Skip Ribbon Commands
Skip to main content

COWI Upgrades its IT Security

​​By journalist Klavs Andersen


The consulting group COWI is upgrading to combat cybercrime through an ISO 27001 project. In this way, the group will strengthen its IT security and ​competitive power.​

Because security threats from cyber criminals have escalated considerably, COWI decided to thoroughly review its IT security structure with a view to obtaining ISO 27001 security certification. The decision was made at this time because COWI’s CISO (Chief Information Security Officer) of many years was reaching the age of retirement. In the initial phase of the project, NNIT carried out
a strategic security assessment.

“We realized that ISO 27001 certification would strengthen our entire IT security structure. To an increasing extent, some of our clients, particularly in the private sector, were making inquiries and demands about our IT security and information
policies,” CIO Claus Hagen Nielsen explains and adds: “Moreover, the threat picture is very different from and much more serious than what it was only two years ago, and an efficient safeguard against these security threats becomes increasingly complex.”​

External Partner Accelerates the Project​

COWI decided to include a third party to accelerate the certification project. And this third party was NNIT.

“I required an external partner to work on the inside of our firewall and assist in the analysis of our maturity in relation to IT security and clarify what was needed in order to carry through the ISO project,” Claus Hagen Nielsen explains.
NNIT already handles the operation of COWI’s high-risk IT systems and, therefore, has detailed knowledge of the company’s IT structure and business. Moreover, NNIT has extensive experience in the development of strategic IT security assessments for a number of companies. Claus Hagen  Nielsen points out that it was a natural choice to hire NNIT for the job instead of bringing yet another supplier into the picture:
“We have a close cooperative partnership with NNIT on a daily basis and found that they had all the necessary skills to carry through the project and handle the implementation.”​

Specific Recommendations

The ISO project is carried out as a “lean” project with a project group that only involved a few consultants from NNIT and a few employees from COWI’s IT organization. In connection with the project, NNIT has applied interviews with the employees to uncover the maturity of COWI’s IT security.
The job involved more than just performing a gap analysis. The job also involved consultancy services to COWI regarding the future security structure and the integration of security in the organization.

The project resulted in a report with a number of specific recommendations that have been followed to a wide extent in the further process, Claus Hagen Nielsen points out:

“NNIT advised us to intensify the governance of our IT security by establishing a management forum for information security. It is difficult to find CISOs and even harder to retain them. Instead, we have decided to place this responsibility with our BPM Board (Business Process Management) that reports directly to the management team. With the assistance of NNIT, we have hired an IT Security Officer and, by placing the strategic responsibility with the board and the tactical and operational responsibilities with the IT Security Officer, we ​ have integrated security in our organization and
avoided depending on individuals,” Claus Hagen Nielsen explains and adds:
“Moreover, we were advised to speed up the ISO project. However, this turned out to be difficult because the scale of the project was larger than we had anticipated. However, we are fully focused on the project and we take these recommendations very seriously. We expect to obtain ISO 27001 certification by the end of 2016.”

Parallel Projects

Based on the recommendations of the report, COWI has launched a long desired project on Identity and Access Management, which will be ready in the fall. In addition to this, a new IT policy and an accompanying manual have been prepared. Claus Hagen Nielsen also emphasizes a project that should improve the management of COWI’s internal processes regarding personal data and ensure that the group is able to meet the new personal data requirements from the EU. Finally, he points out that COWI will implement a Security Awareness program in relation to the business as
a part of the ISO project.

The Goals Have Been Reached – Even Beyond Expectations

COWI has achieved substantial results from the cooperation with NNIT:
“We have reached the goals that were set for the project. We have a clear picture of how we protect COWI against cybercriminal threats and we have identified our focus areas and planned the executioof the tasks,” Claus Hagen Nielsen says.
With ISO certification, COWI will also benefit commercially, according to Claus Hagen Nielsen:​
“It is not standard for companies in our line of business to be ISO certified in IT security and, therefore, we will also benefit from the project from a competitive point of view. Our project deliverables are ISO certified, but it is also natural to perform quality assurance of the IT systems, ​ as all client cooperation is stored as data today and this makes the IT systems the internal backbone of our deliverables,” he points out and adds:

“When we get inquiries from clients regarding our 
IT security, we will now be able to give them a clear answer. To us, it is a question of delivering the best possible quality within all our business areas - including IT.”​





Torsten Bielefeldt Schlägelberger+45 3075 5117tbsh@nnit.comVice President Bielefeldt Schlägelberger



Application Security Security
Cyber Defense Center Defense Center
Identity & Access Management & Access Management
The Fine Art of Aligning Business Strategy and Information Security Strategy Fine Art of Aligning Business Strategy and Information Security Strategy
​​​Building a sustainable defence: How to secure your operational technology (OT) environment​​​​Building a sustainable defence: How to secure your operational technology (OT) environment​
Breach Preparedness Preparednes.aspxBreach Preparedness
Control Your Security & Privacy in the Cloud Your Security & Privacy in the Cloud
NNIT Security Insights Security Insights
Identity and Access Management Consultancy and Access Management Consultancy
Risky Business? Business?