Information security maturity audit & consultancy for CGM

Our team conducted an information security assessment of the products of a global medical software company and helped them build an application security framework based on OWASP standards
Customer:
Leading digital healthcare solutions provider
Information security assessment of the products of a global medical software company
  • Business need:

    CompuGroup Medical (CGM) wanted to make sure their application security state across all services was at a high level. This required inspecting over 200 services, so CGM was looking for an application security provider to run an extensive yet swift audit.

  • Result:

    As a result of our application security assessment, CGM gained a helicopter view of their security posture and got a detailed plan for improving the security framework. We also helped our Client build a transparent monitoring process on top of custom real-time security tracking tools.

Sigma Software helped us to identify improvement potential for our product security framework
Jochen Klein, CISO, CGM

Collaboration overview

Key Facts

CompuGroup Medical (CGM) provides top-tier medical software for healthcare businesses worldwide. The company was actively extending their offering with more services and wanted to make sure their information security compliance was high.

So, CGM engaged our IT security consulting team to conduct a complex audit, spot improvement areas, and help form a security optimization plan. We developed a custom approach to the audit, ensuring that the process fit the timeframes set by the Client.

  • Performed a two-stage application security assessment of 260 services, complementing those with a detailed summary of the findings and suggestions for best-practices integration
  • Reviewed CGM’s overall information security management framework and delivered a set of recommendations for its advancement
  • Established a reliable capability for continuous monitoring of the information security state across all CGM’s services and markets

We were looking for a process- and technology-agnostic methodology to assess different kinds of services (API, app, web, desktop, etc.) and cover the whole development lifecycle. Our information security consulting experts chose the OWASP SAMM, DSOMM, and ASVS standards to set tailored evaluation criteria for each service and its technical security controls.

As our team needed to assess hundreds of CGM’s services, we opted for a two-stage audit to shorten the assessment time-to-value: we thoroughly reviewed 60 critical services that handled sensitive data and prepared questionnaires to audit the rest swiftly.

  • Stakeholders’ self-assessment based on custom questionnaires and instructions provided by our experts to guide the Client’s team through the audit
  • Review and analysis of self-assessment results to prioritize services and select those that require additional inspection
  • Personal interviews and evidence checks with stakeholders to examine the security of prioritized services more deeply
  • Analysis of auditing results to prepare the infosec maturity report, including improvement areas and action points for refining information security compliance management of each service
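To make the prioritization step of the two-stage process concrete, here is an added illustration (not CGM's or Sigma Software's own tooling) of how self-assessment answers can be turned into a ranked list of services that merit a personal interview and evidence check. The questionnaire, the scoring rule, and the service data are constructed for the example; only the idea of mapping data sensitivity to a target OWASP ASVS verification level (L1 as the baseline, L2 for services handling sensitive data, L3 for the most critical) follows the standard itself.

```python
"""Risk-based triage of self-assessment results (added example).

Assumptions: a constructed five-question questionnaire, each question tagged with
the lowest ASVS level at which the control is required; answers are
"yes"/"partial"/"no"; a level counts as reached only if every question required
at that level is answered "yes"."""
from dataclasses import dataclass

# Target ASVS level by data-sensitivity class (class labels are constructed).
TARGET_LEVEL = {"public": 1, "internal": 1, "sensitive": 2, "critical": 3}

# Constructed questionnaire: (control question, lowest ASVS level requiring it).
QUESTIONS = [
    ("Authentication uses a vetted library; no custom crypto", 1),
    ("Input is validated server-side for all parameters", 1),
    ("Dependencies are scanned for known vulnerabilities in CI", 2),
    ("Security logging and alerting are in place", 2),
    ("Threat model reviewed within the last 12 months", 3),
]
ANSWER_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass
class Service:
    name: str
    sensitivity: str
    answers: list  # one answer per question, in QUESTIONS order


def validate(answers):
    """Reject malformed questionnaires before they distort the ranking."""
    if len(answers) != len(QUESTIONS):
        raise ValueError("expected one answer per question")
    unknown = set(answers) - ANSWER_SCORE.keys()
    if unknown:
        raise ValueError(f"unknown answers: {sorted(unknown)}")


def assessed_level(answers):
    """Highest ASVS level whose required controls are all answered 'yes'."""
    validate(answers)
    level = 0
    for lvl in (1, 2, 3):
        required = [ans for (_, q_lvl), ans in zip(QUESTIONS, answers) if q_lvl <= lvl]
        if not all(ans == "yes" for ans in required):
            break
        level = lvl
    return level


def coverage(answers):
    """Fraction of questionnaire controls in place (partial counts half)."""
    validate(answers)
    return sum(ANSWER_SCORE[a] for a in answers) / len(QUESTIONS)


def triage(services, interview_budget):
    """Rank services by the gap between target and assessed level (largest
    first), then by lowest control coverage. Returns (prioritised, deferred)
    name lists; only services with a positive gap consume the interview budget."""
    ranked = sorted(
        services,
        key=lambda s: (
            -(TARGET_LEVEL[s.sensitivity] - assessed_level(s.answers)),
            coverage(s.answers),
            s.name,
        ),
    )
    with_gap = [s.name for s in ranked
                if TARGET_LEVEL[s.sensitivity] - assessed_level(s.answers) > 0]
    prioritised = with_gap[:interview_budget]
    deferred = [s.name for s in ranked if s.name not in prioritised]
    return prioritised, deferred


# Constructed sample services (names and answers are made up).
SERVICES = [
    Service("patient-portal", "critical", ["yes", "yes", "partial", "yes", "no"]),
    Service("billing-api", "sensitive", ["yes", "yes", "yes", "yes", "no"]),
    Service("marketing-site", "public", ["yes", "no", "no", "no", "no"]),
    Service("hr-desktop", "sensitive", ["partial", "yes", "no", "no", "no"]),
]

if __name__ == "__main__":
    chosen, rest = triage(SERVICES, interview_budget=2)
    for s in SERVICES:
        print(f"{s.name:15} target L{TARGET_LEVEL[s.sensitivity]} "
              f"assessed L{assessed_level(s.answers)} coverage {coverage(s.answers):.0%}")
    print("interview next:", chosen)
    print("deferred:", rest)
```

The ranking deliberately looks at the gap to the target level before raw coverage: a service with many controls in place but handling critical data still outranks a low-sensitivity service with fewer controls, which is the same logic that justifies spending the in-depth review effort on the services carrying sensitive data.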


As a leading medical software company, CGM strongly focuses on information security. Thus, the final goal of the app security audit and consulting was not only to check the information security level of each service but also to optimize the entire security framework.

Therefore, our experts both conducted the audit and established the tools needed to enhance the Client’s IT security management framework and enable CGM to continuously monitor the effectiveness of their infosec initiatives.

  • Outlined the key security metrics that showcase the infosec maturity level across all CGM services
  • Developed a Power BI dashboard for real-time information security monitoring, historical data investigation, and emerging security trends tracking
  • Built a Power App enabling stakeholders to quickly update each service’s security state and keep the dashboard indicators current

Testimonials

Despite the tough timeline, Sigma Software was able to manage the project perfectly from a technical and organizational perspective. The potential for improvement identified will help us to further strengthen our security posture and protect our customers' data appropriately.
Jochen Klein, CISO at CGM

Collaboration with CGM was a rewarding yet challenging experience. We understood that a conventional method of auditing each service using the same criteria would be expensive, inefficient, and time-consuming. So, we chose a 'smart' approach for more efficiency and value. It allowed us to boost infosec awareness, pinpoint improvement steps after each audit, and provide accurate suggestions for general enhancements.
Liza Kopylova, Senior Project Manager at Sigma Software
