Workforce Metrics achieves ISO27001 certification in only three months for under £5k!
This case study shows how IT Governance helped Workforce Metrics achieve ISO27001 certification. Call us on +44 (0) 845 070 1750 to discuss your own ISO27001 consultancy requirements.
Workforce Metrics Case Study
When Workforce Metrics was founded by Andy Shettle in 2009, the company was literally just him and his PC.
Andy knew that ISO27001 certification was often a vital requirement – particularly when tendering for contracts awarded by local government, the NHS and the wider public sector – and that without it a supplier could expect a lot of wasted time completing additional security questionnaires and audits in order to win business.
Workforce Metrics handles a large volume of sensitive data, such as detailed personnel records for its clients, and the reasons for such an organisation to have strong information security in place in today's threat environment are self-evident.
In addition, there are the statutory requirements of the Data Protection Act 1998, which apply to all organisations and are often cited in public sector tender documents and requests for proposals. These drivers, together with the rising cost of security breaches in terms of fines, loss of reputation and the impact on stakeholder confidence, mean that there is a growing requirement to provide supply chain assurance through ISO27001 certificates issued by UKAS-accredited certification bodies.
“My best advice to other SMEs that are seeking to comply with ISO27001? Don’t agonise over how to do it or how long it will take. Call in IT Governance and let the experts show you how to achieve the best result. This will save you time and money, and ensure the desired outcome: ISO27001 certification.”
Andy Shettle, Managing Director
When Andy Shettle, managing director of Workforce Metrics, planned for growth in his start-up software business, he was thinking big. His client base consisted mostly of public sector organisations with over 750 employees on average. These organisations have mature HR departments that are required by law to manage policy compliance. Therefore, Andy already understood the growing need to demonstrate compliance when he started his software enterprise based in Redhill, Surrey.
Established in 2009, Workforce Metrics is a specialist provider of employee relations (ER) software to human resource professionals and HR departments. ‘ER Tracker’ is designed to drive inefficiencies out of managing ER cases where people-orientated processes are involved. The company’s software can be deployed either on premises or in the cloud, and provides visibility of information on dashboards.
With coaching and mentoring support from IT Governance, one of the most experienced ISO27001 consultancy practices in the world today, Andy has been able to demonstrate conclusively that SME businesses with between one and ten employees can achieve ISO27001 information security certification without restrictive paperwork.
The main drivers for gaining ISO27001 certification were:
Differentiation: Workforce Metrics would gain an advantage over its competitors, both by having certification and by publicising this fact;
Compliance with the requirements of an ever-growing number of government and public sector prospective clients looking to make efficiency savings around their employee relations caseload.
To quote Andy:
“Workforce Metrics came into existence to fulfil the growing compliance needs of HR departments that were struggling to implement new legislative requirements. As a business, we knew that the problem of handling these changes effectively was down to metrics: policy compliance meant having better data in the system. This is particularly important for the requirements of workforce monitoring as required under the UK Equality Act: Public Sector Equality Duty.
“Policy compliance is a legal requirement for HR departments in the public sector and that means processing and protecting a lot of highly-sensitive and personally-identifiable data. For example, this could be information on disciplinaries and grievances, which can be reported against a person’s cultural background and sexual orientation or gender, to see if the organisation is treating all employees equally.
“The requirement from our clients is to be secure and by planning and implementing an ISO27001-compliant information security management system (ISMS) we are able to offer complete confidence. With cloud deployments increasing, prospective clients of Workforce Metrics are seeking further assurances around IG and ISO27001 is an internationally recognised standard, so it was vital that we had it.
“While Workforce Metrics was acutely aware of the IG ISO27001 standard, we were keen to be led by the experts and so sought the help of IT Governance. Having researched them extensively, I felt very comfortable with their knowledge about ISO27001 when I spoke to an account manager initially on the phone. This was later confirmed by the expert attention that we received from our dedicated IT Governance consultant.”
Andy was impressed with the project support that he received from IT Governance: “When I first met Steve [Watkins], I was unaware that he had written several books on ISO27001. It was only later that I realised why the advice that I had been given was so authoritative: Steve is surely one of the most experienced consultants in this field.
“I had heard many stories from clients about how many years it could take and the cost involved in achieving ISO27001 certification, and there’s no doubt that some organisations could struggle, should they be offered poor quality advice. We, on the other hand, achieved our goal in four months by hiring IT Governance’s Mentor & Coach support service!
