London Pensions Fund Authority (LPFA) achieves ISO27001 and ISO14001 certifications 6 months ahead of deadline
This case study shows how IT Governance helped LPFA achieve ISO27001 certification. Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on +44 (0) 845 070 1750 to discuss your own ISO27001 consultancy requirements.
LPFA Case Study
In the highly-competitive market for pension fund administration, cost-effectiveness and efficiency are the vital components for success. LPFA is, therefore, a cost-conscious and well-run organisation, but also one that is aware of its responsibilities when it comes to protecting the security of data and taking a leadership position in improving its environmental impact. Serving some of the most prestigious pension clients in the UK public sector, and expanding its business through winning commercial tenders, LPFA is committed to demonstrating its good practice through compliance and accredited certification to appropriate standards.
The Board decided in 2010 that the organisation should seek certification to ISO27001, the Information Security Management System (ISMS) Standard, and ISO14001, which addresses the management of an organisation's environmental impact in a comprehensive, systematic, planned and documented manner. IT Governance was chosen to provide a comprehensive mix of consultancy support, training and facilitation for the projects.
LPFA administers its own fund and provides a wide range of services centred on the Local Government Pension Scheme (LGPS), ranging from full pension administration and partnerships with councils to providing scheme communications, hosting pension websites and training administration staff. As part of its continuing process-improvement and commercial-expansion programme, pursued through tendering for business with local authorities, LPFA’s Board tasked Les Higgs, Business Improvement and Programme Manager, and Data Quality Analyst Lauren McHugh with planning and implementing a programme of standards-compliance projects, beginning with the ISO27001 Information Security Standard and the ISO14001 Environmental Management System Standard.
“We were approached at the Infosec Europe 2010 exhibition by Les with regard to security penetration testing services. We offered our ‘pentest’ – a technical method of evaluating the security of a computer system, or network by simulating an attack from malicious outsiders,” says Steve Watkins, Director, Training & Consultancy, at IT Governance. “We carried out the penetration test in 2010 and, when we presented the results, had the opportunity to talk to Les and his colleagues about LPFA’s emerging plans for information management system security and environmental compliance projects. The following year, Les called us, saying that LPFA needed to achieve certification in both ISO27001 and ISO14001 Standards by Q1 of 2012. We were invited back to scope both projects and estimate the costs, before submitting a proposal for the mentoring and in-house training work that would be required.”
To address the requirements of commercial tenders in the public sector and to achieve quality and performance improvements across the enterprise, the LPFA Board determined that a compliance programme should be undertaken.
They chose ISO international standards, which are widely adopted because they are generic (i.e. process-based): they can be applied to any organisation, in any sector, large or small, whether it produces goods or delivers services, including charities and the voluntary sector.
Two international standards were selected in the first instance:
The ISO27001 Information Security Standard is the international specification that helps businesses and organisations throughout the world to develop a best-practice information security management system (ISMS).
Information and information systems are vital to all organisations. ISO27001 adopts a risk-based approach and sets out specific requirements against which an organisation’s information security management system (ISMS) can be audited and certified.
ISO27001 is designed to harmonise with ISO9001:2008, ISO14001:2004, ISO20000 and others for effective management system integration. It utilises the Plan-Do-Check-Act (PDCA) model, and reflects the principles of the 2002 OECD guidance on the security of information systems and networks.
The ISO14001 Environmental Management System Standard helps organisations to be more environmentally friendly, and provides guidance on how to measure consumption and reduce waste. An effective programme to reduce, re-use and recycle will produce benefits by making tangible cost savings, reducing environmental impact and enhancing environmental credentials.
ISO14001 is particularly well recognised by central and local government, saving costly and lengthy environmental credential checks. With ever greater pressures on environmental performance, the private sector has, increasingly, demanded the Standard in supply chains, too.
ISO14001 certification also helps to win business: a fact demonstrated by LPFA’s success in securing commercial tenders, as a result of being compliant to a standard that is, increasingly, a requirement.
Les Higgs was impressed with the detail and appropriate handling of the issues in the IT Governance project proposal. He was also persuaded that Steve and his colleagues had the relevant knowledge: “We felt that IT Governance were ‘close to our roots’ in terms of understanding the needs of LPFA and the public sector. They won our account on a purely competitive tender basis against bids from leading professional services companies in the field – and it’s a decision we have never regretted.”
Following an initial project review, IT Governance assigned a consultant with a strong track record in both ISO27001 and ISO14001 compliance projects. Nick Orchiston, a management systems consultant with more than 17 years’ experience, was chosen for his suitability to lead the engagement and introduced to Les and Lauren, who were immediately impressed by his knowledge. Nick has successfully taken organisations similar in profile to LPFA through quality (ISO9001), health & safety (OHSAS18001), environmental (ISO14001) and information security (ISO27001) management systems compliance. He has also supported a wide variety of organisations, from SMEs to global corporations, through to accredited certification to all of these standards.
