Getting Information Security Right – Blog
Brian Dunn, Managing Director of SVM Europe, wanted to share this case study by the standards institution BSI on SVM achieving ISO 27001 certification.
SVM Europe is sister company to the leading gift card provider SVM LP, based in the US. It provides companies with prepaid solutions to reward and motivate staff, and as part of marketing and promotional activities. Its products include gift cards, vouchers, e-codes, flexible reward codes and voluntary benefit landing pages, as part of a broader benefit scheme.
SVM Europe works with major retail brands in the UK and Europe either on a pure re-sale basis or full programme management of its gift cards, vouchers and e-code products.
SVM has rapidly expanded over recent years and has ambitious growth targets. The business’s core values – stability, trust, respect, integrity and passion – provide a solid foundation for this growth.
As SVM has moved from a small business to a larger global operation, it needed a more formal structure but also wanted to ensure that core company values remained central to its operations, and that the small business culture was not lost.
Brian Dunne, Managing Director, explains, “We felt that ISO/IEC 27001 and also ISO 9001 for quality management would really help us put more structure in place. Taking a standards-based approach to information security has changed the way we work as an organization, supporting our business growth whilst allowing us to keep our core values”.
Another key driver for certification was protecting the money being added to gift cards from internal and external fraud. Also SVM found that more and more tenders for government contracts required ISO/IEC 27001, making certification fundamental to winning new business and driving growth.
Implementing ISO/IEC 27001 has had greater impact than SVM initially expected.
“Our perception upon starting this journey was that ISO/IEC 27001 would be purely about security; however, what we have found is that it is a lifestyle. It really has affected everything we do and how we do it,” explained Sarah Wild, Operations Manager. All of SVM Europe’s departments are now aligned and managed correctly, rather than on an ad hoc basis. As a result of its certification, SVM has also been able to get some great PR coverage, improving its business reputation.
Benefits it has experienced include:
- less downtime
- stronger organizational structure
- improved ability to win tenders
- greater confidence in information security processes
SVM has also progressed from not even having a risk register, to having a system to identify and manage information risk across the organization.
SVM Europe took a year to implement its information security management system (ISMS). An initial gap analysis undertaken by the company revealed that it already had half the requirements in place for a compliant ISO/IEC 27001 ISMS. To progress towards a fully compliant system, a member of senior management championed the project, co-ordinating the process from the top down with the support of a team to implement the plans.
The biggest challenges SVM Europe faced during the implementation process were the requirements enhancing its IT infrastructure and the formalization of a data management policy. This required adjustments in the way SVM Europe works, including changes to the way information and emails are sent, particularly impacting remote users and sales teams. These challenges were addressed by ensuring the benefits were communicated across the business and through early engagement with the relevant people, whilst also developing the policies and stress testing scenarios.
To assist with the implementation of its system, BSI trained critical SVM team members to become proficient internal auditors. BSI also carried out a gap analysis day, which, along with the stage 1 audit, proved particularly valuable in identifying gaps in the system and allowing improvements to be made prior to the third-party audit. All staff, from senior management to operational and support staff, participated in training sessions and presentations to ensure full understanding and engagement across the business.
SVM Europe is now working to clear policies and procedures with clearly defined roles and responsibilities. It is also embarking on adopting Prince 2 methodology into project work, which fits with its ISO implementation.
BSI’s role
Once SVM Europe decided to certify to ISO/IEC 27001, BSI was the natural choice. Angela Webster, Marketing and Strategic Projects Director, comments, “We were familiar with the BSI certification mark and were advised by an external consultant that BSI was a good choice for certification. And the fact we could use the BSI certification mark to reassure customers was a double advantage.”
Angela comments, “BSI was great throughout the process. The feedback provided from the gap analysis and stage 1 audits proved especially useful. We also took great learnings from the internal audit training.”