The case for CSR/ Sustainability Reporting Done Responsibly


Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.

Home / case studies / Case study: How Ericsson promotes information security and privacy

Case study: How Ericsson promotes information security and privacy

Ericsson is a leading global provider of Information and Communication Technology (ICT) to service providers, with approximately 40% of the world’s mobile traffic carried through its networks. Accordingly, information security and the protection of personal data, focusing primarily on maintaining the confidentiality, integrity and availability of information while not hindering operations, is a top priority for Ericsson  Tweet This!.

This case study is based on the 2018 Sustainability and Corporate Responsibility Report by Ericsson published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ ESG/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Layout 1Abstract

As both the value of information and the capabilities of threat actors increase, information security and privacy have become issues of national importance globally and a key consideration for operations in Information and Communication Technology (ICT). In order to promote information security and privacy Ericsson took action to:

  • implement policies and directives
  • address privacy risks

What are the material issues the company has identified?

In its 2018 Sustainability and Corporate Responsibility Report Ericsson identified a range of material issues, such as anti-corruption, product energy performance, occupational health and safety, diversity and inclusion. Among these, promoting information security and privacy stands out as a key material issue for Ericsson.

Stakeholder engagement in accordance with the GRI Standards              

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The reporting organization shall identify its stakeholders, and explain how it has responded to their reasonable expectations and interests.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups Ericsson engages with:  

Stakeholder Group
Civil society
Non-govern­mental organisations (NGOs)
Industry partners
Gen­eral public

How stakeholder engagement was made to identify material issues

To identify and prioritise material topics Ericsson carried out surveys and dialogue with employees, customers, investors, and other stakeholders.

What actions were taken by Ericsson to promote information security and privacy?

In its 2018 Sustainability and Corporate Responsibility Report Ericsson reports that it took the following actions for promoting information security and privacy:

  • Implementing policies and directives
  • Ericsson’s Audit and Compliance Committee of the Board of Directors receives updates on cybersecurity at least twice a year, and includes security as part of its annual training. Information security and privacy incidents are reported through Ericsson’s Security Incident Management System (SIMS), and routed to the appropriate function for case handling. Ericsson has an established Security and Privacy Framework, to make sure issues are considered throughout the entire product lifecycle, and a set of Policies and Directives to establish the requirements for information security and privacy across the company. Ericsson’s Product Security framework includes a mandatory area of regulation specifically for security and privacy, applicable to all products. Ericsson also enforces a Crisis Management Directive, and has a Group Crisis Management Council, responsible for the handling of major incidents or crises that affect Ericsson.
  • Addressing privacy risks
  • The nature of Ericsson’s business, and of the data that its products transmit, requires the company to be at the forefront of data protection and information security. Ericsson has adopted a risk based approach for investment in cybersecurity and privacy. The potential impact on Ericsson’s brand, in terms of customer trust and market access, is weighed against the cost of implementing tools, processes and technology to make sure that Ericsson can protect its customers and data. Safe and secure telecommunications networks and services provide the foundation for Critical National Infrastructure such as national security and emergency coordination, healthcare, education and finance services. More secure networks require less downtime and unplanned maintenance, which increases trust in the infrastructure. Ericsson’s information security and privacy frameworks are designed to make sure its products and services are more resilient to attacks, and less likely to be impacted by unforeseen consequences. In 2018, Ericsson also launched a certification programme, Ericsson Certified Security Associate, and two training courses for all employees, Data Privacy 2.0 and Be Security Aware, which were completed by more than 83,640 and 82,060 employees, respectively. Ericsson’s Information Security Management System is certified to ISO/IEC 27001.

Which GRI Standards and corresponding Sustainable Development Goals (SDGs) have been addressed?

The GRI Standard addressed in this case is: Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data


Disclosure 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data corresponds to:

  • Sustainable Development Goal (SDG) 16: Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels
  • Business theme: Compliance with laws and regulations, Protection of privacy


80% of the world’s 250 largest companies report in accordance with the GRI Standards

SustainCase was primarily created to demonstrate, through case studies, the importance of dealing with a company’s most important impacts in a structured way, with use of the GRI Standards. To show how today’s best-run companies are achieving economic, social and environmental success – and how you can too.

Research by well-recognised institutions is clearly proving that responsible companies can look to the future with optimism.

FBRH GRI Standards Certified and IEMA approved Sustainability Course | Venue: London LSE

By registering for the next 2-day FBRH GRI-Standards Certified and IEMA approved Course you will be taking the first step in gaining the many benefits of sustainability reporting.



1) This case study is based on published information by Ericsson, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:


Note to Ericsson: With each case study we send out an email requesting a comment on this case study. If you have not received such an email please contact us.