This website uses cookies. View our cookie policy
United Kingdom
Select regional store:


Charityshare’s ISMS among first in UK charity sector to be certified ISO27001:2013-compliant

This case study reveals how IT Governance assisted Charityshare – a consortium IT venture, jointly owned by The Children’s Society, Alzheimer’s Society and AgeUK – achieve ISO27001:2013 certification.

Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on +44 (0)333 800 7000 to discuss your own ISO27001 consultancy requirements.

Formed in November 2004, Charityshare enables the charities to share operational IT services, reduce costs through economies of scale, increase return on precious charity funds invested in IT, and guarantees not-for-profit IT provision.

The company’s recent ISO27001:2013 certificate is further reassurance to their funding partners and the outside world that confidential data – which includes records pertaining to vulnerable individuals – are well-protected within the organisation’s information security management system (ISMS), and that the situation will be reviewed on a regular basis.


Charityshare’s Service Delivery Manager, Gary Smallman, a long-time advocate of ITIL-based continual service improvement (CSI) realised that Charityshare’s existing information security management system (ISMS) would meet many of the requirements of the then newly-published international standard for information security, ISO27001:2013.

Gary met with Charityshare’s Operations Board – which consists of the CIOs of the three charities that set up the joint venture, not-for-profit company – to discuss information security. The outcome was a formal recommendation to the Strategic Board – whose members include the CFOs of the same charities – that they should adopt ISO27001 to help protect data assets.

To assist in the process of adapting their existing processes to align with ISO27001 best practice, Gary also recommended that they hire expert consultants from market-leading professional services firm IT Governance Ltd, to ensure swift progress to certification. Both the Operations and Strategic Boards endorsed this engagement and work began on the project in 2013.


Gary explained why ISO27001 was considered a necessary step:

"All three of Charityshare’s equity partners manage a vast amount of sensitive personal data about vulnerable individuals – children, elderly people, people with disabilities – in addition to payment card and bank account details for their financial donors. We have always therefore taken the subject of data security very seriously, however, our ISO27001:2013 certificate proves that our information security management system follows industry best practice. Charityshare is one of the first organisations in both IT services and the UK Charities sectors to hold this prestigious certificate, gained with the expert assistance of IT Governance consultants.”

What attracted Gary to the international standards approach?

Click here to read more »


Nick Orchiston agreed an action plan with Gary and Mark Eagles, who was appointed to the role of information security officer. Mark’s role would involve liaising with the IS managers in each of the three charities as Charityshare began to address the 114 controls that the risk assessment process identified as necessary.

ISO27001 implementation proceeded according to the plan that Charityshare had agreed with Nick and, by early 2014, he was pleased with their progress against the set of target indicators.

Gary: “As we worked from the risk treatment plan, putting in place the controls, the documentation began to grow – perhaps faster than we realised at that stage. Nick drew attention in his report to the document repository as an area for improvement. With hindsight, I would say that this was the most valuable part of the service provided by IT Governance as it saved a great deal of time and cost. In fact, it really paid for their consultancy fees.

Click here to read more »


Charityshare’s ISMS team was able to devise a Statement of Applicability that met with the full approval of the external assessor. An auditor for The Audit People was satisfied that the not-for-profit, joint venture company had met all the requirements of ISO27001:2013 and approved their certification.

The company is among the first in the charities sector globally to gain ISO27001:2013, the version of the standard that was first published in September 2013 – a model for the others to follow.

Next Steps

Gary, Mark and the team at Charityshare intend to maintain their ISMS, continuing to provide a high degree of assurance to their partners and the donors supporting their good work.

Gary: “We will manage our ISMS in the same rigorous way that we manage our IT service management. Every laptop will be encrypted, the latest patching updates will be applied, and regular penetration tests will be carried out by external providers to provide us with evidence that our multi-layered defence in depth is working to protect the confidentiality, integrity and availability of our data assets.

“Charityshare will certainly be using IT Governance in future. Perhaps we may invite Nick and his colleagues to assist us with the work to turn our ITIL-based IT service management processes into an ISO20000-certified Service Management System? Or show Mark and me how to gain ISO22301 UKAS-accredited certification for our business continuity management system that will meet Government’s toughest requirements. One thing is certain: we will continue to rely on what we here believe is the best consultancy service for achieving ISO compliance. I recommend you do the same!”

Download this case study now

To get a PDF version of this case study enter your email address below and we will send you a copy straight away.

Just as we have helped Charityshare to achieve certified ISO27001 compliance on time and within budget, so we can help you.

Call us now on +44 (0)333 800 7000.