- Background
We know from recent headlines about the Ministry of Defence (MOD) and DropBox that holding large volumes of personal data is perilous. Moreso when we find out, in the case of the MOD, that the breach was with a third-party payroll company. This is one of the reasons why the Employee Benefits Collective (EBC) turned to Risk Evolves to guide them through ISO 27001 accreditation – the international standard for information security. - ClientEmployee Benefits Company
- CategoryISO Standards
- TagsISO Standards, ISO27001
- Websitehttps://www.ebc-llp.com/
The challenge
Because EBC provide corporates with employee benefits solutions they hold large volumes of data on behalf of their clients. On the one hand this presents a data security risk for EBC and their clients and on the other hand the absence of verified security measures is a barrier to winning new business.
EBC provide a niche service and operate on lean principles, so their own head count is low, consequently there is no dedicated IT or data security role. The challenge, therefore, was how to go about implementing certified data protection with such limited capacity to do so.
The solution
EBC have healthy relationships with other businesses in the employee benefits space. In consultation with one of their associates Risk Evolves were recommended as a consultant specialising in supporting business to navigate certification in ISO 27001.
With this recommendation corroborated by added value advice offered during initial engagements, EBC appointed Risk Evolves to guide them through ISO 27001.
"When we need to work on compliance again, there is no question, we will turn to Risk Evolves."
The process
With a history in compliance Naomi Saragoussi, Partner at EBC, was under no illusions about the time and effort that would be needed to successfully complete an ISO accreditation process. Naomi said “It took us a year, but I have to say progress with Risk Evolves was seamless. As was the way the work was passed between two people during a personnel change.”
Risk Evolves provided just the right balance of firmness and guidance. Pointing out what we really needed to address, whilst advising a lighter touch where the compliance was not as critical to our specific circumstances.”
Senior Consultant at Risk Evolves, John Basset declared how impressed he was with the level of engagement from EBC, “Naomi was enthusiastic and thorough throughout. Which meant we and they are proud to report that the only fly-in-the-ointment during the audit prior to accreditation was one OFI (Opportunity For Improvement) – where we would ordinarily expect several of these and at least one minor non-conformity.”
The Outcomes
EBC conducted training with their own team using content provided by Risk Evolves. Naomi Saragoussi was pleasantly surprised at the engagement of her team with the training, and thereafter in the cut and thrust of everyday business. “Our team have taken it really seriously and understand the importance of data security to our business, our clients’ businesses and to the data subjects whose data we hold. I get frequent enquiries about how to handle the storing and processing of data from members of the team. And I feel confident in knowing how to respond. On the odd occasion when I don’t, I know I can just pick up the phone to Risk Evolves.”
Achieving the standard has meant EBC have increased resilience to cyber-attack, are more prepared for new threats and have bolstered data integrity and confidentiality. This gives them greater confidence in handling client data and significant added credibility in winning new clients.
"When we need to work on compliance again, there is no question, we will turn to Risk Evolves."