“We focused on using Steve’s considerable skills to transfer to us the knowledge that we needed to allow Workforce Metrics to run its ISMS going forward. This ensured that we were able to put the implementation in place speedily and that ongoing management was as painless as possible. Based on the Mentor & Coach support described in their detailed proposal, the consultancy work estimated was an appropriate level of investment for Workforce Metrics: enough for us to obtain the assistance that we required to embed an ISMS compliant with ISO 27001, measured in days rather than weeks or months of hire cost.
“It was a no-brainer to hire IT Governance to transfer the knowledge that we needed to maintain our own ISMS. For us, this was cheaper and easier than leaving the whole process to the consultants as some organisations do. However, I can see why managers with little or no experience of standards compliance would opt for the ISO27001 FastTrack™ option that IT Governance offers microbusinesses (19 or fewer employees), whereby the responsibility for setting up the ISMS is outsourced to IT Governance consultants. Likewise, I understand why a Managed Service option, to maintain this going forward, would be attractive to smaller enterprises. However, in Workforce Metrics’ particular situation, with our team’s highly-developed understanding of compliance requirements for workforce legislation and international standards, it made sense to develop the skillset to manage ISO27001 compliance internally.”
As part of the support, IT Governance trained Andy on a public ISMS Lead Auditor course. Andy says: “I wanted to take the IT Governance Lead Auditor course to understand the mind-set of a qualified ISO27001 auditor. The training was interactive and gave me an excellent insight into the processes involved. I would recommend the IT Governance approach as you are trained by practising information security consultants who know what you need to do to comply with the requirements of the standard.
“My experience of IT Governance was of an organisation that is easy to work with and which can achieve results fast through their intensive training style and the invaluable experience of their consultants. When the certification body assessor from The Audit People arrived for the Stage One audit, I think that he was surprised that most of what was needed was already in place. For example, we had our policies, procedures and controls for file encryption and protection of personally-identifiable confidential client data already in-place. Our ISMS was also clearly, but succinctly, documented.
“Our consultant made sure that what we had in the ISMS was right for our situation: enough to ensure that we complied, but not overkill for a small firm. So many smaller organisations spend too long carrying out risk assessments and creating unnecessary documentation that they imagine (or are told) is a requirement of putting the ISMS together. The object though is an ISO27001-compliant information security management system, and that can be achieved in a way that works for small businesses as well as larger companies. We received only two recommendations for improvement during Stage 1, and by the Stage 2 external Audit, our ISO27001 ISMS passed first time with one minor non-conformance recorded that was easily addressed.”
Thanks to coaching and mentoring support from IT Governance, Workforce Metrics passed its Stage 2 audit, conducted by The Audit People, a UKAS-accredited certification body. As a result, the company was issued an ISO27001 certificate in November 2013, less than four months after Andy engaged IT Governance.
In Andy’s words: “IT Governance helped us to pull the whole thing together in much less time than we were led by some sources to believe. I would recommend that if you want the result of UKAS-accredited certification in a timely manner, you should consult IT Governance first! By taking this route, we have gained valuable status in our dealings with existing and prospective clients, and I am confident that certification will help us to gain business by providing the appropriate level of assurance.
“My best advice to other small businesses that are seeking to comply with ISO 27001? Don’t agonise over how to do it or how long it will take… call in IT Governance and let the ISO27001 experts show you how to achieve the best result. This will save you time and money, and ensure the desired outcome: ISO27001 accredited certification.”
Elaine Hanaghan, Director of UKAS-accredited certification body The Audit People said: “It is important that every size of organisation, large or small, endeavours to take Information Security seriously especially with technology and regulatory requirements changing more frequently than we care to imagine. It doesn’t have to be difficult to comply with ISO/IEC 27001: in fact most organisations find that they have already identified their information security risks and have the majority of controls in place to manage the information security requirements in relation to their own activities or processes. In terms of auditing, Workforce Metrics was able to prove that it has a robust and effective information security management system in place and it took less than one month between the first and second stage audits to become fully certified!”
Steve Watkins of IT Governance adds: “It has been reassuring to know that the test of applying years of experience implementing ISO27001-compliant information security management systems into the smallest of businesses – in a manner that really works for these companies – has met with resounding success. Workforce Metrics now has a light-touch, systematic approach to managing information security that serves its business well and delivers the assurance that was required: accredited certification to ISO27001.”
Just as we have helped Workforce Metrics to achieve ISO27001 compliance on time and within budget, we can help you. Call us now on 0845 070 1750.