In Säffle Municipality, a fragmented and person-dependent way of working has been replaced by a long-term structure for information security. Today, Säffle is equipped to take the next step in cybersecurity and NIS2.
Säffle Municipality is located in southern Värmland and has 15,000 inhabitants. Its main town is known as Sweden’s youngest city. Geography also has a clear impact on the municipality. Distances are long and resources are often limited. For civil servants, this creates a practical reality where they often need to take on several roles. The municipality’s limited size increases the need for structure — rather than the opposite.
The work with information security illustrates this clearly. Structure and close collaboration have been — and continue to be — crucial components as requirements increase. In Säffle, they have been essential for creating an overview and laying the foundation for long-term success.
Excel and scattered documents
Sometimes the first step is not to shift up a gear, but to pull the handbrake. And that is exactly what happened at the start of the systematic information security work in Säffle.
The person who pulled the handbrake was Lotta Holm, Business Developer at the Municipal Executive Office.
- The idea was to do everything using Excel and scattered documents. But it became clear to me that we needed system support to bring everything together. Otherwise, we would have ended up with separate documents and more silos. Having system support was crucial for being able to work strategically, says Lotta.
For Lotta, it quickly became clear that the work could not be built on loose documents and person-dependent follow-up. Creating structure and a long-term way of working required shared system support. The choice therefore fell on Stratsys’ information security module.

Lotta Holm, Business Developer, Säffle Municipality
Collaboration across municipal borders
Lotta already had a central role in Säffle’s development work. In a smaller municipality, where many employees share areas of responsibility, her broad operational insight became a strength.
Since 2019, she has led and coordinated the municipality’s work with information security. Her responsibilities have included everything from governance and training to incident management and follow-up.
The starting point for the systematic work was a joint collaboration between the neighbouring municipalities of Arvika, Eda and Årjäng. The municipalities shared the information security function by recruiting a joint information security coordinator.
However, the work truly gained momentum when an audit identified clear shortcomings in the Municipal Executive Board’s information security work. The review provided both support and direction for the next step.
The work shifts into rocket mode
The work now increased in intensity. The municipality moved into project mode. As Lotta herself describes it: rocket mode kicked in.
What followed was a year in which the basic structure was built, with governing documents, training, risk work and routines for incident management. The work was centred around the implementation of Stratsys’ information security module, which became the hub for building the municipality’s information security management system.
This was also where the Build ISMS project took shape. It was a change initiative aimed at establishing the basic structure for the municipality’s information security work. Data protection and information security were brought together in a shared organisation, while governing documents, training, risk work and incident routines were established in parallel.
The core of Säffle’s work became the implementation of Stratsys’ information security module. The product was used as the foundation for building the municipality’s information security management system.
- Our entire implementation and the way we built our ISMS were based on Stratsys’ information security module. It became the foundation for the whole structure and for how we still work today. It makes a big difference in practice, says Lotta.
A clear governance model
An important aspect was to ensure that the work did not become a temporary initiative. It needed to become part of Säffle’s regular governance. A decision was therefore made to move from project to management.
Instead of starting from scratch ahead of NIS2, the municipality chose to build on the existing structure. Governing documents, routines, templates and system support formed the basis for the next stage of development. The focus was on developing what was already in place.
- We have many modules in Stratsys, but since everything follows the same structure, users recognise the way of working. It creates a common thread throughout the entire process, even for infrequent users. Having everything gathered in one place is a major advantage, says Lotta.
With Stratsys as the foundation, the municipality also gained a completely different overview of the ongoing work.
- The risk matrices help us clearly show management which risks exist if we do nothing, compared with what happens if we take action. They have become a practical support for visualising risks, prioritising the right measures and creating alignment across the organisation. At the same time, the overview is invaluable for me as coordinator, says Lotta.
Courage, commitment and structure
Säffle has a clear picture of its current situation. This provides a concrete foundation for prioritising the next steps and continuing to build on the structure already in place.
- For us as a smaller municipality, the structure and overview are valuable. Being able to quickly compile information from across the organisation would have been much more difficult without Stratsys. In addition, the support from Stratsys has been incredibly important. They are fast, flexible and very accommodating. We can build a lot ourselves, but we know that help is always available when we need it. That has made a huge difference for us, says Lotta.
Perhaps that is where the most important lesson lies. Information security work is never finished. It is about building, step by step, a structure that holds over time as new requirements and new risks emerge.
Säffle has shown that even a smaller municipality with limited resources can create a long-term and systematic way of working. Most things are possible when there is the courage to get started, a willingness to keep building — and a structure that holds over time.