Information security with a system: Helvetia’s journey to an ISMS at scale

Bruno Freschi, Group CISO at Helvetia
About
Helvetia is a leading Swiss insurance group headquartered in St. Gallen. With around 14,400 employees, the company operates in multiple European markets as well as select international locations. Across its three business segments – non-life, life, and asset management – Helvetia ranks among the largest and most internationally active insurers in Switzerland.
Solutions
Information Security (ISMS)
Data Protection Management
“Working closely with Swiss GRC allowed us to combine our internal experience with their technical expertise. Through workshops with consultants and developers, we were able to design a solution tailored to our needs and implement an ISMS that continues to serve as a backbone of our organization today.”
– Bruno Freschi, Group CISO, Helvetia

Discover how Helvetia, in close partnership with Swiss GRC, established a group-wide Information Security Management System (ISMS) that not only ensures regulatory compliance, but also delivers transparency, efficiency, and sustainable governance across the organization.

Background and objectives

With approximately 14,400 employees worldwide, Helvetia is one of Switzerland’s largest and most internationally active insurance groups. Headquartered in St. Gallen, the company operates in Switzerland, Germany, Austria, Italy, Spain, and France, as well as in select international markets such as Liechtenstein and Singapore. Helvetia is active across three business segments – non-life, life, and asset management – making it one of the most broadly diversified players in the Swiss insurance market.

Few organizations have advanced as far as Helvetia in the area of information security. By implementing a decentralized ISMS that spans multiple business lines and international locations, Helvetia has set a benchmark for the industry. To realize this ambitious objective, Helvetia partnered with Swiss GRC to co-design and implement one of the most mature ISMS in the market – a system that combines centralized governance with localized execution.

The objectives were clear:

  • Ensure group-wide consistency while allowing for local adaptability
  • Comply with FINMA requirements as well as DORA and the EU GDPR
  • Align with leading standards such as ISO, NIST, and ISF
  • Establish a clear governance framework with defined responsibilities across group and local levels
  • Enhance efficiency and transparency through seamless integration and process automation

Implementation and collaboration

In addition to the core ISMS processes, Helvetia also integrated data protection and physical security requirements into the solution. Aligning information security with data protection is a recurring challenge for many organizations, because responsibilities, control frameworks, and regulatory requirements are often managed in silos. By embedding these domains into a unified system, Helvetia was able to reduce complexity, eliminate redundancies, and establish clear lines of accountability.

At the core of the solution is an asset-centric data model, capturing applications, IT services, platforms, and business processes. All changes, risks, and exceptions are linked directly to these assets, providing a flexible and scalable structure.

A hallmark of the program was its deep integration with existing systems, including:

  • LeanIX and ServiceNow for architecture and configuration data
  • Jira and Tempus for project and change management with embedded security approvals
  • SAP Ariba for supplier management and annual security assessments
  • Splunk for vulnerability and exception processes

The ISMS is operated in a dedicated Azure cloud instance managed by Swiss GRC. All data resides in Europe and is encrypted with Helvetia’s own keys – a decisive factor for compliance with Swiss data protection laws and the safeguarding of sensitive information.

Project challenges and solutions

Challenge | Solution approach
Complex group structure with international subsidiaries | Establishment of a governance framework with a Group Security Officer, Chief Security Officer, and local ISOs
Diverse regulatory environments | Alignment with DORA, GDPR, and international standards (ISO, NIST, ISF), adapted locally
Heterogeneous system landscape | Development of an asset-centric data model and integration of tools (LeanIX, ServiceNow, Jira, Ariba, Splunk)
Time-critical implementation | Interdisciplinary collaboration, pragmatic workshops, and close partnership with Swiss GRC
Balancing central governance with local responsibility | Combination of group-wide standardization and local execution through national ISOs

Key outcomes and benefits

By leveraging the GRC Toolbox, Helvetia has established a group-wide ISMS that today serves as a central management instrument – far exceeding the boundaries of pure compliance.

The key benefits include:

  • Compliance by Design: Regulatory requirements and standards systematically integrated
  • Operational Efficiency: Automated workflows and system interfaces reduce manual effort
  • Transparency: Dashboards and reports provide clear insights for management and business units
  • Future-Readiness: Continuous development with automated controls and integration of cloud security data

The ISMS has become not only a compliance mechanism but a strategic enabler of security, resilience, and sustainable corporate governance.
