Information Security & Data Protection

Telecommunication services are becoming increasingly complex and therefore depend heavily on highly developed technical infrastructure. Software and hardware faults, human error, viruses, and hacker attacks can impair the quality of service or, in the worst-case scenario, lead to system failures. The ISO 27001 certification of the Information Security Management System (ISMS) used at Sunrise, together with the company’s business continuity management (BCM) plan, ensures that Sunrise services are of the highest standard and thus meet the needs of Sunrise customers.

The ISO 27001 certification has been confirmed by an external auditor and guarantees the highest quality standards within the company. This concerns the personnel-related and operational processes at all locations, the handling of customer data and customer messages, as well as the technical infrastructure and the services for processing, storing, and transmitting customer data and customer messages. The certification includes data from both private and business customers.

An actively maintained information security management system (ISMS) is one of the key requirements for managing information security effectively and efficiently. Our ISMS defines rules and methods to guarantee information security. The ISMS is process-oriented and follows a top-down approach beginning with corporate management, i.e. from the Audit Committee on behalf of the Board of Directors, via the Management Board and the ISMS Steering Board, led by the Information Security Officer, and ultimately to the employees. In particular, system maturity is evaluated using a regularly updated risk assessment. The Board of Directors' Audit Committee is updated on the status of the ISMS each quarter. The Internal Audit team regularly audits various areas to monitor compliance with the requirements. The ISMS Steering Board, which includes representatives from all business areas, meets at regular intervals several times a year.

Sunrise has developed security requirements for the implementation of appropriate measures, which are referred to as “policies,” “procedures,” and “guidelines.” Our information security policies also take into account data protection requirements. There is a lot of overlap between information security and data protection, and, where the information security policies do not take data protection requirements into account, an explicit data protection policy regulates the other specific aspects based on principles such as transparency, limitation of purpose, data minimization, correctness, integrity, confidentiality, and responsibility. Sunrise provides transparent information about the handling of personal data it receives (Data Privacy Statement). Compliance with information security and data protection requirements, especially the handling of sensitive data, which in data protection terms includes personal data, is a constantly evolving matter. We therefore ensure continuous improvement with the help of a four-phase process (Deming cycle: Plan, Do, Check, Act).

To keep all employees up to date, Sunrise conducts a mandatory annual awareness e-Learning session. This covers both information security and data protection. Additional awareness campaigns are carried out on a regular basis as required and depending on business role. Employees are also asked to actively assist by reporting security and data protection incidents; appropriate reporting channels are available. If they wish to report anonymously, they can do so via the whistleblowing portal. For handling incidents, Sunrise has established an incident process as part of its ISMS policies. Incidents classified as data breaches under data protection regulations are integrated accordingly. In the life cycle of the data within the company, the main topics are access to data (especially identification and authentication), lifespan of the data (especially pseudonymization, data backup, data destruction), data transmission (especially secure transmission, encryption), and the right of access (especially the right to information, data correction). These topics form part of current Sunrise policies, which ensures that sensitive data is tracked until it is deleted.

In view of growing challenges in the area of cyber security, Sunrise has centralized its security planning in a single Security Operation Center (SOC) in order to protect corporate and customer data even more effectively, efficiently, and with the necessary strategic priority.

In today's interconnected world, cyber security is always an important issue. Cyber risks can never be completely eliminated. Violations of security and data protection requirements cannot be ruled out either. This can lead to damage and loss of reputation, which is why Sunrise has also taken out a suitable cyber insurance policy.