Securing your assets
28 Feb 2008
Topics: Information security, ISO/IEC 27001
Gemserv, a consultancy that advises on, defines and implements regulatory structures and governance frameworks for liberalising energy markets, recently achieved certification from BSI to ISO/IEC 27001 Information Security Management System (ISMS).
Gemserv routinely handles sensitive commercial and economic data on behalf of its public and private sector clients, which include several sector regulators in the UK and Ireland, the Carbon Trust and the Institution of Mechanical Engineers. The company identified ISO/IEC 27001 as a natural way to best serve its clients and enhance its reputation. By achieving ISO/IEC 27001 compliance and certification, Gemserv would demonstrate that it is "a safe pair of hands" for data security and business continuity, and also underline its commitment to best practice in all of its work.
"We saw ISO/IEC 27001 as a way to prove to ourselves that our information assets are secure," says Gemserv CEO Nigel Bromley. "It is also going to be an important tool to help us win more business. Certification will increasingly become a prerequisite for tenders, and we wanted to steal a march on our competitors."
Going through the process
According to project manager Dinesh Sharma, who works in the company's Assurance Team, "ISO/IEC 27001 reaches right through the organization and involves people in every department, so it is essential to be able to keep parallel and interlocking tasks constantly in your sights."
"Senior-level support is absolutely crucial," says Sharma. "ISO/IEC 27001 entails fundamental and long-term changes to how everyone works, so it is vital that all staff see the importance attached to it by top management. If people thought it was optional it would be difficult to deliver compliance with the standard. Throughout the project, I've had the full backing of Gemserv's senior management, as well as a very hard working and enthusiastic project team."
Gemserv decided early on that it wanted to run the project internally, rather than handing the task over to hired guns. However, to ensure that the company was working along the right lines, Gemserv approached BSI Management Systems.
As an accredited Certification Body, BSI is unable to provide any form of consultancy service. Whilst BSI must remain totally impartial, it is often asked for such recommendations. It therefore created the Associate Consultant Programme (ACP), a list of consultancies that are known to BSI. This is not intended as an endorsement of any one consultant's services, but all ACP members have demonstrated their experience with respect to certified management systems.
Through the ACP, Gemserv selected and brought on board ISO/IEC 27001 consultants IT Governance Limited to act as project coach.
Together, Gemserv and IT Governance agreed a five-stage project roadmap with regular checkpoints, when the consultants would visit the company to sample its work and offer any suggestions. In addition, IT Governance provided specialist training at the outset to equip Sharma and his team with the necessary knowledge and skills.
The project team included a representative of each company department. As well as helping to implement the programme, the members served as ISO/IEC 27001 champions by explaining the benefits of compliance to their immediate colleagues.
"The project team is most actively involved in the risk assessment phase, but we felt it important to give them an overview of the entire task and keep them closely informed throughout," says Sharma.
He adds, "Getting certified might look like the end game, but it's actually only the start. Once you have got your ISMS in place, you need to make it part of the company's culture - it requires on-going maintenance and attention."
Words of advice
For any organizations contemplating ISO/IEC 27001, Sharma has the following recommendations.
"It is essential that your team is properly trained. Part of my role has been one-on-one risk assessment training with each team member, helping them to build on their understanding and gain confidence," says Sharma. "You can't just send your team back to their desks and expect them to get on with it. If you think that sounds time-consuming, it would have been far worse to find out after three months that our entire risk assessment was flawed because of some basic misunderstandings."
Sharma advises companies not to underestimate the time required for risk assessment: "This was the one area where we had to extend our deadline. Risk assessments are very involved and, although I thought we had been generous on timing, it turned out that we had underestimated by about a third."
For more information on ISO/IEC 27001 certification: www.bsigroup.com/isms
For more information on ACP: www.bsi-uk.com/ACP
Business Standards © 2010. Editorial produced by Caspian Publishing in association with The British Standards Institution. Editorial opinions expressed are not necessarily those of BSI Group or Caspian Publishing. Neither Caspian Publishing nor BSI Group accept responsibility for advertising or editorial content, nor for that appearing on linked third-party websites. Reproduction in whole or in part is forbidden without written permission from BSI Group or Caspian Publishing.