
The Nesco Group

1. Introduction
2. Benefits of an ISMS
3. Why BS7799?
4. Certification with LRQA
5. About The Nesco Group

Case Study: The Nesco Group


“Certification to BS7799 has demonstrated that the Nesco Group is a secure organisation with which to do business. Achieving BS7799 is clear demonstration of our commitment to providing the very highest levels of information security.”

Tina Holt
Operations Director and Director of Security
Nesco Group

As an IT recruitment and training organisation, the Nesco Group was experienced in handling sensitive and confidential information. As the business continued to grow and the volume and sensitivity of both internally and externally generated information increased, so did the need for the Group to demonstrate a commitment to information security to its customers and prospects alike.

In recognition of the key role that information security would play in the realisation of its longer term business goals, the company took the decision to implement an information security management system (ISMS) and have this certified by LRQA to BS7799 part 2 – the first IT recruitment and training company in the UK believed to have taken this step.

The Cabinet Office requires UK Government Departments to have developed an ISMS and to have demonstrated compliance with BS7799-2:2002 for all their nominated key systems by the end of 2004. Private sector clients, too, are increasingly adopting BS7799 as a key differentiator and business-critical hallmark. In turn, they are seeking supply chain partners who can demonstrate the same level of commitment to information security.


Benefits of an ISMS

• As a significant supplier of services to the public sector, the Nesco Group identified BS7799 as a key differentiator within this increasingly important market sector. The Nesco Group knew that being one of the first IT recruitment and training companies to implement an ISMS certified to BS7799 would publicly reaffirm its commitment to data security and give its customers confidence that industry best practice was being rigorously followed.

• Commitment to the standard has already helped the company win business with a range of local and central government clients, in addition to several larger corporate clients within the private sector. Customers appreciated the assurance of Nesco's regular six-monthly external audits by an independent, accredited third-party certification body.

• It is vital that the company's recruitment and training activities are protected from security breaches or interruption. It was primarily for this reason that the company chose to achieve BS7799. The ISMS ensures that any risk to the Group's internal systems and the data they carry is controlled, and that the chances of a security breach or interruption are minimised.

• The ISMS features a strict security policy, supported by regular security forums and audits. The regime covers the physical security of all premises and IT assets, provides for back-up systems and a disaster recovery plan, and includes ongoing security training for all employees.


Why BS7799?

“Our recruitment and training customers trust us with their confidential information. Achieving BS7799 enabled us to reassure them that their trust was well placed.”

Brian Wilshaw
Senior Business Development Manager
Nesco Group

“As more and more of our recruitment and training services become electronically driven, the secure handling of data becomes more relevant and business critical. Electronic invoicing and timesheets, remote web-based recruitment, one-to-one mentoring and the facility to book accredited training courses online have presented our business with sound growth opportunities going forward,” comments Steve Bowyer, Managing Director of the Nesco Group.

“However, this also means a higher degree of risk. We face a real challenge to ensure that the environment in which we operate is as secure and trustworthy as possible.”

The Nesco Group’s core business remains focused on the supply of pre-vetted IT contractors and consultants, the delivery of accredited training, and project management and project assurance for third-party development projects, in addition to supported consultancy and mentoring. In 2002, the company became an S-Cat prime contractor, supplying services to central government departments, as well as holding ‘preferred supplier’ status with a range of private sector clients, including Centrica, Siemens Business Services, NTL and Co-operative Financial Services.

With such a high profile customer base, it was vital that the company was able to clearly demonstrate its commitment in securing its sensitive information. In the summer of 2003, Nesco took the first step in its journey by deciding to undertake a gap analysis. This gave a clear indication of the benefits to the company that certification to BS7799 could bring.

Full main board support from parent organisation NES quickly followed, and Red Island Consulting Ltd. was appointed to provide the advice and guidance that would be needed over the forthcoming months. Tina Holt, a director of the Nesco Group, was tasked with implementing the formal ISMS and seeking certification to the BS7799 standard.

The Nesco Group had already established a series of internal policies, covering computer and Internet usage, company-wide security and e-mail policies. These were adapted to create one of the cornerstones of the new ISMS.

From the start of the process, employees were encouraged to challenge and question even the most basic assumptions concerning data and system security. To Tina and the rest of the Nesco Group board, BS7799 went much further than simply ensuring that data was handled in a secure way. Nesco's information security team looked at every aspect of the business, from the signing-in of visitors to the regularity of system backups, and from the security of the Group's server rooms to security awareness training for all new employees.

Each member of staff has been given training appropriate to their role, and every new starter is subject to a detailed security induction, with six-monthly updates delivered via half-day seminars to all staff.

A guide to BS7799 was posted on the Group's Intranet, including the Nesco Group’s Information Security Policy, minutes from the Security Forum meetings, the Disaster Recovery plan and the Information Security Manual. To ensure that the policies were appropriate to their users, the Nesco Group’s information security team made sure that the terminology was suitable and that the policies were meaningful, based on an individual assessment of the information held and the risk involved. In this way, the team ensured that business units and individuals within the Group gained ownership of the ISMS and were able and willing to champion the cause.


Certification with LRQA

“We believe that certification will help us secure existing work and also win new business, by demonstrating to our customers how important we consider information security.”

Steve Bowyer
Managing Director of the Nesco Group

The first step in preparing for certification was to select a consultancy who understood the issues surrounding a business like the Nesco Group and who had the ability to help add real and tangible value to the existing system.

Specialist BS7799 consultancy Red Island Consulting Ltd. was selected primarily for its no-nonsense approach to risk management and to the likely impact of security breaches. Red Island worked closely with Tina Holt and her team to develop the systems and documentation needed to support a secure and robust ISMS.

Lloyd’s Register Quality Assurance (LRQA) was selected as the external assessment body and undertook the first stage assessment visit in August 2004, examining the policies, risk assessment and documented ISMS.

“The initial assessment was a valuable and positive exercise for us and, while the outcome was extremely good overall, there were one or two areas that the assessor highlighted to us where we needed to focus our efforts and resource before the second visit, primarily in conducting more internal audits. We were able to do this in the time between the first and second visits in September,” explains Tina.

“We found our assessor very knowledgeable with a good understanding of the needs of our business and how the ISMS fitted in. He earned the respect and admiration of our staff for his professional yet down-to-earth approach.”

“The cumulative impact of the assessment visits has been to make all employees far more aware of where the risks lie within the company, more vigilant in reporting of minor incidents and, ultimately, more supportive of our company vision for data security,” she concludes.


About The Nesco Group

The Nesco Group is the IT arm of NES, a £130m multi-disciplined recruitment services company.

Formed in 1981, the Nesco Group specialises in the provision of pre-vetted contract and permanent IT resources, in support of a wide range of business and technical disciplines. This year, its training services arm, Aim Academy, will train over 3,000 delegates to ITIL, Prince2 and MSP accreditation standard. At the time of writing, the Nesco Group is the only IT recruitment and training company in the UK to have achieved BS7799 certification with LRQA.

About Red Island Consulting

Red Island Consulting is one of the UK's leading BS7799 consultancies. Red Island is part of Panacea Services, a major UK IT services provider. Red Island has taken a number of organisations to certification and/or compliance, including central, local and non-departmental government bodies, blue chips, ISPs, telcos, financial institutions and NHS Trusts.

Lloyd's Register Quality Assurance • A member of the Lloyd's Register Group