Les explains, “LPFA is known as a pension fund manager and administrator with decades of knowledge of public sector needs, vast experience and a high level of detail in our delivery. When it comes to choosing external consultants, we look for the same level of total commitment to excellence in their service delivery; with IT Governance, our confidence was more than justified.”
“In fact, I can say with pride that our certification audits for ISO27001 and ISO14001 were less demanding than our set-up process led by our consultant, Nick Orchiston, who prepared us systematically and thoroughly. Nick helped us to define our information security and environmental policies and to conduct our risk assessments. I have to admit that the whole process was somewhat nerve-wracking, but completely worthwhile.”
“When we first met Nick, Lauren and I realised that we had a lot to learn. His knowledge of the detail involved in compliance was impressive,” says Les. “We realise now that IT Governance saved us weeks of costly effort finding out the hard way – and that time savings translated directly into LPFA achieving certification well ahead of our target dates. The time savings more than paid the cost.”
“IT Governance really helped to speed up the process. They proved that they had genuine substance, and not just a glossy surface, when it came to transferring knowledge in the very short timeframe required.”
IT Governance also ran training sessions for senior and middle management, and for LPFA’s staff, both to explain the role of the ISO27001 and ISO14001 Standards and to secure their involvement.
Lauren McHugh was appointed from another LPFA internal team when the programme began. She was selected because of her eye for detail. “For my part, I found IT Governance’s Lead Implementer course invaluable in orienting me towards the requirements of the ISO27001 Standard,” says Lauren. “I was relatively new to the subject of information security. IT Governance’s trainers understood my requirements, but what I found most helpful was the detail. After completing the intensive three days on the IT Governance course, I felt a lot more confident.”
“When we began implementing ISO14001 to improve LPFA’s environmental performance, Nick was, again, a mine of valuable information. Systematically managing environmental impacts involves allocation of resources, assignment of responsibility and ongoing evaluation of practices, procedures and processes. The emphasis here is on making everyone more aware, and factoring environmental management into their working lives. We began to achieve this in ways that had a practical and positive impact. For example, we secured multifunctional printers that achieved significant savings in consumables. We estimate that we have produced a £20,000 saving in printing and paper usage, which has helped us to achieve our environmental targets while reducing costs. The programme has led to a fivefold increase in recycling in the same way. LPFA even switched cleaning services from morning to evening, so that the cleaners could ensure that the lights were turned off overnight. The savings have been tremendous. At the start, there was a degree of scepticism about the benefits of applying ISO14001: now everybody buys in.”
Les is quick to highlight the main benefit of engaging IT Governance. “With ISO27001, we had a contractual deadline of April 2012 to meet in order to secure a major new client contract. Nick brought us to compliance by October 2011. Following the audit conducted by BSI, we had only three minor non-conformities, but a clean bill of health. The sense of a job well done ran all over the organisation. Once again, some of the changes seem fairly small: staff mobiles are now BlackBerrys (more secure), all laptops are encrypted, data is much more organised – hence it does not get lost and/or removed easily, and our clear desk policy means that confidential client information is not left sitting around waiting to be read by any unauthorised parties. Likewise, when we transfer documents, a series of confidentiality checks is applied. We have a quarterly management review to see if the measures are working and what we can do to improve security. ISO27001 has brought significant and beneficial cultural change – an issue which our customers are taking very seriously, as reputational damage can have a huge impact. We are winning new business because we are being responsible – and can demonstrate it!”
“The impact of ISO14001 has been readily understood by all the members of our organisation, translating into responsible environmental practices and procedures, and saving LPFA’s money,” continues Les. “What started out as a requirement to win contracts, has become a way of managing and working.”
Mike Taylor, LPFA’s Chief Executive, confirms the commercial and operational value of the standards compliance programme: “I am delighted that LPFA has managed to achieve ISO accreditation six months ahead of deadline. Key elements, such as enhanced data security and environmental considerations, have become part of life across the whole organisation. This accreditation should give confidence to all Fund members and clients that their information is in good hands. The process had total commitment from the project team, IT Governance and all staff and it was this that led to a successful implementation.”
LPFA is now planning to extend its compliance programme to include several other standards, including BS25999 Business Continuity Management.
The last word should go to Les: “IT Governance has been an invaluable partner to LPFA. We want them to work with us in the future.”
Just as we have helped LPFA achieve ISO27001 and ISO14001 compliance on time and within budget, so we can help you. Call us now on 0845 070 1750.