dsicmm achieves ISO27001 certification without tears
This case study shows how IT Governance assisted dsicmm in achieving ISO27001 certification with the minimum of fuss. Call us on +44 (0) 845 070 1750 to discuss your own ISO27001 consultancy requirements.
dsicmm Case Study
After a challenging Stage 1 audit, top direct marketing group dsicmm called in IT Governance to advise on the requirements of ISO27001 and prepare the company for a successful Stage 2 inspection.
In mid-2006, dsicmm achieved compliance with the BS7799 information security standard to satisfy data protection requirements for its direct mail databases. In the course of this, the company became aware of ISO27001, the recently launched global standard. dsicmm’s Board decided that, as part of the company’s drive for excellence, ISO27001 accredited certification should also be achieved. Not only was it seen as a potential differentiator in their market but, given that many of dsicmm’s customers are financial services businesses, the company felt the standard would increasingly become a prerequisite for future business.
dsicmm’s Head of Business Control, Carol McCarthy, and Group IT Manager, Stephen Lawrence, were therefore tasked with matching the company’s existing security arrangements to the new standard’s requirements. Given dsicmm’s already tight IT security and strong Quality Assurance culture, the company felt well placed to achieve ISO27001 compliance in a short period.
However, a Stage 1 independent audit conducted in May 2007 identified various gaps between the security measures that were demonstrated and the specific demands of ISO27001. While the company passed this audit, various non-conformances were highlighted that needed fixing to pass a Stage 2 audit and achieve certification. It had yet to demonstrate the existence of an Information Security Management System (ISMS) that complied with all aspects of ISO27001. As the company had already devoted considerable time to the project, it felt the need for some specialist advice and, in July, called in IT Governance to assist.
“In some ways, it seems harsh that dsicmm was challenged at its audit, because it had many of the right measures ingrained in its business,” says Steve Watkins of IT Governance, who led the engagement. “However, ISO27001 is very specific in its requirements and, to compound matters, its language is generic, so it can be hard for the uninitiated to understand precisely how it applies to them.”
IT Governance and dsicmm worked together to establish the various items of documentary proof that the auditors wanted to see. For example, the company needed a full asset register, a documented Risk Assessment and a prescribed format for incident and audit reports. While many of the requirements were performed routinely, dsicmm needed clear, written proof that its information security operated as a management system and was in use right across the business. McCarthy describes their challenge as like the famous Morecambe & Wise sketch with Andre Previn: “Just like Eric Morecambe at the piano, we were playing all the right notes, but not necessarily in the right order.”
Following an initial review, IT Governance assigned a consultant to help dsicmm prepare for and undertake an asset-based risk assessment. This exercise is a fundamental requirement of ISO27001 and must be performed exactly as specified. To simplify the process, dsicmm used vsRisk, a purpose-built ISO27001 risk assessment software tool that IT Governance had developed together with software house Top Solutions. This presented existing dsicmm risk assessment data in a manner acceptable to auditors, allowing the process to be completed in a single week, an exceptional achievement for any business.
Watkins then advised on the preparation of the other documentation, including how best to integrate the requirements to achieve approval to APACS55, a related security standard for businesses undertaking cheque printing. He visited the company twice in the first month to review progress and give input where required. For example, he advised on the development of an internal audit plan and ensured this was correctly structured and worded for its purpose. “We were very experienced in writing QA policies and documentation, but effectively had to learn a new language in order to write about security,” says McCarthy. IT Governance also ran training sessions for senior and middle management, both to explain the role of the standard and to secure the necessary buy-in to bring the ISMS fully to life.
McCarthy and Lawrence also ran cascade training sessions for other employees to ensure that awareness was shared throughout the business.
After two months of preparation, dsicmm felt ready for its audit, and the Stage 2 assessment was conducted in October 2007.
In contrast with its Stage 1 audit, dsicmm was able to confidently present the Stage 2 assessors with a comprehensive set of documentation that showed the workings of its ISMS. For both ISO27001 and APACS55, the company passed its audits with flying colours.
“Our Stage 2 audit was far less nerve-racking than our first,” says McCarthy. “We benefited hugely from IT Governance’s advice, and they effectively mapped out the route we needed to follow. If I were faced with doing the project all over again, the first thing I would do is get an expert consultant in to make sure we were tackling things in the right way. IT Governance really know their stuff and immediately impressed us with their calm and reassuring approach.”
dsicmm also recommends allowing sufficient time prior to attempting an audit. “Even though we felt pretty used to business controls, the preparation was very time-consuming. Admittedly, we took a few wrong turns along the way but, even then, I feel a business needs to allow six months to a year before facing the rigours of an audit,” she says.
Watkins observes, “dsicmm’s challenge wasn’t about culture change – it already had a very thorough and documented approach to its work. It was mainly about interpreting the standard and ticking boxes in the right order. With a successful Stage 2 under its belt, the business is now very well placed to keep its ISMS alive for the long term.”
McCarthy agrees and says that through its ongoing programme of grassroots training, communication and internal audits, dsicmm’s ISMS is set to become truly “self-propelling”.
Just as we have eased dsicmm's way to achieving ISO27001 compliance on time and within budget, we can help you. Call us now on 0845 070 1750.