Esri Achieves ISO 27001 Accredited Certification as Part of a PAS 99 Integrated Management Systems Framework
This case study shows how IT Governance helped Esri achieve ISO 27001 certification. Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on 00 800 48 484 484 to discuss your own ISO 27001 consultancy requirements.
Esri Case Study
Esri UK is a global organisation with a global presence. In fact, it is now the third largest privately-owned software company franchise in the world, employing more than 4,500 people. The Board of Esri UK resolved to adopt ISO 27001, the information security standard, in 2012, and to seek UKAS-accredited certification by 2013.
In order to speed up the process and achieve the best results possible, Nick Rigby, non-Executive Director and a former Director of Intelligence at the MoD, selected IT Governance Ltd, based on their track record in ISO 27001, to deliver a bespoke mix of consultancy advice and public and internal training courses, from the initial gap analysis to audit support.
With the help of James Sibbald, Security Officer for Esri UK and Greg Wright, Manager of Security and Networking, Nick set about creating an Information Security Management System (ISMS) compliant with ISO 27001. The whole of Esri UK was involved in the project, which, in addition to gaining the coveted ISO 27001 certification, has helped Esri UK to develop better management systems to sustain growth.
Esri UK is a privately held, UK-owned company that provides world-class enterprise geographic information systems (GIS). Their solutions help businesses, governments and educational institutions make timely, informed and mission-critical decisions by leveraging the power of geography.
Headquartered in Aylesbury, Esri UK operates from six regional offices across the country. Since 1991, they have been delivering proven solutions based on technology from Environmental Systems Research Institute, Inc. (Esri Inc), the world's leading GIS software provider. Their technology delivers a range of business solutions in different markets as well as catering for system integrators and application developers through the Esri Developer Network.
The emphasis on ‘spatial data as a service’ means that the organisation operates increasingly in the Cloud, providing the means to gather, analyse and interpret demographic and census data, and a wide variety of other data sets used by their customers, who range from supermarkets to Government. Naturally, security is a prime concern for Esri UK, and the company takes its responsibilities very seriously indeed, employing a dedicated team to devise and maintain suitable information security policies, develop procedures in line with the requirements of regulations and international standards, and enforce the controls that the organisation has in place to protect its confidential data.
The main drivers for gaining certification were:
- Adopting best practice as defined in the ISO 27001 information security standard
- Differentiation: Esri UK would gain an advantage over its competitors by achieving certification
- Compliance with the requirements of an ever-growing number of potential government-let contracts.
To quote Nick Rigby: “Information Security at Esri UK is constantly evolving as we develop and implement new technologies. It’s a Darwinian process that has no endpoint and that requires us to test and measure what we are doing at regular intervals. We don’t regard security as a ‘quick fix’ problem because we know that the task is ongoing and we cannot afford to ignore the challenge. Therefore evaluating our own, and our customers’, risk is part of the Esri UK DNA.
Like many organisations that pursue standards-compliance and certification, our initial drivers came from Government in terms of contract requirements. Having previously gained ISO 9001 certification we embarked on the process of gaining ISO 14001 and more recently on ISO 27001, we evaluated the benefits of an international management systems standards-based approach and found that it brought us significant benefits in addition to the tick-in-the-box aspect when tendering. Further, at IT Governance’s suggestion, using PAS 99 we adopted an Integrated Management System (IMS) approach to this work. In fact, we now believe that a management systems approach is helping us to grow our business through the development of processes and procedures based on the ISO standards frameworks that we have successfully adopted, which will soon also include ISO 20000 – also part of our engagement with IT Governance consultants, who have provided the initial scoping requirement.”
Much of the work on the ground to implement ISO 27001 was led by Greg Wright, Esri UK’s Information Solutions Manager for Security and Networking. Greg’s role was intrinsic to the whole process; from helping to form the Steering Committee for the project, being a key project team member, to helping draft much of the control documentation needed to support the Statement of Applicability (SoA). Along with Chris Henty, System Administrator, Greg carried out much of the risk analysis using Vigilant Software’s vsRisk™ – a specialist ISO 27001 Information Security Risk Assessment Software solution.
Greg Wright said: “The risk analysis of the production servers that needed to be ultra-secure formed a major part of the project. Thanks to the consultancy help that we received from IT Governance, weeks of effort were removed from the timescale to project completion. This was achieved by referring back to, and then updating previous analysis. Knowledge of how far we actually needed to go was part of the benefit gained from having an experienced consultant on hand. This consultancy know-how worked in terms of making us feel confident that we had ‘done due diligence’!
