ISO 27001 Case Study: Imprima
Background
“ISO 27001 is a pragmatic risk management based solution. It has generated a change of culture within our organisation.” – Paul Lyrick, Imprima
When financial communications company Imprima needed to assure its key clients that it had the appropriate controls over the use and availability of sensitive information, it turned to the international standard, ISO 27001.
Over the preceding few years Imprima had evolved from a traditional financial printing company, producing financial documents (e.g. offer documents, prospectuses and placings) as well as annual reports for PLCs, into a provider of a broader range of online services. The change had begun in 2005 with the launch of a website to store confidential documents for its client base – in the main, large law firms, investment banks and UK corporates.
The move was to prove so popular that iRooms, its virtual data room product, took on a life of its own. With iRooms, Imprima was able to offer a system for clients to upload confidential information for selected viewing. For those involved in mergers and acquisitions, the need to ensure absolute confidentiality – and accessibility at all times – to the appropriate people was crucial. Any server downtime or lapse in security would be extremely costly on a number of fronts. Added to which, clients were also beginning to ask about the arrangements Imprima had in place to safeguard against unwanted access to their information while ensuring it was constantly available to those who needed it.
While Imprima had always taken confidentiality seriously it recognised there was a need for a more structured and holistic approach to risk management. Importantly, it needed to publicly demonstrate its capability if it was to continue to grow.
Implementing the system
“Every business should be doing this and when you sit down and explain the standard and what you’re looking to achieve, people understand.” – Paul Lyrick, Imprima
“Gaining approval to ISO 27001 wasn’t going to be just another IT project. Having had experience of customer relationship management, I knew from the outset this would be a change management project. It forced us to drop back to basics, to look at our existing risks,” commented Paul Lyrick, Imprima’s IT Manager. “Every business should be doing this and when you sit down and explain the standard and what you’re looking to achieve, people understand. In short, it has been a governance project.”
Paul Lyrick had joined Imprima in the summer of 2007. Within his first week with the organisation he was tasked with putting in an information security management system (ISMS). The goal from the beginning was to gain external approval to demonstrate to clients and others that Imprima could be trusted with their information.
Following initial research, Paul put together a project plan, explained to his Board what was involved and was given sign-off on resources, namely a budget to bring in consultants and an assistant to help with the day-to-day tasks.
Paul chose to work with IT Governance, a specialist risk management and information security company. “I decided from the outset that we needed a comprehensive and sustainable system that covered all parts of the business and not just a badge on the wall to flash at prospective clients.
“It was clear to me even at pitch stage that the consultants at IT Governance not only cared about the standards, but were serious about the project and importantly were realistic in their approach. They didn’t start talking about short cuts or guaranteed success. They were clear about what would be involved in this size and scale of project.
“Once I had decided to use IT Governance, they came in to give an overview of the journey ahead to our senior managers. They knew their stuff and were entirely credible. They delivered what they promised and I was under no illusion that if things didn’t keep moving on my side, I would be letting them down.”
Following comprehensive implementation training for the key project members, consultancy support was targeted at key parts of the programme, with help given at strategic points along the way: an initial tranche while the wider programme was being set up, directed at establishing the risk assessment and the asset register, and a second tranche towards the end, making sure that the controls that were introduced were appropriate.
Changing the culture
In the two years and four months that it has taken to complete this project, the culture has changed radically at all levels throughout the organisation. Attitudes towards the need to implement a system with such an extensive and inclusive scope, and towards the standard of security itself, slowly changed as the project progressed.
Paul explains. “Initially some in the business wanted to know why we weren’t adopting SAS70. I felt this was more of a data centre standard which simply didn’t have the scope of an ISO programme. In the early stages, the project did seem a little abstract; however, with the risk assessment came greater understanding. And through the awareness and training initiatives we had in place came an attitudinal shift. Suddenly our colleagues wanted to know when we were going to get ISO 27001.”
Tried and trusted methods of communicating and putting changes in place have been used. Choosing ‘champions’ in key positions throughout each of the five offices of the group has been useful in helping nurture and communicate change. This proved particularly useful when there were difficult changes to implement. At the same time, the company was also successful in centralising many processes.
