Charityshare’s ISMS among first in UK charity sector to be certified ISO27001:2013-compliant
This case study describes how IT Governance assisted Charityshare – a consortium IT venture jointly owned by The Children’s Society, Alzheimer’s Society and AgeUK – to achieve ISO27001:2013 certification.
Formed in November 2004, Charityshare enables the charities to share operational IT services, reduce costs through economies of scale, increase the return on precious charity funds invested in IT, and guarantee not-for-profit IT provision.
The company’s recent ISO27001:2013 certificate gives its funding partners and the outside world further reassurance that confidential data – including records pertaining to vulnerable individuals – is well protected within the organisation’s information security management system (ISMS), and that this protection will be reviewed on a regular basis.
Charityshare’s Service Delivery Manager, Gary Smallman, a long-time advocate of ITIL-based continual service improvement (CSI), realised that Charityshare’s existing ISMS would already meet many of the requirements of the then newly published international standard for information security, ISO27001:2013.
Gary met with Charityshare’s Operations Board – which consists of the CIOs of the three charities that set up the not-for-profit joint-venture company – to discuss information security. The outcome was a formal recommendation to the Strategic Board – whose members include the CFOs of the same charities – that Charityshare should adopt ISO27001 to help protect its data assets.
To assist in adapting their existing processes to align with ISO27001 best practice, Gary also recommended hiring expert consultants from the professional services firm IT Governance Ltd, to ensure swift progress to certification. Both the Operations and Strategic Boards endorsed this engagement, and work on the project began in 2013.
Gary explained why ISO27001 was considered a necessary step:
“All three of Charityshare’s equity partners manage a vast amount of sensitive personal data about vulnerable individuals – children, elderly people, people with disabilities – in addition to payment card and bank account details for their financial donors. We have always therefore taken the subject of data security very seriously; however, our ISO27001:2013 certificate proves that our information security management system follows industry best practice. Charityshare is one of the first organisations in both the IT services and UK charities sectors to hold this prestigious certificate, gained with the expert assistance of IT Governance consultants.”
What attracted Gary to the international standards approach?
“I am a firm believer in processes, procedure and structure. Throughout my career, I have adopted ITIL best practice to ensure that there is a process in place for everything that we do. Continual process improvement is the key to business success. No matter how good your ideas, you need a system to make them work – and this is the stumbling block that leads to poor performance. Process improvement is greatly underestimated.
“As soon as IT Governance’s consultant, Nick Orchiston, walked us through the outline of ISO27001 procedures and controls, I was at home with the Standard. My ITIL training and experience, combined with PRINCE2 project management methodology, has really helped me to build an effective management structure at Charityshare – the value of which is evident in the scale of our enterprise and the support that we have from big name partners.
“ISO’s aim and expectation is clearly that each of its International Standards represents a worldwide consensus regarding best practice – in the same way that the ITIL Library and PRINCE2 are champions of best practice and have evolved over the years to meet changing conditions. ISO27001 is certainly no exception.
“I looked at the new version of ISO27001 which I bought from IT Governance – that is, ISO27001:2013 – and saw in the Standard evidence of very positive developments. I particularly liked the changes with regard to risk assessment. For example, you need to identify risk owners for each risk. We have always made our decisions at Charityshare on the basis of proper risk assessments. It’s vital that managers take responsibility for their areas of risk. What’s the point of evaluating a risk if there’s no-one to do what’s needed to mitigate that risk? And as I stated earlier, we have some serious information security risks to take account of.
“IT is now a critical part of any charity’s business. Charityshare provides a focused, leaner entity to enable more of the revenue from donors to go to the work of the charity instead of overhead. We have to balance the need to provide savings with the risks of handling so much data, so risk management is part of our DNA.
“In ISO27001:2013 the risk owners must accept the residual risks and approve the risk treatment plan – which fits the way we work. Treatment options in the 2013 revision are not limited to applying controls, accepting risks, avoiding risks and transferring risks, as they were in the 2005 revision – basically, you are free to consider any treatment option that is appropriate. Once again, that’s how we work: risk treatment plans are prepared by the risk owners, who include the three charities that own Charityshare. Risk management has taken over the role of preventive actions.
