Tribal Gains ISO 27001 Months Ahead of Schedule


This case study shows how IT Governance helped Tribal achieve ISO 27001 certification. Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on 00 800 48 484 484 to discuss your own ISO 27001 consultancy requirements.

Tribal case study

Tribal needed to achieve compliance to the ISO 27001 standard to support the delivery of their world-class education learning and training services. Their extensive expertise in education and technology, and collaborative partnership style has made them a trusted name, so it was important to adopt information security best practice to match this reputation. The senior managers responsible for this planned their Information Security Management System based on an appropriately detailed risk assessment with help from IT Governance Consultants.

The challenge was to apply the required controls identified in accordance with ISO 27001 best practice across several sites within a rapidly expanding and profitable enterprise, without slowing down operations. Maintaining Confidentiality, Integrity and Availability of information is part of ‘business as usual’.


Tribal supports the delivery of education, learning and training services around the world. They build world-leading software, support adult learning, careers and professional development, and provide educational inspections and improvement services, both, in the UK and abroad. Tribal works in partnership with a wide range of organisations, including schools, colleges and universities, prisons and social services, government agencies and large and small employers. With 1,300 staff, their work spans five continents across the world.

Mike Annett, Technical Director Architecture and Design, Mike Fegan, Director of Projects (Services), and Kathryn Harris, Project Manager, were tasked by Tribal’s Board with achieving ISO 27001 certification. The principal motivations for the project were firstly; to gain commercial advantage for the Group by promoting compliance and secondly; to improve cybersecurity in line with ISO 27001 best practice in what was already, thanks to the confidential nature of client records they hold, a security-conscious organisation.


Tribal’s technology products and services include market-leading software and related services to support education, training and learning. Protecting the confidentiality of the groups and individuals served by Tribal’s clients at all times – e.g. school students, apprentices, prisoners – had to be the team’s primary consideration; both to meet their moral obligations and client contractual requirements, and to avoid reputational damage that could impact on Tribal’s stakeholders.

Other considerations discussed with IT Governance consultants included increasing organisational efficiency, incorporation of IT security into Tribal’s Enterprise Risk Management (ERM) processes, and the eventual adoption of ISO 27001 throughout the Tribal Group.


From the outset, the Tribal team benefited from senior management backing. In Mike Annett’s words: “The full support and approval from Tribal’s Board for the implementation of ISO 27001 was a vital first step in setting up the ISMS. As an organisation, we were certainly not novices at handling sensitive data. However, we knew that such a far-reaching project could only be achieved by starting at the top. Board-level IT governance is undeniably one of the critical components of corporate governance. Through this important information security project, Tribal as an organisation has demonstrated its capabilities.”

Mike Fegan echoed Mike Annett’s comments in saying:

“There was real value in adopting ISO 27001 in bringing the employees of Tribal together. We all saw this as a key management project. The requirements of the ISMS framework mean that team collaboration in the implementation process is an inevitable feature – but as we have found it can also be highly-productive.

“One of the benefits of working with expert consultants from IT Governance Ltd was the speed with which we were able to organise our efforts based around their in-depth knowledge of the standard. This streamlined the process in terms of time spent attending meetings and telephone conferences, and exchanging lengthy and detailed emails.

Click here to read more »


After an intensive 8-months of consultation, design, documentation and detailed project implementation, Tribal’s ISO 27001-compliant ISMS was audited by the UKAS-accredited certification body (CB), Bureau Veritas, in February 2012 and recommended for certification.

In addition to improved security, the Tribal team has identified several other benefits derived from ISO 27001 compliance. These include; improved operational efficiency, confidence in the appropriateness and effectiveness of policies/procedures, and the application of a formal framework to an already stringent security so that everyone working with confidential data is assured that the controls in place are working.

To quote Mike Annett: “We were all extremely pleased with the result, knowing how difficult it is for a large and growing organisation such as the Tribal Group to achieve ISO 27001 compliance in under one year.

It’s a complex area and we’re glad that we had expert help on hand.”

Next Steps

The Tribal team will continue to test and develop their ISMS, calling upon the support and assistance of IT Governance when it’s needed. Preparation for regular external audits by Bureau Veritas is one area where the Consultants could be asked to help with the maintenance.

They are looking forward to working with IT Governance in the future.

Download this case study now


To get a PDF version of this case study enter your email address below and we will send you a copy straight away.

SAVE 25%