Securing your assets
28 Feb 2008
Topics: Information security, ISO/IEC 27001
Gemserv, a consultancy that advises on, defines and implements regulatory structures and governance frameworks for liberalising energy markets, recently achieved certification from BSI to ISO/IEC 27001 Information Security Management System (ISMS).
Gemserv routinely handles sensitive commercial and economic data on behalf of its public and private sector clients, which include several sector regulators in the UK and Ireland, the Carbon Trust and the Institution of Mechanical Engineers. The company identified ISO/IEC 27001 as a natural way to best serve its clients and enhance its reputation. By achieving ISO/IEC 27001 compliance and certification, Gemserv would demonstrate that it is "a safe pair of hands" for data security and business continuity, and also underline its commitment to best practice in all of its work.
"We saw ISO/IEC 27001 as a way to prove to ourselves that our information assets are secure," says Gemserv CEO Nigel Bromley. "It is also going to be an important tool to help us win more business. Certification will increasingly become a prerequisite for tenders, and we wanted to steal a march on our competitors."
Going through the process
According to project manager Dinesh Sharma, who works in the company's Assurance Team, "ISO/IEC 27001 reaches right through the organization and involves people in every department, so it is essential to be able to keep parallel and interlocking tasks constantly in your sights."
"Senior-level support is absolutely crucial", says Sharma. "ISO/IEC 27001 entails fundamental and long-term changes to how everyone works, so it is vital that all staff see the importance attached to it by top management. If people thought it was optional it would be difficult to deliver compliance with the standard. Throughout the project, I've had the full backing of Gemserv's senior management, as well as a very hard-working and enthusiastic project team."
Gemserv decided early on that it wanted to run the project internally, rather than handing the task over to hired guns. However, to ensure that the company was working along the right lines, Gemserv approached BSI Management Systems.
As an accredited Certification Body, BSI is unable to provide any form of consultancy service and must remain totally impartial. Nevertheless, BSI is often asked to recommend consultants. It therefore created the Associate Consultant Programme (ACP), compiling a list of consultancies that are known to BSI. This is not intended as an endorsement of any one consultant's services, but all ACP members have demonstrated their experience with respect to certified management systems.
Through the ACP, Gemserv selected and brought on board ISO/IEC 27001 consultants IT Governance Limited to act as project coach.
Together, Gemserv and IT Governance agreed a five-stage project roadmap with regular checkpoints, at which the consultants would visit the company to sample its work and offer any suggestions. In addition, IT Governance provided specialist training at the outset to equip Sharma and his team with the necessary knowledge and skills.
The project team included a representative of each company department. As well as helping to implement the programme, the members served as ISO/IEC 27001 champions by explaining the benefits of compliance to their immediate colleagues.
"The project team is most actively involved in the risk assessment phase, but we felt it important to give them an overview of the entire task and keep them closely informed throughout," says Sharma.
He adds, "Getting certified might look like the end game, but it's actually only the start. Once you have got your ISMS in place, you need to make it part of the company's culture - it requires on-going maintenance and attention."
Words of advice
For any organizations contemplating ISO/IEC 27001, Sharma has the following recommendations.
"It is essential that your team is properly trained. Part of my role has been one-on-one risk assessment training with each team member, helping them to build on their understanding and gain confidence," says Sharma. "You can't just send your team back to their desks and expect them to get on with it. If you think that sounds time-consuming, it would have been far worse to find out after three months that our entire risk assessment was flawed because of some basic misunderstandings."
Sharma advises companies not to underestimate the time required for risk assessment: "This was the one area where we had to extend our deadline. Risk assessments are very involved and, although I thought we had been generous on timing, it turned out that we had underestimated by about a third."
For more information on ISO/IEC 27001 certification: www.bsigroup.com/isms
For more information on ACP: www.bsi-uk.com/ACP
Business Standards © 2008. Editorial produced by Caspian Publishing in association with the British Standards Institution. Editorial opinions expressed are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.