IT Governance Smoothes the Way to ISO 27001 Certification for IMS Hospital Group

This case study shows how IT Governance helped IMS Hospital Group achieve ISO 27001 certification. Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on 00 800 48 484 484 to discuss your own ISO 27001 consultancy requirements.


IMS Hospital Group case study

Pharmaceutical data provider, IMS Hospital Group, needed to achieve ISO 27001 certification in short order to meet the requirements of a potential provider of valuable market information. With the support of IT Governance’s consultancy, training and specialist compliance products, IMS was able comfortably to meet the requirements of its two-stage audit, despite a demanding time scale.


Background

The success of a pharmaceutical company depends on long-term, complex drug development, patent protection and good patient safety records. Inevitably, the risk of litigation in all these areas is a real business issue. Data security is therefore a significant concern, and robust, effective measures are required to keep an organisation’s information watertight and to limit its exposure to legal action.

As a significant source of sensitive industry data, IMS Hospital Group (‘IMS’) is subject to the same stringent demands as its pharmaceutical clients and, in common with other organisations, is experiencing growing pressure to demonstrate good practice in information security.

Click here to read more »


Requirements

As IMS had no existing internal knowledge of ISO 27001 certification, in early 2007 it appointed IT Governance to undertake an initial appraisal of its needs and advise on a course of action. As IMS’s ISO 27001 compliance project manager Chris Lofts confirms, the company was quickly convinced of IT Governance’s expertise in the area,

“Through our phone calls and subsequent meeting, it became apparent that IT Governance had a real depth of expertise in ISO 27001 and practical experience that was very relevant to our situation.”


Process

Guided by IT Governance’s outline recommendations, IMS initially set about pursuing ISO 27001 compliance as an in-house project.

The work of the IMS team was aided by two products from IT Governance’s range of specialist compliance tools: risk assessment software tool, RA2, the Art of Risk, which is designed to enable businesses to undertake an information security risk assessment that is compliant with the Standard; and the ISO 27001 ISMS Documentation Template Toolkit, which supplies prewritten policies and procedures designed to fast-track any ISMS project. The company also called in a consultant from IT Governance on an occasional basis, to discuss and advise on particular aspects of their programme. The consultant also advised IMS on how to make best use of its RA2 software and ISMS Toolkit, helping to tailor these to the specific needs of the organisation to speed the compliance process.

However, a change in priorities within the business meant that IMS was suddenly placed under even greater pressure to achieve its ISO 27001 certification, with the deadline brought forward by almost three months. At this stage, it was decided to engage IT Governance on a more intensive basis, so as to accelerate IMS’s preparation.

Click here to read more »


Outcome

IMS’s Stage 1 audit took place in February 2008, when auditors from BSI visited to inspect the company’s ISO 27001 documentation. The visit passed off entirely successfully, and IMS was advised that it should proceed to a Stage 2 audit in April, when BSi would subject the company to far greater scrutiny on how its policies and procedures were applied within the business.

This second audit proved similarly successful, with only one minor non-conformance identified that was swiftly corrected by the IMS team. The company went on to receive its ISO 27001 certification that same month, fully achieving the demanding challenge it had set itself within the revised, tighter timescale.

Looking back at the project, Chris Lofts says that IT Governance provided invaluable support to his team, ‘They understand the subject manner both at a theoretical and practical level, which helped guide us to the approach that would get us there fastest. We might otherwise have gone about things in other ways, which would have made the deadline impossible to achieve. The other important point was that IT Governance gave us everything we needed, from advice, to training, to purpose-built tools – that covered off all our needs very quickly and meant we had more time to spend on achieving our goal.’

He also emphasises that IT Governance’s support goes further than just enabling a successful certification, ‘Rather than saying “Let’s just get through the audit”, IT Governance approaches the certification process from a standpoint of real-world business benefits, and has helped us make it a part of how we approach our work.”

Being ISO 27001 certificated has added significant value to IMS’s business. Not only has it gained an important data supplier, but, as Chis Lofts says, ‘It demonstrates to all our suppliers and clients that we uphold best practice, and underwrites the quality and integrity of our finished product.’


Download this case study now 

To get a PDF version of this case study enter your email address below and we will send you a copy straight away.

 

Just as we have helped IMS Hospital group achieve ISO 27001 compliance on time and within budget so we can help you. Call us now on 00 800 48 484 484.

 

top