organisation and that the necessary security awareness must prevail in the business units in order to be effective. For this reason, we invest a great deal of effort into communication and awareness measures on information security topics."
Niklas Bessler, Senior Consultant at usd AG
About the PHOENIX group
The PHOENIX group, headquartered in Mannheim, is the European leader in pharmaceutical wholesale, pharmacy retail, and services for the pharmaceutical industry. With a presence in 29 healthcare markets, the company offers unique geographical coverage throughout Europe, making a vital contribution to comprehensive healthcare with more than 45,000 employees.
The PHOENIX group is active in the pharmaceutical wholesale and pre-wholesale business areas with 224 sites in 29 countries supplying pharmacies, doctors, and medical institutions with medicines and health products. Numerous other products and services for pharmacy customers complete the portfolio – from assistance in advising patients to modern goods management systems to pharmacy cooperation programmes. More than 17,000 pharmacies in 18 countries are members of one of the PHOENIX group’s partnership and cooperation programmes. The company provides services to the pharmaceutical industry along the entire supply chain. The PHOENIX group also operates over 3,200 of its own pharmacies in 17 European countries, in which more than 195 million patients per year receive expert advice from pharmacists in addition to their medicines.
Further information about the PHOENIX group | www.phoenixgroup.eu