“Hand-holding by Nick Orchiston, a member of the experienced IT Governance consultancy team, helped us to refine our risk analysis and saved us more time than the consultancy hours cost by a long way. Nick showed us how to group assets for the asset-based risk assessment in a way that made sense in terms of the requirements – i.e. the right level of detail to enable us to properly assess the risks that we actually faced and produce a viable risk treatment plan that was actionable. The same was true for the Control Documentation, which Nick Rigby and I divided between ‘non-technical’ and ‘technical’ requirements. With help from project manager Heather Nelson, we created a document set that was right for Esri UK’s needs. One of the key things that IT Governance taught us was the value of simply referencing to our existing procedures and work instructions rather than repeat the content. Duplication of effort was slowing us down. IT Governance knew how to keep the workload to optimum levels so that we were able to accelerate our efforts.
The IT Governance toolkit templates were also helpful in saving us a great deal of time. Along with their training courses, I would recommend using these if your aim is to satisfy the requirements efficiently and effectively.”
Nick Rigby continued: “We knew that ISO27001 was not an easy standard to gain certification to. But we were also sure that Esri UK ‘reinventing the wheel’ as far as devising a management system for information security would have less value to us than adopting the ISO27001 framework, the global standard everyone knows and respects. ISO27001:2013 is likely to retain that crown.
The biggest piece of upfront work was of course the asset-based risk assessment. The fence that most lead implementers fall at was no trouble for us thanks to IT Governance risk consultant, Nick Orchiston, and the Vigilant software tool, vsRisk™, which we used to carry out our RA process. Automating the assessment of information security risk was a natural thing for us to do at Esri UK, and it was great that IT Governance could supply a tool that accelerated the process and that fully integrated into our ISO27001 management system. Obviously the risk assessment is fundamental to ISO27001 planning processes and the risk treatment plan is key ISO27001 documentation, so it was a great relief that we were able to save time by using this software. Quite honestly, struggling with an Excel spreadsheet in place of vsRisk™ would not have achieved the positive outcome in the same time.”
How long did Nick initially think that it would take to gain certification? “At the outset we knew that ISO27001 was no picnic in the park, but the knowledge that we had IT Governance consultants to guide us made the job very doable. They have helped well over 100 clients to gain certification. After that amount of practical experience, their people knew what we needed. It was a two-year journey with inevitable peaks and troughs, and, yes, onerous at times. There was a large workload, but thanks to IT Governance we knew that we were doing the right things, and what is more, had the documents to show that was the case. We were conscious that driving and changing behaviours would not be an easy process – but good business practice would take the workforce with us. Once again, IT Governance’s Nick Orchiston had plenty of experience of what seeding good behaviour in companies involved. We think that the result speaks for itself.”
Esri UK’s Information Security team also trained with IT Governance. To quote James Sibbald: “We found the ISO27001 Foundation and Lead Implementer course very valuable. The tutors were all practicing consultants who knew exactly what we were going through and inspired a great deal of confidence.”
What was the general feeling about ISO 27001 at Esri UK throughout? Nick explained: “We have a culture of ‘seriousness with levity’ which helps us to deal with the emerging cyber threat. For example, we have designed a control that includes software to find out what BYOD hardware has been used. Controlling this aspect of life in today’s business environments will always be a challenge, but we try to pick up on inappropriate security configurations without turning our software developers against us. We are after all trying to help!
ISO 27001 fits in with Jack’s (Jack Dangermond, President and CEO of Esri Inc) philosophy of business: “To make things better”. We practise this in all aspects of what we do, right down to providing free education programmes for students who will one day be Esri’s customers and users. It’s a CSR [Corporate Social Responsibility] stance that makes protecting our clients’ data part of a natural process of caring about them and their work using our software. Aggregation of information on the scale that we deal with must necessitate a detailed and effective approach to security, which I am proud to say that our ISO 27001 demonstrates perfectly.
We got the ISO 27001 project completed in just 18 months, thanks to IT Governance, achieving our compliance badge [ISO 27001 certification] up to 6 months ahead of our planned schedule. Our mapping software is often used to save lives in disaster hot areas, so we are able to respond quickly to deal with emergencies. The great news about working with IT Governance was that we had guides to help us deal with the tricky parts of the compliance terrain in less time than we could have managed the climb by ourselves, and with the reassurance that we were being taken safely and professionally through to our destination with the best help available.”
Just as we have helped Esri UK to achieve ISO 27001 compliance on time and within budget, we can help you. Call us now on 00 800 48 484 484.