This article was first published in the September 2011 Ireland edition of Accounting and Business magazine
McNally Business Services Ltd (MBSL) is a chartered accountancy and business services firm which provides a range of outsourced services. A staff of 12 includes an IT manager who administers all the company’s IT systems and software. MBSL has operated in a paperless environment since 2008 and all members of staff have at least two monitors on their desk.
Recognising the need to give its clients additional assurance as to the controls in place safeguarding their information, the company set upon the task of attaining an internationally recognised standard, namely ISO27001 – Information Security Management Systems.
An information security management system (ISMS) is that part of the overall management system, based on a business-risk approach, that is designed to establish, implement, operate, monitor, review, maintain and improve information security. The management system takes account of organisational structure, planning activities, responsibilities, practices, procedures, processes and resources.
No other accountancy firm in Ireland had been awarded this certification, so the company began by mapping out the main stages of the project that it would need to follow to reach its goal, the main ones being:
- Initial training;
- Setting scope;
- Critical path;
- Gap analysis;
- Risk assessment report and treatment plan;
- Policies and procedures documentation;
- Statement of applicability; and,
- Certification audit.
ISO27001 – Information Security Management Systems is an information standard applying to all forms of information. Given the company’s heavy reliance on IT, it was obvious that it would need an internal project team with a high level of IT knowledge to achieve its goal. An ISMS steering committee was formed to run the project that consisted of the company’s IT manager and a director. This mix ensured the correct level of knowledge and the skill base to implement the project. The addition of the director also demonstrated the support at board level.
The ISMS steering committee attended a two-day training session with Certification Europe that enabled it to compile a critical path for the achievement of the certification. The training session also gave the project team a valuable insight into exactly what was involved and the amount of work required to achieve its goal.
The ISO27001 standard is often implemented for a part of an organisation, e.g., the IT department or software development department. However, MBSL was determined to be more ambitious. It considered whether it could apply the standard to the whole organisation and everything it did. This approach was seen as a way of giving maximum assurance to clients. In defining its scope, it settled on the following: the company is committed to protecting its information and that of its clients. To achieve this goal, the company has implemented an information security management system in accordance with ISO 27001: 2005. The company’s information security management system is applicable to all operations of the business carried out at its head office including the following:
- Outsourcing accounting services;
- Taxation and company secretarial compliance services;
- Tax planning and wealth management services;
- Consulting services; and,
- Internal information technology systems and networks.
The company estimated that it would take approximately 18 months to achieve certification and saw there were two large parts to the project: the certification project itself and also a project to document all of the organisation’s policies and procedures.
Like every other accountancy firm of its size, it had a myriad of policies and procedures but not all of them were formally documented.
Before proceeding further, it needed to know exactly how its existing controls, policies and procedures measured up to the standard. Certification Europe performed a gap analysis and pointed the company in the direction it needed to go, and the company modified its plan accordingly.
Report and treatment
A key part of any ISO27001 implementation is the risk assessment report and risk treatment plan. The company assessed a lot of the products available on the market to help with this and other aspects of the implementation but found that they did not suit its model. It initially identified and categorised all its information assets and general assets and then formulated a risk methodology that could be applied to each vulnerability, threat and risk on a consistent basis.
With this determined, it built its key ISMS spreadsheet using Microsoft Excel. Each information asset that it had identified was logged in the spreadsheet and a risk assessment was carried out considering vulnerabilities, threats, the likelihood of each arising and how each risk should be treated.
This took a number of attempts to get right but, once it was fine-tuned, it offered a robust model to consider risks without difficulty and to update easily.
Once the board signed off on the risk treatment plan and also accepted the residual risk, implementing the risk treatment plan brought a raft of additional controls into the organisation.
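The article describes the shape of the risk methodology (asset, vulnerability, threat, likelihood, treatment, board-accepted residual risk) but not the scales or thresholds MBSL used. The following is an added example, not the company's spreadsheet or any code from the article: a small risk register in Python using an assumed 5×5 likelihood × impact scoring, assumed priority bands, an assumed risk appetite threshold, and a constructed set of sample assets and threats. It shows why a single consistent scale matters: inherent and residual scores become comparable across every asset, and the "accept or treat further" decision follows mechanically from the board's stated appetite.

```python
"""Added example: a risk register with one consistent scoring methodology.
The scales, bands, appetite threshold and sample entries below are assumptions
for illustration only; the article does not publish MBSL's own methodology."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed ordinal scales (1..5). Any consistent scale works; the point is that
# every asset is scored against the same one so the results are comparable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed risk appetite: a residual score at or below this is accepted by the board.
RISK_APPETITE = 6


def score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood x impact on the shared scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(value: int) -> str:
    """Map a score to a priority band for the treatment plan (assumed cut-offs)."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                      # inherent, before any planned controls
    impact: str
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[str] = None  # after planned controls; None = unchanged
    residual_impact: Optional[str] = None

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def residual(self) -> int:
        return score(self.residual_likelihood or self.likelihood,
                     self.residual_impact or self.impact)

    def treatment(self) -> str:
        """The decision the board signs off on: accept the residual risk or treat further."""
        return "accept" if self.residual() <= RISK_APPETITE else "treat further"


# Constructed sample register (hypothetical assets and threats, not MBSL's data).
REGISTER = [
    Risk("client accounting files on file server", "ransomware", "delayed patching",
         "likely", "severe",
         ["patch cycle", "offline backups", "least-privilege shares"],
         "unlikely", "moderate"),
    Risk("staff laptops", "theft of device", "no disk encryption",
         "possible", "major",
         ["full-disk encryption", "remote wipe"],
         None, "minor"),
    Risk("IT manager account", "credential compromise", "single administrator",
         "possible", "severe",
         ["MFA", "separate admin account", "activity review"],
         "unlikely", "major"),
    Risk("printed client letters", "mis-delivery", "manual addressing",
         "unlikely", "minor"),
]


def treatment_plan(register: list) -> list:
    """Rows of the risk treatment plan, highest inherent risk first."""
    rows = []
    for r in sorted(register, key=lambda r: r.inherent(), reverse=True):
        rows.append({
            "asset": r.asset, "threat": r.threat,
            "inherent": r.inherent(), "band": band(r.inherent()),
            "controls": r.controls,
            "residual": r.residual(), "treatment": r.treatment(),
        })
    return rows


def residual_summary(register: list) -> dict:
    """Counts for the board: how many residual risks are accepted vs. still open."""
    out = {"accept": 0, "treat further": 0}
    for r in register:
        out[r.treatment()] += 1
    return out


if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(f"{row['band']:6} {row['inherent']:2} -> {row['residual']:2} "
              f"{row['treatment']:14} {row['asset']} / {row['threat']}")
    print(residual_summary(REGISTER))
```

Run as a script it prints the plan in priority order; the one entry whose residual score still exceeds the assumed appetite (the single-administrator account) is flagged "treat further", which is exactly the kind of item that feeds back into the next iteration of the treatment plan rather than being accepted.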
Statement of applicability
ISO27001 requires a statement of applicability to be prepared that details whether each of the ISO controls has been applied, or not applied, to the information security management system. It was necessary to show, by example, how each control had been applied in the ISMS. There are 133 controls noted in the standard and the company found that 131 of these were applicable to MBSL.
The task of completing the statement of applicability was not too troublesome, having reviewed and developed additional controls during the work performed to date. It also acted as a control check on the work already completed and ensured all aspects and requirements of the standard had been considered.
Policies and procedures
The ISMS process drove the company to formalise the following documentation:
- Office policies and procedures;
- IT policies; and,
- IT procedures.
The office policies and procedures document is a large, comprehensive document which includes sections on:
- Personnel policies and procedures;
- Company financial policies and procedures;
- Client policies and procedures;
- General office policies and procedures; and,
- Information security management systems.
Considerable administration time was invested in the creation of a document that addresses all aspects of the organisation. The IT department prepared documents on IT policies and IT procedures that gave a formal structure to its method of operation and now allow the company’s IT function to be policy driven. The documents give the internal workings of the IT department a visibility they did not enjoy before.
ISO 27001 also forces an organisation to consider and test its business continuity plan, assessing how dependent it is on various aspects of the business and what would happen if any of those were removed from the equation.
The independent audit against ISO27001 took three days to complete. The first part took one day and dealt with ISMS controls, policies and procedures. The second part took place four weeks later and focused on testing the ISMS controls.
The company was granted certification on 27 January 2010. The certification is valid for three years and the company is independently audited against the standard every six months.
The project took 13 months to deliver, five months less than planned, with the commitment of the project team, matched by the commitment of everyone in the organisation. The company now offers an ISO27001 ISMS Consultancy Service to help other accountancy, professional services and legal firms achieve certification.
Karl Houghton FCCA is a director of MBSL. Email email@example.com
KEY POINTS LEARNED ALONG THE WAY:
- Know where you are before you start and what the gap is that needs to be overcome;
- ISO27001 requires additional formal documentation such as office and IT policies and procedures;
- Buy-in from staff must be top down;
- The process can be accelerated if you know the requirements and have access to relevant templates;
- The system is ever-evolving and must be updated regularly;
- Develop a risk methodology that can be applied consistently;
- Develop an information classification policy that suits your organisation; and,
- When it comes to information security, recognise that the more you know, the more you don’t know. Controls, policies and procedures are likely to be completely overhauled in the journey.