Although the implementation has been a long and sometimes difficult journey, Imprima has achieved certification because of the cooperation received from all quarters. The internal audits and other controls that were put in place, such as the Security Committee and the incident reporting procedures from its risk treatment plan, remain daily reminders of the system.
Certification
“It is beyond doubt that our information security management system is now a piece of infrastructure that helps run our business.” – Paul Lyrick, Imprima
Paul set about choosing his certification body as he did the consultancy. “LRQA stood out as the best choice. As an international company, we needed to partner with a certification body that was known in the regions in which we operate. The Lloyd’s name is trusted and recognised on the international stage. Secondly, they were the only one of the three I had invited in who proposed a six-monthly surveillance visit. This was important to us. It allows us to keep our system on track.”
Although certification had been the goal from the outset, Paul left it fairly late in the process to select the certification body. This was in part to make sure that the system was well established, as he explains. “We wanted to make sure we got through first time without a long list of observations, and as the visit drew closer we were nervous. We really didn’t know what to expect from the visit.
“As it happens we shouldn’t have worried. Maria McKellar, our assigned assessor was extremely thorough. I was particularly impressed with the way she managed to focus our people and draw the information from them that she needed. It really wasn’t like having a financial audit where someone comes in and disappears into an office. Maria came in and engaged with our people and the feedback from all offices was positive.
“The practical benefits from the visits have been felt in a number of ways. For example, Maria was able to point out where we could have greater standardisation with documents. In one specific example, she was able to offer advice on pushing out the revision dates of key documents held on our intranet. We had automatically put 12-month revision dates on all documents from date of issue. This was clearly overambitious and she suggested we push this out to 18 months where appropriate. A simple change. But one which has already saved us time.”
While it is still relatively early days, the benefits from having put in the system are already being felt throughout the organisation. The company no longer needs to rely on managers’ due diligence to complete certain tasks or on the self-awareness of staff to carry out their duties. The ISMS has become a reference in so many ways – for sales managers who are talking to potential new clients and when responding to questionnaires.
“I would say that it’s beyond doubt that our information security management system is now a piece of infrastructure that helps run our business,” concludes Paul Lyrick, Imprima.
Learning points
Are you considering implementing a certified information security management system? In this section, Imprima’s Paul Lyrick offers valuable insight into his team’s experience of gaining ISO 27001. We also give the consultant’s viewpoint, with Nick Orchiston from IT Governance Ltd offering some pointers.
Paul Lyrick, Imprima:
- Make sure you have the right support from the outset and set expectations with your Board that you need to budget properly for this
- Do not choose the DIY route unless you have experience
- Choose a good consultancy – one you feel comfortable with interviewing key people within your organisation
- Get buy-in from your people
- Get trained – the more people from your organisation that can attend auditor courses the better. It is important to have a thorough grounding in the subject.
- Given my time again, I would have external people carry out the risk assessments. This would have helped focus people’s attention on what is needed from them
- Properly review the tool you intend to use for storing your information asset register and risk assessments. Try before you buy.
- Make sure that HR has its name in large print on this programme with you. ‘Disciplinary action’ is a control that will be sprayed everywhere on the risk treatment plan. It is important HR is there to help you get all managers bought into this should things head in that direction.
Nick Orchiston, IT Governance Ltd:
- Have a clear project plan that is realistic
- Allow sufficient time but not excessive time as this can lead to project slippage
- Stick to the project plan and review frequently
- As part of your planning, ensure you get the right people on board at the right time
- The kudos from using a trusted, recognised certification body means your certificate will be recognised both here and abroad
- Choose project partners that understand your organisation, your unique set of circumstances and check that they are using experienced and skilful advisers and auditors.
Imprima is a financial communications provider delivering bespoke, flexible and professional services to companies, banks, lawyers and advisors. Services include provision of virtual data rooms, collaborative workspace for professional document drafting and production of corporate reports and related financial documentation. For more information visit: www.imprima.com
IT Governance provides specialist services for IT governance, risk management, compliance and information security. Visit www.itgovernance.co.uk for a wide range of corporate and IT governance information, books, tools, training and consultancy.
17 May 2012