Welsh Assembly Government Statistical Directorate
This case study shows how IT Governance helped the Welsh Assembly Government Statistical Directorate achieve ISO27001 certification. Call us on +44 (0) 845 070 1750 to discuss your own ISO27001 consultancy requirements.
Welsh Assembly Government Statistical Directorate Case Study
How one public body recognised the intrinsic value of ISO27001 and reaped the benefits of expert support to successfully implement the standard.
The Directorate’s drivers for information security differ from those of a commercial enterprise. Where a company would use certification as leverage to win work or to differentiate itself in the marketplace, the Directorate’s main drivers are to ensure that the information it holds about citizens and organisations in Wales is safe in its hands; to be able to assure its partners and the public that this is the case; and to demonstrate that it is using public funds as effectively and efficiently as possible. The Directorate handles personal and/or sensitive information as well as a wealth of data about public bodies, and all the data it handles, including data on vulnerable people, needs to be treated securely.
The Directorate uses a range of different systems and processes with data gathered from many different sources and organisations. However, the planned outcomes of handling the data are similar and processes are in place to improve the consistency of data management.
Project Manager Shila Parbhoo, said ‘The idea was to centralise the handling of information to make it more secure and better structured in a common way.’ Plus, it would be advantageous to capture good practices that were already in place. ISO27001 was identified by the management team as the right way forward.
Following a competitive tender process, IT Governance was judged best placed to assist the Directorate in achieving that goal.
IT Governance began by working with the Directorate to develop a project plan, including how to approach the Information Security Management System (ISMS).
‘We wanted to make sure that the procedures equated to practical guidance… They had to be practical for us and relevant to the user base,’ said Shila Parbhoo.
Steve Watkins, IT Governance’s Director of Training and Consultancy, added, ‘Not only did we align the objectives and risk assessment with the Directorate’s values and culture, we made sure the ISMS was designed to ensure the Directorate is well positioned to adopt the continually evolving public sector security requirements quickly and effortlessly.’
One of the more demanding challenges was engaging the user community itself – convincing them that the stages were necessary and had to be done in a certain way for all parts of the business. ‘But,’ as Shila Parbhoo observed, ‘that is true of any change management project. We were challenged in a positive way.’
Another challenge was assembling the asset register. Because of the nature of the Directorate’s work, the number and complexity of its information assets were quite unusual.
‘We used IT Governance’s expertise in considering all our options,’ said Shila Parbhoo. ‘It was an open dialogue – we worked out a cost effective method and presented these options to management.’
IT Governance lead consultant Paul Cartwright devised a matrix and a new asset register reflecting a new grouping of assets, and a User Community Security Champion Forum was created. The Forum took on much of the work of progressing the risk assessment, and brought a number of additional benefits when it came time to implement the required security controls later in the project. The asset list itself was delivered by representatives of the user community, the data handlers themselves, drawn from all parts of the business. A risk assessment was then carried out by Paul Cartwright and Shila Parbhoo, and this formed the spine of the ISMS.
Training was fundamental to the project’s success. Shila Parbhoo had attended the IT Governance ISO 27001 Implementation Masterclass and reckons that she would not have been able to undertake the project without that knowledge. ‘It helped me to make well-informed decisions and was a good foundation.’
Paul Cartwright co-ordinated the security awareness training for all Directorate staff throughout the project, with a final push before certification run by a second senior IT Governance consultant. By then, the user community was much more vested in the project and the sessions were well attended and received. The earlier appointed Security Champions not only helped to gauge the success of the security awareness and training, but also enabled the data handlers to more effectively communicate the importance of information security to the wider business.
Internal audits were then conducted by a third IT Governance consultant to prepare the Directorate for their certification audit. These audits sampled the Directorate’s information security arrangements, identified what areas needed to be addressed and advised on how to close them. Once the remediation work was done, it was time to get the certification auditors in.
A UKAS-accredited Certification Body, in this case LRQA, was engaged to conduct the Directorate’s certification audit. The audit consisted of two stages, the first of which focused on the documentation. Stage 1, unfortunately, did not go as smoothly as it might have, but there was enough good news to warrant moving forward to the second stage.
IT Governance and the Directorate agreed that it would be to the Directorate’s benefit to have one of IT Governance’s consultants on hand during the Stage 2 audit. This stage looked at, among other things, practices on site and the evidence created to demonstrate that the Directorate was practising what it had committed to. Paul Cartwright assisted Shila Parbhoo throughout the audit, answering questions and challenging the auditor where appropriate.
‘Support during Stage 2 was excellent,’ said Shila Parbhoo. ‘I could not have had the confidence to conduct it without [IT Governance]. If you have a two- or three-day audit, it is well worth getting the expertise, particularly if there is only one person managing the project.’
The Directorate was recommended for ISO27001 certification in July 2010. Paul Cartwright was proud of their achievement, ‘The Directorate had a great culture already embedded which really shone through during the certification process – staff took great pride and ownership in their work. More often than not, this is half the battle with an information security project of this nature – long may it continue.’
Now that they are certified, what is next for the Directorate? ‘At this stage, the ISMS is still relatively embryonic, we are still in the early stages of implementation given the changes to the security environment in which we operate,’ said Shila Parbhoo. ‘But I am optimistic that it will mature into something that supports the Directorate in delivering its business objectives and is what the user community is looking for.’
When asked what advice she would give to any organisation embarking on this project, Shila Parbhoo replied, ‘Get management commitment early on – your job will be ten times harder without it. Part of the job is done when you haven’t got to convince them. Also, it’s good to have expertise by your side to draw on.’
The biggest challenge was resourcing. ‘We underestimated the commitment we had to give to the project,’ said Shila Parbhoo. ‘But this had more to do with experience rather than ignorance.’ When asked what she would do differently, she said, ‘I’d have ten people working on it all the time!’
From a lead consultant’s perspective, Paul Cartwright said ‘It would help to keep all the key contributors (Security Champions) involved all the way through the project. Further, encouraging adopters to be ruthless, and to group their assets into as few groups as reasonably possible, also reduces the burden during the risk assessment phase.’