A critical national infrastructure firm processing monthly automated payments with a peak value of over GB£360 billion asked us to assist with its ISO/IEC 27001 certification process.
With ISO/IEC 27001 controls as drivers, we undertook a detailed review of the Governance, Delivery and Assurance aspects of the company’s Information Security Management System (ISMS). First, we assessed whether the model defined mandatory security requirements to ensure the consistent governance of security. We then assessed whether the delivery teams had the resources and knowledge to defend the business against technically complex or new cyber threats. Under assurance, we evaluated the adequacy of the tracking and reporting on the effectiveness of security processes. For example, we visited the company’s data centres to assess the adequacy of physical controls against crime, natural disasters and national security threats including terrorist attacks.
The assessment outlined areas of weakness and strength and provided a remediation roadmap and action plan that helped the company gain certification by enabling timely changes to the security organisation, asset handling and personnel controls. In particular, we designed a new Target Operating Model that helped clarify IT security responsibilities and enabled coordination between delivery and assurance teams.