Tribal Gains ISO 27001 Months Ahead of Schedule
This case study shows how IT Governance helped Tribal achieve ISO 27001 certification.
Tribal case study
Tribal needed to achieve compliance with the ISO 27001 standard to support the delivery of their world-class education, learning and training services. Their extensive expertise in education and technology, and their collaborative partnership style, have made them a trusted name, so it was important to adopt information security best practice to match this reputation. The senior managers responsible planned their Information Security Management System (ISMS) based on an appropriately detailed risk assessment, with help from IT Governance consultants.
The challenge was to apply the required controls identified in accordance with ISO 27001 best practice across several sites within a rapidly expanding and profitable enterprise, without slowing down operations. Maintaining Confidentiality, Integrity and Availability of information is part of ‘business as usual’.
Background
Tribal supports the delivery of education, learning and training services around the world. They build world-leading software, support adult learning, careers and professional development, and provide educational inspections and improvement services, both in the UK and abroad. Tribal works in partnership with a wide range of organisations, including schools, colleges and universities, prisons and social services, government agencies, and large and small employers. With 1,300 staff, their work spans five continents.
Mike Annett, Technical Director, Architecture and Design, Mike Fegan, Director of Projects (Services), and Kathryn Harris, Project Manager, were tasked by Tribal’s Board with achieving ISO 27001 certification. The principal motivations for the project were, firstly, to gain commercial advantage for the Group by promoting compliance and, secondly, to improve cybersecurity in line with ISO 27001 best practice in what was already, thanks to the confidential nature of the client records they hold, a security-conscious organisation.
Requirements
Tribal’s technology products and services include market-leading software and related services to support education, training and learning. Protecting the confidentiality of the groups and individuals served by Tribal’s clients at all times – e.g. school students, apprentices, prisoners – had to be the team’s primary consideration; both to meet their moral obligations and client contractual requirements, and to avoid reputational damage that could impact on Tribal’s stakeholders.
Other considerations discussed with IT Governance consultants included increasing organisational efficiency, incorporation of IT security into Tribal’s Enterprise Risk Management (ERM) processes, and the eventual adoption of ISO 27001 throughout the Tribal Group.
Process
From the outset, the Tribal team benefited from senior management backing. In Mike Annett’s words: “The full support and approval from Tribal’s Board for the implementation of ISO 27001 was a vital first step in setting up the ISMS. As an organisation, we were certainly not novices at handling sensitive data. However, we knew that such a far-reaching project could only be achieved by starting at the top. Board-level IT governance is undeniably one of the critical components of corporate governance. Through this important information security project, Tribal as an organisation has demonstrated its capabilities.”
Mike Fegan echoed Mike Annett’s comments in saying:
“There was real value in adopting ISO 27001 in bringing the employees of Tribal together. We all saw this as a key management project. The requirements of the ISMS framework mean that team collaboration in the implementation process is an inevitable feature – but as we have found it can also be highly productive.
“One of the benefits of working with expert consultants from IT Governance Ltd was the speed with which we were able to organise our efforts based around their in-depth knowledge of the standard. This streamlined the process in terms of time spent attending meetings and telephone conferences, and exchanging lengthy and detailed emails.
“In fact, we were able to do most of what was needed to progress towards our certification audit stage without the need for frequent communication, thanks to excellent deployment plans that IT Governance helped us to construct. Knowing precisely what we needed to do and achieve at the different stages really helped to reach the required standard. There is a great deal to work out when you embark on an ISO 27001 certification journey: finding it all out for yourself through trial and error is no substitute for the knowledge transfer process that IT Governance build into their consultancy.”
How ISO 27001 would fit with other management disciplines supported within the organisation (e.g. ISO/IEC 22301/BS 25999-compliant Business Continuity Planning) was a key consideration for the team at the project scoping phase. To quote Mike Annett, “We needed to see how ISO 27001 would fit into the big picture of Tribal’s business processes. At the same time, we knew that BCP was a part of the ISO 27001 standard. Our IT Governance consultants were able to show us how to integrate our standards approaches in an effective and timely manner – mapping the relevant policies, procedures, processes and controls. We felt that we knew where we were, and where we were going, at every stage in ISO 27001. Our IT Governance Consultants, Ralph O’Brien and Mark Benn, kept us all on track.”
On the subject of training, Kathryn Harris valued the IT Governance Lead Implementer course: “The approach taken by IT Governance and the value of the training in terms of management systems for information security is something that I found very helpful. I especially valued the knowledge of the course leader, combined with group discussions and debates with other trainees from companies and organisations with different levels of information security knowledge. ISO 27001 is a demanding discipline and I felt that the Lead Implementer course gave me a good grounding to manage Tribal’s ISO 27001 scope extension to our Bristol office.”
All three managers spoke of the level of buy-in and positive support from Tribal’s management teams and staff throughout the organisation during the planning and implementation of the project.
“The risk assessment process for ISO 27001 fitted in particularly well with the Tribal risk management framework. We are one of the few organisations to incorporate information security risks in our overall risk assessment strategy. This means that our risk assessments are much more inclusive than those of some companies at the moment, factoring in every type of threat, including worst-case scenarios such as hacking attacks on confidential data and the magnitude of the potential loss. Hence, we end up with an objective evaluation of risk in which there are very few assumptions and uncertainties about the effectiveness of our information security when and where it matters. All the relevant facts are clearly considered and presented.
“IT Governance was able to guide our implementation team from the initial phases; from suitably informed management support, to scoping, planning, communication, risk assessment, control selection, documentation, and testing … right up to the external audit by our chosen certification body, Bureau Veritas, leading to certification. Each step required us to understand what was being asked of us, and IT Governance consultants were there to ensure that we were ready.”
Outcome
After an intensive 8 months of consultation, design, documentation and detailed project implementation, Tribal’s ISO 27001-compliant ISMS was audited by the UKAS-accredited certification body (CB), Bureau Veritas, in February 2012 and recommended for certification.
In addition to improved security, the Tribal team has identified several other benefits derived from ISO 27001 compliance. These include improved operational efficiency, confidence in the appropriateness and effectiveness of policies and procedures, and the application of a formal framework to already stringent security, so that everyone working with confidential data is assured that the controls in place are working.
To quote Mike Annett: “We were all extremely pleased with the result, knowing how difficult it is for a large and growing organisation such as the Tribal Group to achieve ISO 27001 compliance in under one year. It’s a complex area and we’re glad that we had expert help on hand.”
Next Steps
The Tribal team will continue to test and develop their ISMS, calling upon the support and assistance of IT Governance when it is needed. Preparation for regular external audits by Bureau Veritas is one area where the consultants could be asked to help with maintenance.
They are looking forward to working with IT Governance in the future.