Case study: The Planning Inspectorate
Background
The Planning Inspectorate is an executive agency of the Department for Communities and Local Government and is responsible for the processing of planning and enforcement appeals, and public examination of local development plans. It also deals with a wide range of other planning related work including listed building consent appeals, advertisement appeals and reporting on planning applications called in for decision by the Department for Communities and Local Government or The Welsh Assembly Government.
Other casework includes compulsory purchase orders, rights of way cases, and cases arising from the Environmental Protection and Water Acts, the Transport and Works Act and other highways legislation.
For further information about the work of The Planning Inspectorate visit: www.planning-inspectorate.gov.uk
Implementing the System
The Inspectorate first started looking at implementing a formal information security management system (ISMS) nearly three years ago, following a reorganisation. Processes and procedures covering IT security support to the business had been in place for many years, but it was felt appropriate to review them after central government took a stronger line requiring all government departments to comply with ISO 27001.
Ian Elliott was brought in from another part of the organisation to head up the new team responsible for protecting IT assets and data, working alongside parts of HR, Physical Security and Purchasing and covering around 70 people. The new team was to include a Configuration Manager, an IT Security Officer and a Data Manager Officer.
“On first inspection, we thought our existing processes were robust enough and it would simply be a case of spending time with our consultant in going through the documentation, rewriting where necessary and really just tightening up on certain aspects. However, looking at it with a critical eye we could see that what we said we were doing on paper wasn’t always the case in reality,” explains Ian Elliott, Project Manager. “We have always needed to comply with internal Government procedures so we knew the systems were adequate but we were lacking documentation and rigour in some areas.”
Assessing the risk
One of the areas the team has spent time improving is risk assessment. The approach has changed markedly over the last three years: initially disjointed, it has matured beyond simply setting up spreadsheets. A risk assessment process had always existed, but it was recognised that it needed strengthening. The team began with a number of different spreadsheets, but in assessing the risk it became clear that these were not sufficient. Instead, the team established a programme of face-to-face interviews with staff to check whether what was recorded on paper actually happened in practice. Although lengthy and time consuming, this exercise was invaluable in identifying and ironing out ‘home made’ processes.
There were also issues around how risks were captured and how they fed back into the process. It was here that the team received valuable guidance from their LRQA assessor, John Slape. “Our assessor was able to give us pointers in making sure the results were recorded in a more usable way. He advised that the acceptance of the risks was too low and suggested that the asset owners needed to accept the risk rather than the project team. This was about putting the onus back onto them to accept ownership,” explains Ian.
“Security is everybody’s issue. That is clearly understood by our people but it hasn’t always been that way. When we began reviewing the ISMS we felt information security was seen as a bit of a nuisance. The systems had always been adequate and we had not suffered any serious loss of data. Now they report losses however insignificant, together with suspect or phishing emails. They do this because they are aware we keep records and a log of events which gets reported on a regular basis to senior management. In short, people are more aware of what could happen - the security culture has changed.”
Certification: Working with LRQA
“How can you prove that you are compliant with ISO 27001 without getting externally audited? We decided from the outset to go for certification.” Ian Elliott, Project Manager, The Planning Inspectorate.
External certification had been the goal from day one, and a decision was taken early in the process to go out to tender to third-party certifiers. The tendering process produced a shortlist of two, including LRQA. During the interview stage it became clear that LRQA’s approach and process were in keeping with the Inspectorate’s requirements.
“We felt LRQA’s approach would be more beneficial. We felt comfortable that during the audit process we would be given direction and support and, while it was still down to us to do the work, we would have the guidance to get where we wanted,” comments Ian.
“We weren’t sure what to expect from our first assessment. We thought that our processes worked well and it came as something of an eye-opener when our assessor came in and started to look closely at what we did and why. We had a number of non-conformities which prompted us to re-examine key areas such as risk assessment and business continuity which in turn drove improvement.
“In particular our assessor was able to give guidance in recording the extra controls that were put in place, such as internal audits, and then placing this into the Statement of Applicability so it cross references. This turned what had been disjointed into one joined up process that has grown and matured with the business.”
“Having an assessor with the breadth and range of experience and skills that our LRQA assessor is able to bring to the table has been invaluable. The assessment process has been a useful process and importantly, it keeps us on track,” Ian concludes.
Learning points
The IT Support team offer an insight into their experiences and provide some useful advice for others considering implementing a certified ISMS.
- Consider certification and do not be worried about failing. If you receive a number of non-conformities from your external assessor treat these as learning experiences and an opportunity to improve on what you have.
- Talk to your people! Find out what they are doing and why they are doing it. During our audits, we found some ‘home made’ processes that needed to be brought into the system. Let your people know what you expect of them; this is an important element of staff taking ownership. Encourage them to report losses or suspect emails, however insignificant; it will help build a picture.
- Make sure that all new employees get an introduction to basic information security processes during their induction period. Let them know right from day one that it is important to ask questions if they’re unsure about certain aspects of security. Our aim from day one of their employment is to encourage them to ‘think security’ at all times.
- Use your Intranet to update your people on what is happening and things that you find out about. Our people when logging on are given regular updates that they need to ‘sign off’ to say they’ve read, similar to online banking processes. This is recorded and shows that people have read (and hopefully understood) the implications.
- Build a relationship with your external assessor and use them as a sounding board for any queries you might have. Listen to what they have to say but don’t be nervous of asking questions and challenging opinions. Engage with them and use their visits as an opportunity to learn.
- Stay focused. We have had a challenging time in implementing a system and in getting certified. It is a dynamic process and as the business needs change so does the need to adapt the system. Continue with the continual improvement cycle and remain committed. We know that in the long term having a certified ISMS will save time, and enable us to be more efficient and effective.
A member of the Lloyd's Register Group. © LRQA 2010
Page last modified on 29 April 2009


