Welcome to DenuoSource
ISO 27001 certification

Introduction and Background
With worldwide competitive pressure, organizations are trying to reduce costs, speed up the supply chain and improve service. This has encouraged the creation of partnerships and the reduction of duplicate costs within a supply chain.

One way to achieve these aims has been the sharing of commercially sensitive information. However, there is concern about the security of such information once it is passed to other organizations in the supply chain.

To address this concern, as well as other security issues, implementing the ISO 27001 standard provides externally assessed checks of data security. ISO 27001 does not cover only the security of electronic data, and therefore it is not solely the concern of IT or computer specialists.

ISO 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

Under these circumstances, DenuoSource decided to implement an Information Security Management System in accordance with the requirements of ISO 27001:2005 in mid-2009. The motivation behind the effort was purely the improvement of the existing information security system, with a view to maintaining the confidentiality, integrity and availability of data and thereby enhancing customer satisfaction. Unlike many other organizations, for which achieving the ISO 27001:2005 certificate is a contractual requirement, DenuoSource (DS) takes it as an opportunity to improve its set-up and operations through a documented Information Security Management System within the context of DS's overall business risks.

The Road Map
The following steps were taken during the journey to certification:

a) Defining the scope
It was decided to implement ISO 27001:2005 at Hyderabad as a pilot study, with the scope subsequently to be extended to the Dallas office.

b) Formation of steering committee
The steering committee consisted of the Chief Security Officer, the ISMS Administrator, the Key Accounts Manager, the Managing Director – Hyderabad and the President as its chairman. The Steering Committee was entrusted with complete responsibility for monitoring the progress of the project.

c) Documentation of information security system
This was the lengthiest and most hazardous step. The approach adopted was (i) documentation of the existing system, (ii) comparison of the existing system with the elements of ISO 27001:2005 and (iii) identification and removal of discrepancies. Development of the initial documentation, consisting of the ISMS Policy Manual, SOA, ISMS procedures, information asset classification, risk assessment and business continuity plan, took about six months.

d) Implementation of the information security system
The documented information security system was implemented in all working areas under the supervision of the Steering Committee members.

e) Defining interface with the support functions
Interfaces with support functions such as Systems, Administration, Commercial and HR were defined, and an Operational Level Agreement was signed with each support function.

f) Internal auditing
Internal audits were conducted at regular intervals by trained internal auditors. The findings of the audits were summarized and presented by the CISO in the management review meeting. Based on the recommendations of the management review committee members, appropriate corrective and preventive actions were initiated.

g) Certification audit
DS's Stage 1 internal audit took place between 16th Sep 2009 and 18th Sep 2009; auditors from DNV then visited to inspect the company's ISO 27001 documentation on 26th Nov 2009. The visit passed off entirely successfully, and DS was advised that it should proceed to a Stage 1 audit at the Dallas office on 9th Jan 2010, when the assessing body would subject the company to far greater scrutiny on how its policies and procedures were applied within the business. This second audit proved similarly successful, without any non-conformity. The company expects to receive the certificate by March 2010.

The Success Keys
a) Planning and Communication
We spent a significant amount of the project time on planning ahead of implementation, and this has greatly helped us avoid many of the common pitfalls. A lot of time also went into understanding the issues and communicating objectives and benefits as simply and clearly as we could to users.

b) Senior Management Team Involvement
Absolutely key to the success of the project was, and is, the support and encouragement provided by the Senior Management Team. Information security is now a regular feature of management review meetings and there is a genuine appetite for ongoing improvement and addressing security issues.

c) Integrating into ‘Business as Normal’
It is essential that information security is seen as a normal everyday activity. This has been achieved by delivering information security awareness training sessions and by including information security as a regular agenda item at business meetings.

d) Security Awareness
The ISMS Administrator and the core implementation team deliver security awareness training to DS staff.

e) Getting Scope Right
With hindsight, I do feel that we got the scope of the ISO 27001 certification just about right: a scope that was meaningful and challenging, but achievable. Our assessor was a great help here in expediting our decision regarding what was in and out of scope.

The Benefits
a) Improved Security Environment and Greater Transparency
It has certainly led to a tangible difference in the organizational culture. There is, for example, a far more open and transparent environment in the reporting of security events or breaches. This is absolutely key if we are to be effective in implementing corrective and preventive actions.

b) Stronger Policies and Operational Procedures
One of the key risk treatment activities was the need to develop stronger, up-to-date policies and the need to identify and document all operational procedures. DS's ISMS Policy Manual has been pivotal in communicating the high-level information security objectives to all staff. The documentation of operational procedures has also been extremely beneficial in helping the Service to reduce the risks associated with information being held in people's heads and with 'single points of failure'.

c) Good Corporate Governance
Senior management is aware that it can never have a 100% secure environment. What ISO 27001 certification does provide, however, is the 'peace of mind' that DS has committed to an ISMS that is risk-based and built on continuous improvement. In doing so, the Authority has taken a proactive approach to minimizing the risk of security breaches occurring.
