The business value of ISO17799

A case study by
Dr Gary Hinson CISSP CISM CISA MBA
Introduction

This case study concerns an IT services company that decided to implement ISO17799, the Code of Practice for Information Security Management, and gained significant business advantages as a result. The case reveals some surprising linkages between information security management and general business management, and several indirect benefits that are seldom mentioned.

Business situation

“ServiceCo” [not its real name] is a supplier of IT services, hardware and software to corporate clients. Having gained its ISO 9002 certificate nearly ten years ago, staff were used to working in a consistent manner using documented quality procedures and guidelines. A couple of years ago, however, the atmosphere within the company had turned sour. Management decisions were mostly being made instinctively on “gut-feel” with little real analysis. With staff turnover increasing, senior management recognised the need to change and took a long hard look at the organization’s strengths and weaknesses.

ServiceCo management decided to implement ISO17799. According to a senior ServiceCo director, “Implementing ISO17799 made business sense. Securing ServiceCo’s internal information would reduce the risk and hence the cost of serious breaches. ISO17799 is a known security framework developed by some of the worlds leading companies (BT, HSBC, Shell International and Unilever, amongst others), so it gave us the means to implement best practice security controls.”

Benefits of implementing ISO17799

The director told us “ISO17799 is not just about information security or IT – it actually helps the organisation save and make money.” He identified the following business benefits of ISO17799:
Direct benefits

Increased reliability and security of systems: “Like all businesses ServiceCo is reliant upon information systems. ISO17799 has ensured that we now have controls in place that maintain system availability and reduce the risk of vulnerabilities being exploited. Post-certification ‘surveillance visits’ and re-certification audits to ISO17799 ensure the business keeps up-to-date with the latest vulnerabilities and best practices.”

Increased profits: “Sales and margins are up, and clients’ perceptions of our business have improved. Our BS7799 Part 2 certificate demonstrates that we can be trusted to secure our customers’ data, as well as our own. Our customers not only understand that our investment in ISO17799 has given them benefits, but they are prepared to spend a little more for a secure IT infrastructure. Since gaining ISO17799, we have already seen a marked increase in our bottom line profit and some new customers are telling us they prefer to trade with companies who have a recognised security certification. Additionally, we are now seeing more Invitations To Tender from business that list ISO17799-compliance as a pre-requisite. And, by the way, our employees are wasting less time surfing the Internet for sites not related to work!”

Cost-effective and consistent information security: “We have implemented cost-effective security matched to our business needs. ServiceCo had many technical safeguards throughout the organisation, but the risk assessment highlighted that some of our safeguards offered little or no business benefit and would provide a better return off investment if they were reconfigured to protect assets that required a higher level of protection. All divisions and departments within ServiceCo had previously developed their own security guidelines. ISO17799 helped us develop a consistent approach to security by creating uniform policies incorporating industry best practise. Where necessary, employee compliance with the policies is supported by an enforceable disciplinary process.”

Systems rationalisation: “Analysing our information and information security requirements properly means we spend our money wisely. We were able to cut about 50% of our systems and data when we realised they were not worth keeping, and we actually relaxed controls on some low-risk systems.”

Compliance with legislation: “Implementing ISO17799 forced us to comply with UK legislation in areas such as data protection and software copyright.”
Indirect benefits

Improved management control: “Managers have more control over the organisation, and better quality information with which to manage it - management effort is therefore reduced.”

Better human relations: “Clear policies, procedures and guidelines make things easier for our staff – the atmosphere has improved and staff turnover has reduced. ISO17799 has made ServiceCo different from our competitors and provided the company with a unique selling point, leading to a better working environment for all of our staff. Employees now recognise that their earning potential is dependant on how customers perceive the company brand and that any negative publicity could affect them. Professionalism has improved throughout the company. Given that so much of security relies on internal controls, we needed to look more carefully at who we were employing. Through ISO17799 we introduced more through recruitment processes that reduce the risk of employing people unsuitable to the position or who could potentially put our business at risk. We now know who is working for us!”

Improved risk management and contingency planning: “Through the ISO17799 certification process, ServiceCo identified its vulnerabilities, threats and potential impacts to the business. As a result of this and implementing controls from ISO17799, ServiceCo now has a more structured approach to risk management. For example, we now have a rational process to decide which risks to transfer to our insurers. We also now have a business continuity plan that suits the business, not just the IT department. The risk assessment identified information assets that are critical to the success of the business. This enabled us to produce a business continuity plan that prioritised these assets and reduces our potential exposure to financial loss or negative publicity.”

Enhanced customer and trading partner confidence: “With the heightened sensitivity to security breaches, trading partners, customers and vendors were looking evidence of security. ISO17799 certification has provided this assurance. In any industry you have to stand out from your competitors. Being the first IT Value Added Reseller in the world to obtain ISO17799 is a bold statement that will always be unique to ServiceCo. Having the ISO17799 logos on our company literature is a continual reminder to potential and existing customers that we are a professionally-run organisation who take the confidentially, integrity and availability of their and our information seriously.”

Costs

“Despite what people say, the costs of implementing ISO17799 are very modest. The main cost element was the pain of cultural change (we had to ‘let a couple of our people go’ for not complying with our policies and procedures). The regular compliance reviews to maintain our certification only costs us about £3k [$5k] p.a. so ISO17799 is very cost-effective. We are now talking to our assessors about combining the ISO17799 and ISO 9002 reviews to save time and money.”

For more information

To find out more about this case study or for help to assess the business value of ISO17799 to your organization, contact IsecT Ltd. info@isect.com