ISMS for Data Consultancy.

Overview

A data consultancy with global operations needed to mature its information security practices as part of an overall effort to bring its management and governance practices to the next level and meet the demands of institutional customers.

Key Challenges

Establishing an ISMS to achieve ISO 27001 certification can face many governance challenges for global consulting firms, including:

Outcome

An ISO 27001-compliant ISMS was developed to meet many of the unique requirements of a modern, globally distributed consulting firm. The consultancy is now working toward meeting certification requirements.


Challenges in Depth

Policies & Transition

Organisations under change, in scale-up mode especially, often have to revisit their policies and procedures to make sure that they’re addressing the current situation. Many have started off with off-the-shelf, templated policies or procedures, or borrowed them from past organisations. They’re often a mish-mash of rules, cobbled together in response to customer compliance requirements.

This creates a few problems. The first is that they’re often ignored: signed off and then forgotten. The second is that when it comes time to develop a mature ISMS and get a certification like ISO 27001, it can be difficult to know what’s in, what’s out, what meets certification requirements, and which one of the many ideas and formats to bring forward. Finally, the organisational policies of consultancies and others providing services can sometimes conflict with those of their customers.

Without proper policies and procedures or an understanding of what rules to follow and when, an organisation has no recourse when things go wrong, creating liability risks for customer engagements and HR matters.

Solutions

Variable risks for systems and data across customer engagements

Another issue for consultancies is related to scope, and to how many risk assessment processes designed for the enterprise don’t carry over to a service environment. For example, risk assessment methodologies often focus on assets, and assets are usually defined as data specifically, or the systems that carry that data.

When consulting for others, this can be tricky. The customer owns the data and the systems, but the consultancy can be very deeply involved in technology, even managing the customer. When data is involved, things can get even more complicated, and risks can get bigger.

Solutions

Understanding your organisational context, including the contractual and legal frameworks it’s working under, is an important piece of the puzzle. Standardising and agreeing security responsibilities with customers is an important first step.

The second is to ensure that the right people, at the right steps, understand and value information security as part of their job. A secure engagement policy and procedures ensure that people understand the agreed rules for information security within the organisation, and how it engages with customers. Most importantly, they ensure that information security is treated as a normal part of customer engagement: raising risks with customers and agreeing to manage them appropriately.

Doing this makes information security an important part of the offering to customers, and a source of assurance, not just administration.

You need somebody that understands contracts and outsourced service delivery, as well as technology development practices.

Managing Operational & HR Risks with a mixed, global workforce

Having a successful ISMS means ensuring that people, processes and technology are all working together to achieve its requirements. The ISO 27001 standard has many people- and HR-specific requirements, and the ISO 27002 guidance can help to some degree, but even the latest (2022) updates to both can be unhelpful when trying to define the scope of a consultancy, let alone one with a global workforce and a mixed environment of employees and contractors.

Take the requirement for security training. What training, how much? And whose responsibility is it? HR often doesn’t work with subcontractors, so how does that work?

Ensuring your organisation is working securely no matter the circumstances is important. Matching your own organisation’s needs and practices with a standard that’s short on details can be daunting.

Solutions

Industry standards are an important reference point, but only you and your organisation have the ability to know what’s right within your context.

Because customer practices and demands can vary, the next step was to identify a tiered approach for engagements. Where customer requirements are stringent, everybody must understand and adhere to them. Everywhere else, clear and consistent requirements for

As with many things ISO 27001-related, what’s important is the context. Consultancies delivering services to other organisations are doing so under set agreements written down as contracts, which the standard requires to be considered as part of the ISMS and the risk assessment process.

The solution to meeting these requirements is to identify and understand the various contexts

In this case, the openness of the standard can be a benefit.