IT Governance Smoothes the Way to ISO 27001 Certification for IMS Hospital Group
This case study shows how IT Governance helped IMS Hospital Group achieve ISO 27001 certification. Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on 00 800 48 484 484 to discuss your own ISO 27001 consultancy requirements.
IMS Hospital Group case study
Pharmaceutical data provider IMS Hospital Group needed to achieve ISO 27001 certification in short order to meet the requirements of a potential provider of valuable market information. With the support of IT Governance’s consultancy, training and specialist compliance products, IMS was comfortably able to meet the requirements of its two-stage audit, despite a demanding time scale.
Background
The success of a pharmaceutical company depends on long-term, complex drug development, patent protection and good patient safety records. Inevitably, the risk of litigation in all these areas is a real business issue. Data security is therefore a significant concern, and robust, effective measures are required to keep an organisation’s information watertight and to limit its exposure to legal action.
As a significant source of sensitive industry data, IMS Hospital Group (‘IMS’) is subject to the same stringent demands as its pharmaceutical clients and, in common with other organisations, is experiencing growing pressure to demonstrate good practice in information security.
IMS was already subject to its parent company’s strict privacy and data protection policies. However, a potential new source of data, a government health organisation, stipulated that IMS should also be certificated to ISO 27001, the global best practice standard for information security management.
IMS recognised that, as well as satisfying the immediate demands of this particular organisation, ISO 27001 certification would be a source of reassurance to others. While its parent company already had externally audited policies, independent confirmation that IMS maintained best practice information security could only add to its own reputation, helping to attract future contracts and information sources.
Requirements
As IMS had no existing internal knowledge of ISO 27001 certification, in early 2007 it appointed IT Governance to undertake an initial appraisal of its needs and advise on a course of action. As IMS’s ISO 27001 compliance project manager Chris Lofts confirms, the company was quickly convinced of IT Governance’s expertise in the area:
‘Through our phone calls and subsequent meeting, it became apparent that IT Governance had a real depth of expertise in ISO 27001 and practical experience that was very relevant to our situation.’
Process
Guided by IT Governance’s outline recommendations, IMS initially set about pursuing ISO 27001 compliance as an in-house project.
The work of the IMS team was aided by two products from IT Governance’s range of specialist compliance tools: risk assessment software tool, RA2, the Art of Risk, which is designed to enable businesses to undertake an information security risk assessment that is compliant with the Standard; and the ISO 27001 ISMS Documentation Template Toolkit, which supplies prewritten policies and procedures designed to fast-track any ISMS project. The company also called in a consultant from IT Governance on an occasional basis, to discuss and advise on particular aspects of their programme. The consultant also advised IMS on how to make best use of its RA2 software and ISMS Toolkit, helping to tailor these to the specific needs of the organisation to speed the compliance process.
However, a change in priorities within the business meant that IMS was suddenly placed under even greater pressure to achieve its ISO 27001 certification, with the deadline brought forward by almost three months. At this stage, it was decided to engage IT Governance on a more intensive basis, so as to accelerate IMS’s preparation.
The new engagement began with a strategy and planning session, at which both companies worked together to agree the roadmap for the project and milestones at various critical stages. As part of this process, it was also necessary to assess the current skills and knowledge of the IMS in-house project team.
As project manager, Chris Lofts had recently attended two of IT Governance’s expert training courses: a three-day ISO 27001 Implementation Masterclass and an ISO 27001 Internal Auditor Course. The Masterclass included a very relevant study of accelerated certification projects, which enabled Chris to appreciate some of the pressure points and issues that were likely to occur. However, to extend relevant skills to other members of the team, it was decided that IT Governance should also put IMS’s internal quality management system auditors through an ISO 27001 Internal Auditor Transition Training Course.
IT Governance’s experience of guiding many other businesses through information security certification proved very helpful, as Chris Lofts explains, ‘The correct approaches for ISO 27001 compliance are not immediately obvious from reading the Standard alone. It was immensely useful that IT Governance could talk about its experiences across various industries and advise on practical approaches that would offer the most efficient route.’
At this stage, the IMS team was ready to tackle its tasks in a concerted fashion. However, the IT Governance consultant maintained contact with Chris Lofts throughout and visited the company again at each of the project milestones, so as to sample and review the team’s work and provide guidance on various aspects of the implementation. The consultant also helped IMS undertake a dress rehearsal prior to its Stage 2 audit, which ensured that the company was as ready as possible for external scrutiny.
Outcome
IMS’s Stage 1 audit took place in February 2008, when auditors from BSI visited to inspect the company’s ISO 27001 documentation. The visit passed off entirely successfully, and IMS was advised that it should proceed to a Stage 2 audit in April, when BSI would subject the company to far greater scrutiny on how its policies and procedures were applied within the business.
This second audit proved similarly successful, with only one minor non-conformance identified that was swiftly corrected by the IMS team. The company went on to receive its ISO 27001 certification that same month, fully achieving the demanding challenge it had set itself within the revised, tighter timescale.
Looking back at the project, Chris Lofts says that IT Governance provided invaluable support to his team: ‘They understand the subject matter both at a theoretical and practical level, which helped guide us to the approach that would get us there fastest. We might otherwise have gone about things in other ways, which would have made the deadline impossible to achieve. The other important point was that IT Governance gave us everything we needed, from advice, to training, to purpose-built tools – that covered off all our needs very quickly and meant we had more time to spend on achieving our goal.’
He also emphasises that IT Governance’s support goes further than just enabling a successful certification: ‘Rather than saying “Let’s just get through the audit”, IT Governance approaches the certification process from a standpoint of real-world business benefits, and has helped us make it a part of how we approach our work.’
Being ISO 27001 certificated has added significant value to IMS’s business. Not only has it gained an important data supplier, but, as Chris Lofts says, ‘It demonstrates to all our suppliers and clients that we uphold best practice, and underwrites the quality and integrity of our finished product.’
Just as we have helped IMS Hospital Group achieve ISO 27001 compliance on time and within budget, so we can help you. Call us now on 00 800 48 484 484.