Andreas Karl - Lead Auditor, ICT

Heidenheim an der Brenz, Germany

Experience

Mar 2023 - Present

2 years 5 months

Switzerland

Lead Auditor, ICT

Swiss Safety Center

Conducting preliminary audits, certification audits and assessments for ISO/IEC 27001:2013 and ISO/IEC 27001:2022, including related substandards 27017, 27018 and 27701 as a data protection standard
Conducting preliminary audits, certification audits and assessments for ISO 9001 in the assigned EAC areas
Managing the SSC’s ICT standards as a product manager

Dec 2022 - Feb 2023

3 months

Switzerland

Chief Information Security Officer, CISO

localsearch / Swisscom Directories AG

Overall responsibility for information security across all company divisions and locations
Strategic development and operation of the information security management system, closely aligned with the current ISO27001 standards family
Creation and implementation of security policies, and ensuring compliance as a governance function in the company
Identifying and classifying risk areas and deriving the required security level and protection needs
Defining and integrating standardized processes for capturing and assessing risks into business processes, support functions and IT service management processes

Jan 2016 - Nov 2022

5 years 11 months

Oberkochen, Germany

Director Data Protection

Carl Zeiss AG

Group Data Protection Officer for Carl Zeiss AG and the ZEISS Group (around 200 global legal entities)
Direct reports: 11 FTE
Functional reports: approx. 160 privacy coordinators worldwide
Overall responsibility for the global data protection management system across all divisions and locations
Development and implementation of policies, and ensuring compliance as a governance function across the group
Development and rollout of a data protection audit system valid in both process and line dimensions
Identifying and classifying risk areas and deriving the required data protection level and protection needs
Defining and integrating standardized processes for capturing and assessing risks into business processes
Integrating and embedding data protection requirements, with special focus on all end-customer markets
Designing and conducting data protection awareness measures
Risk assessment from a data protection perspective within projects (as part of the Project Management Office)
Recording, preparing and tracking incidents relevant to data protection
Advising top management on risk mitigation and avoiding data protection breaches and compliance adherence
Consulting on data protection in the program management of production digitization
Point of contact for all business groups and service companies on data protection matters
Leading group data protection and global data protection coordinators

Aug 2014 - Dec 2016

2 years 5 months

Oberkochen, Germany

Head of Information Security

Carl Zeiss SMT GmbH

Overall responsibility for information security across all staff divisions (production, IT, shopfloor IT, facility management) and locations
Strategic implementation of a cross-company information security management system, closely aligned with the current ISO27001 standards family
Creation and implementation of security policies, and ensuring compliance as a governance function across the group
Development and rollout of an information security audit system valid in both process and line dimensions
Identifying and classifying risk areas and deriving the required security level and protection needs
Defining and integrating standardized processes for capturing and assessing risks into business processes and IT service management processes
Integrating and embedding information classification, with special focus on all IP-relevant content (R&D, production and strategic innovations)
Ensuring compliance with ISO27001 and measuring the overall state of information security
Evaluating strategic progress along an information security maturity model
Designing and conducting security awareness measures
Risk assessment from an information security perspective within projects (as part of the Project Management Office)
Recording, preparing and tracking incidents relevant to information security, including forensics
Advising top management on risk mitigation in the product development process (avoiding patent blocks, know-how leaks)
Consulting on information security in the program management of production digitization
Owner of the ISMS and maintaining the risk register in the portfolio management of critical business processes

Jul 2011 - Jul 2014

3 years 1 month

Burgkunstadt, Germany

Head of Information Management

Baur Versand

Department head, service and operations
Direct reports: 26 FTE
Deputy IT manager/CIO
Head of 1st and 2nd level end-user support
Head of IT operations (7x24)
Head of software development (e-business)
IT service management and IT governance
Budget, technical and leadership responsibility (approx. 26 staff at 14 sites)
Implementation of a new logistics and ERP system (MS Navision)
Consolidation of subsidiaries (Unito, SPO, BFS)
Implementation of goods fulfillment for Amazon southern Germany, Croatia, Czech Republic
Modernization of IT organization, technology and processes
IT enablement for growth – target €1bn revenue

Jan 2007 - Jun 2011

4 years 6 months

Coburg, Germany

Chief Security Officer of the Brose Group

Brose Gruppe

Ensuring information security of all IT systems at the global staff level and locations for availability, confidentiality and integrity of data and systems
Covering legal or customer-specific IT security requirements (e.g. customer audits) and systematic reduction of identified risks (risk analysis and risk management)
Creation and implementation of IT security policies for the entire group, regular audits
Supporting IT functions in designing internal IT processes (e.g. change management) and deriving protection needs for IT systems and business processes (in cooperation with information owners)
Ensuring compliance with ISO27001 and measuring the overall state of IT security
Designing security awareness (for both IT staff and end users) and technical security reviews of projects (as part of the Project Management Office)
Secure integration and operation of external partners (joint ventures) or outsourced services
Early and comprehensive involvement of production equipment and manufacturing-related IT in the overall IT security view, Industry 4.0

Jan 2004 - Dec 2006

3 years

Coburg, Germany

Team Leader IT Service – Administration (5.5 FTE), Deputy Department Head IT Service (19.5 FTE)

Brose Gruppe

Jun 2001 - Dec 2004

2 years 7 months

Ludwigsstadt, Germany

IT System Administrator

Sparkasse Kronach-Ludwigsstadt

Interrupted by alternative civilian service

Jan 1998 - Jun 2000

2 years 6 months

Ludwigsstadt, Germany

IT System Administrator

Sparkasse Kronach-Ludwigsstadt

Sep 1995 - Mar 1998

2 years 7 months

Ludwigsstadt, Germany

Apprenticeship as a Bank Clerk

Sparkasse Kronach-Ludwigsstadt

Summary

over 25 years of experience in IT management, IT project management, data protection and information security
versatile industry experience, especially in industry (optoelectronics, automotive), trade/logistics, banking and insurance, as well as medical technology
COBIT5, with extensive experience in managing and organizing IT departments
PRINCE2, very experienced in international project management