“It suffices to say that ISO27001:2013 was perfect for our situation and because of the way that we already worked we were 95% of the way there. What we needed from IT Governance was a management review of our existing processes and controls, followed by step by step advice on the most effective means of transitioning what we had to the requirements of the Standard.
“The scope had to include the operational aspects of the three charities, so this review was a sizeable one in the circumstances. However, we were genuinely impressed at the dedication of the IT Governance team led by Nick.”
Nick Orchiston agreed an action plan with Gary and Mark Eagles, who was appointed to the role of information security officer. Mark’s role would involve liaising with the IS managers in each of the three charities as Charityshare began to address the 114 controls that the risk assessment process had identified as necessary.
ISO27001 implementation proceeded according to the plan that Charityshare had agreed with Nick and, by early 2014, he was pleased with their progress against the agreed target indicators.
Gary: “As we worked from the risk treatment plan, putting in place the controls, the documentation began to grow – perhaps faster than we realised at that stage. Nick drew attention in his report to the document repository as an area for improvement. With hindsight, I would say that this was the most valuable part of the service provided by IT Governance as it saved a great deal of time and cost. In fact, it really paid for their consultancy fees.
“It’s not that we were doing anything wrong. Rather, Nick saw ways of reducing the total effort of maintaining three sets of records for each of our three partner charities, removing the duplication that was creeping in. He helped us to devise a better template and fostered our adoption of the intranet document centre that was praised by the external assessor for ISO27001.
“It’s important to stress just how important this help was to us. Every employee of Charityshare is an employee of all four companies: AgeUK, Alzheimer’s Society, The Children’s Society and Charityshare itself. In a sense, we were used to quadruple vision, which could have been a significant drawback in terms of the ISO27001 documentation that we thought would be needed. In the same way that IT Governance helped us to bring together a multidimensional risk model that includes the strategic and business risks of our partners, Nick was able to streamline our thinking about what we needed to document in a single system.
“The result worked very well for us indeed. A model of integration!”
IT Governance supplied Charityshare with an ISO27001:2013 Documentation Toolkit, which Gary and Mark purchased in 2014. To quote Mark:
“The IT Governance ISO27001:2013 Toolkit was a very valuable source of ISMS document templates that saved us a great deal of time, money and effort. Along with the help provided through Management Workshops that put us through our paces and tested our assumptions, the support materials were a key part of our success.
“If I had to do the whole thing over again, I would call in IT Governance and buy their Toolkit. From day one, I knew that Nick would get us through the hoops. The confidence that his involvement gave us meant that we were there at Stage 1 and Stage 2 audits sooner than we planned for.”
Charityshare’s ISMS team was able to devise a Statement of Applicability that met with the full approval of the external assessor. An auditor from The Audit People was satisfied that the not-for-profit joint-venture company had met all the requirements of ISO27001:2013 and approved its certification.
The company is among the first in the charities sector globally to gain certification to ISO27001:2013, the version of the Standard first published in September 2013 – a model for others to follow.
Gary, Mark and the team at Charityshare intend to maintain their ISMS, continuing to provide a high degree of assurance to their partners and to the donors supporting their good work.
Gary: “We will manage our ISMS in the same rigorous way that we manage our IT service management. Every laptop will be encrypted, the latest patching updates will be applied, and regular penetration tests will be carried out by external providers to provide us with evidence that our multi-layered defence in depth is working to protect the confidentiality, integrity and availability of our data assets.
“Charityshare will certainly be using IT Governance in future. Perhaps we may invite Nick and his colleagues to assist us with the work to turn our ITIL-based IT service management processes into an ISO20000-certified Service Management System? Or to show Mark and me how to gain ISO22301 UKAS-accredited certification for a business continuity management system that will meet the Government’s toughest requirements. One thing is certain: we will continue to rely on what we here believe is the best consultancy service for achieving ISO compliance. I recommend you do the same!”
Just as we helped Charityshare to achieve certified ISO27001 compliance on time and within budget, so we can help you. Call us on +44 (0) 845 070 1750 to discuss your own ISO27001 consultancy requirements.