This website uses cookies. View our cookie policy
United Kingdom
Select regional store:

Welsh Assembly Government Statistical Directorate

Welsh Assembly Government Statistical Directorate

This case study shows how IT Governance helped the Welsh Assembly Government Statistical Directorate achieve ISO27001 certification. Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on +44 (0)333 800 7000 to discuss your own ISO27001 consultancy requirements.

Welsh Assembly Government Statistical Directorate Case Study

How one public body recognised the intrinsic value of ISO27001 and reaped the benefits of expert support to successfully implement the standard.


The Directorate’s drivers for information security are different from a commercial enterprise: where the latter would use it as leverage to win work, or differentiate itself in the marketplace, the Directorate’s main drivers are to ensure that information held about citizens and organisations in Wales are safe in their hands; to be able to assure its partners and the public that this is the case; and to demonstrate that they are using public funds as effectively and efficiently as possible. The Directorate handles personal and/or sensitive information as well as a wealth of data about public bodies and all the data that they do handle – such as data on vulnerable people – needs to be treated securely.


The Directorate uses a range of different systems and processes with data gathered from many different sources and organisations. However, the planned outcomes of handling the data are similar and processes are in place to improve the consistency of data management.

Project Manager Shila Parbhoo, said ‘The idea was to centralise the handling of information to make it more secure and better structured in a common way.’ Plus, it would be advantageous to capture good practices that were already in place. ISO27001 was identified by the management team as the right way forward.

Amid an intense tender process, IT Governance was deemed best placed to assist the Directorate in achieving that goal.


IT Governance began by working with the Directorate to develop a project plan, including how to approach the Information Security Management System (ISMS).

‘We wanted to make sure that the procedures equated to practical guidance… They had to be practical for us and relevant to the user base,’ said Shila Parbhoo.

Steve Watkins, IT Governance’s Director of Training and Consultancy, added, ‘Not only did we align the objectives and risk assessment with the Directorate’s values and culture, we made sure the ISMS was designed to ensure the Directorate is well positioned to adopt the continually evolving public sector security requirements quickly and effortlessly.’

One of the more demanding challenges was engaging the user community itself – convincing them that the stages were necessary and had to be done in a certain way for all parts of the business. ‘But,’ as Shila Parbhoo observed, ‘that is true of any change management project. We were challenged in a positive way.’

Click here to read more »


A UKAS-accredited Certification Body, in this case LRQA, was engaged to conduct the Directorate’s certification audit which consisted of two stages: the first of which focused on the documentation. Stage 1, unfortunately, did not go as smoothly as it might have. However, there was enough good news to warrant moving forward to the second stage of the audit.

IT Governance and the Directorate agreed that it would be to the Directorate’s benefit if one of IT Governance’s consultants was on hand during the Stage 2 audit. This stage looked at, among other things, practices on site and the evidence created to demonstrate that the Directorate was practicing what it had committed to. Paul Cartwright assisted Shila Parbhoo throughout the audit, answering questions and challenging the auditor where appropriate.

Support during Stage 2 was excellent,’ said Shila Parbhoo. ‘I could not have had the confidence to conduct it without [IT Governance]. If you have a two- or three-day audit, it is well worth getting the expertise, particularly if there is only one person managing the project.’

The Directorate was recommended for ISO27001 certification in July 2010. Paul Cartwright was proud of their achievement, ‘The Directorate had a great culture already embedded which really shone through during the certification process – staff took great pride and ownership in their work. More often than not, this is half the battle with an information security project of this nature – long may it continue.’

Next steps

Now that they are certified, what is next for the Directorate? ‘At this stage, the ISMS is still relatively embryonic, we are still in the early stages of implementation given the changes to the security environment in which we operate,’ said Shila Parbhoo. ‘But I am optimistic that it will mature into something that supports the Directorate in delivering its business objectives and is what the user community is looking for.’

When asked what advice she would give to any organisation embarking on this project, Shila Parbhoo replied, ‘Get management commitment early on – your job will be ten times harder without it. Part of the job is done when you haven’t got to convince them. Also, it’s good to have expertise by your side to draw on.’

The biggest challenge was resourcing. ‘We underestimated the commitment we had to give to the project,’ said Shila Parbhoo. ‘But this had more to do with experience rather than ignorance.’ When asked what she would do differently, she said, ‘I’d have ten people working on it all the time!’

From a lead consultant’s perspective, Paul Cartwright said ‘It would help to keep all the key contributors (Security Champions) involved all the way through the project. Further, encouraging adopters to be ruthless, and to group their assets into as few groups as reasonably possible, also reduces the burden during the risk assessment phase.’

Download this case study now

To get a PDF version of this case study enter your email address below and we will send you a copy straight away.

Just as we have helped the Directorate achieve ISO27001 compliance on time and within budget so we can help you. Call us now on 0845 070 1750.