
MBSL’s ISO 27001 Journey

Author – Karl Houghton, Director, MBSL

McNally Business Services Limited (“MBSL”) is a progressive chartered accountancy and
business services firm which provides added value to its clients through the wide range of
services it offers. Based in Classon House, Dundrum, Dublin, we specialise in small, medium
and large clients from different sectors that include Finance, Telecommunications,
Information Technology, PR/Marketing, Legal, Charity, Education, Semi-State and Owner
Managed.

Our outsourced offerings provide tailored solutions in:

• Management Information and Financial Reporting
• Payroll
• Company Secretarial Compliance
• Tax Planning and Wealth Management
• IT Consulting

MBSL has always embraced Information Technology and we see ourselves at the cutting
edge of IT implementation for accountants. We have a staff of 12 including an IT Manager
who administers all our IT systems and software. We have operated in a paperless
environment since 2008 and all members of staff have at least two monitors on their desk.

We are extremely client focused. One of our main areas of work is the provision of
outsourced accounting solutions. We decided to give our clients additional assurance as to
the controls in place safeguarding their information, so we set upon the task of attaining
an internationally recognised standard, namely ISO27001 – Information Security
Management Systems.

An Information Security Management System (“ISMS”) is that part of the overall
management system, based on a business risk approach, to establish, implement, operate,
monitor, review, maintain and improve information security. The management system
includes organisational structure, planning activities, responsibilities, practices, procedures,
processes and resources.

The size of the task ahead of us was daunting; no other accountancy firm in Ireland had been
awarded this Certification.

We mapped out the main stages of the project that we would need to follow to reach our
goal, the main ones being:-

- Initial Training
- Setting Scope
- Critical Path
- Gap Analysis
- Risk Assessment Report and Treatment Plan
- Statement of Applicability
- Policies and Procedures Documentation
- Certification Audit

Initial Training

ISO27001 – Information Security Management Systems is an information standard applying
to all forms of information. Given our heavy reliance on IT, it was obvious that we would
need an internal Project Team with a high level of IT knowledge to achieve our goal.

An ISMS Steering Committee was formed to run the project, consisting of our IT
Manager and me (a Director). This mix ensured that we had the correct level of knowledge and
the skill base to implement the project. The addition of the Director also demonstrated the
sponsorship of the Board.

The ISMS Steering Committee then attended a two-day training session with Certification
Europe that enabled us to compile a Critical Path for the achievement of the Certification.
The training session also gave the Project Team a valuable insight into exactly what was
involved and the amount of work required to achieve our goal.

Setting Scope

The ISO27001 Standard is often implemented for a part of an organisation e.g. the IT
Department or Software Development Department. We wanted more. We considered
whether we could apply it to the whole organisation and everything that we did. This
approach was taken to give maximum assurance to clients. We defined our scope, and
settled on the following:-

The Company is committed to protecting its information and that of its clients. To achieve
this goal, the Company has implemented an Information Security Management System in
accordance with ISO 27001: 2005.

The Company’s Information Security Management System is applicable to all operations of
the business carried out at its Head Office at Classon House including the following:

• Outsourcing Accounting Services.
• Taxation and Company Secretarial Compliance Services.
• Tax Planning and Wealth Management Services.
• Consulting Services.
• Internal Information Technology Systems and Networks.

Critical Path

Our training had given us the knowledge required to identify all the key tasks and
requirements to achieve certification. We now considered them further and mapped them
out inserting key dates. We estimated that it would take approximately eighteen months to
achieve Certification.

It became apparent very quickly that there were two large parts to this project: the
Certification Project itself and also a project to document all of the organisation’s policies
and procedures.

Like every other accountancy firm of our size we had a myriad of policies and procedures but
not all of them were formally documented.

Gap Analysis

Before we could proceed any further we needed to know exactly how our existing controls,
policies and procedures measured up to the Standard. Certification Europe performed a
gap analysis for us and pointed us in the direction we needed to go. We received excellent
guidance on the requirements and modified our plan accordingly.

However, it was also clear that we were in uncharted waters, as what we were doing had
not been achieved before in Ireland. We started to build up a unique practical knowledge
base on how to implement ISO27001 in an accountancy firm.

Risk Assessment Report and Treatment Plan

A key part of any ISO27001 implementation is the Risk Assessment Report and Risk
Treatment Plan. We assessed a lot of the products available on the market to help with this
and other aspects of the implementation but we found that they did not suit our model and
therefore did not warrant an investment. It also became apparent very quickly that this was
one of the key areas in the project that would need to be considered very carefully to ensure
that our approach fitted our business model.

We initially identified and categorised all of our Information Assets and General Assets. We
then formulated a risk methodology. It was imperative that the risk methodology could be
applied to each vulnerability, threat and risk on a consistent basis.

Once we had determined our risk methodology, we built our key ISMS Spreadsheet using
Microsoft Excel. This contained a dedicated worksheet for our Information Assets Risk
Assessment Report and Risk Treatment Plan. Each information asset that we had identified
was logged in the spreadsheet and a risk assessment was carried out considering
vulnerabilities, threats, and the likelihood of it arising and how each risk should be treated.

The risk assessment took us a number of attempts to get right, as we found that we were
replicating numerous risks that applied to multiple information assets. Once we had fine-tuned
it we had a robust model in which we could consider risks without
difficulty and which we could update easily.

The risk register was formally discussed by the Board, who signed off on the Risk Treatment
Plan and also accepted the residual risk. We then implemented our Risk Treatment Plan
which brought a raft of additional controls into our organisation.
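The asset-by-scenario register described above, as an added example that is not MBSL’s spreadsheet: it assumes a likelihood × impact scoring on a 1/3/5 scale and a board-accepted residual threshold of 9, neither of which the article specifies, and it defines each vulnerability/threat pair once so the same risk is not retyped for every asset. The sample assets and scenarios are constructed.

```python
"""Small ISMS risk register (added example, not MBSL's spreadsheet). Assumed
methodology: risk = likelihood x impact on a 1/3/5 scale; the board accepts
residual risk up to ACCEPTABLE_RISK. A Scenario is defined once and linked to
many assets, avoiding the per-asset duplication the article describes."""
from dataclasses import dataclass, field
LEVELS = {"low": 1, "medium": 3, "high": 5}
ACCEPTABLE_RISK = 9  # constructed board-approved risk appetite

@dataclass
class Scenario:          # one vulnerability/threat pair, reused across assets
    vulnerability: str
    threat: str
    likelihood: str      # untreated likelihood
@dataclass
class Asset:
    name: str
    impact: str          # business impact if the asset is compromised
    scenarios: list      # scenario ids that apply to this asset
    controls: dict = field(default_factory=dict)  # sid -> likelihood after treatment

def score(likelihood, impact):
    return LEVELS[likelihood] * LEVELS[impact]

def assess(assets, scenarios):
    """One register row per (asset, scenario) with inherent and residual risk."""
    rows = []
    for a in assets:
        for sid in a.scenarios:
            s = scenarios[sid]
            inherent = score(s.likelihood, a.impact)
            residual = score(a.controls.get(sid, s.likelihood), a.impact)
            treatment = ("reduce" if sid in a.controls
                         else "accept" if inherent <= ACCEPTABLE_RISK else "untreated")
            rows.append({"asset": a.name, "scenario": sid, "threat": s.threat,
                         "inherent": inherent, "residual": residual, "treatment": treatment})
    return rows

def needs_attention(rows):
    """Rows whose residual risk still exceeds the accepted appetite."""
    return [r for r in rows if r["residual"] > ACCEPTABLE_RISK]
def build_sample():
    """Constructed sample data, not MBSL's actual assets or risks."""
    scenarios = {
        "S1": Scenario("unpatched workstation", "malware infection", "medium"),
        "S2": Scenario("unrestricted share permissions", "unauthorised disclosure", "high"),
        "S3": Scenario("single power feed", "loss of availability", "low")}
    assets = [Asset("Client payroll files", "high", ["S1", "S2"], {"S1": "low", "S2": "low"}),
              Asset("Internal training notes", "low", ["S1", "S2"]),
              Asset("Email server", "high", ["S1", "S3"], {"S1": "medium"})]
    return assets, scenarios
```

Running `needs_attention(assess(*build_sample()))` flags the one row where a chosen control leaves residual risk above the accepted threshold, which is the case the Board must either treat further or explicitly accept.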

Statement of Applicability

ISO27001 requires a Statement of Applicability to be prepared that details whether each of
the ISO controls has been applied, or not applied, to the Information Security Management
System. It was necessary to show, by example, how each control had been applied in our
ISMS. There are one hundred and thirty three controls noted in the Standard; we found that
one hundred and thirty one of these controls were applicable to us.

The task of completing the Statement of Applicability was not too troublesome as we had
reviewed and developed additional controls during the work performed to date. The
preparation of the Statement of Applicability also acted as a control check on the work that
we had already completed and ensured that we had considered all aspects and
requirements of the Standard.

Policies and Procedures Documentation

The ISMS Project focused our thoughts onto the formal documentation maintained by our
organisation. The process drove us to formalise the following documentation:-

- Office Policies and Procedures
- IT Policies
- IT Procedures

The Office Policies and Procedures is a large comprehensive document which includes
sections on:-

- Personnel Policies and Procedures
- Company Financial Policies and Procedures
- Client Policies and Procedures
- General Office Policies and Procedures
- Information Security Management Systems

Considerable administration time was invested into the creation of a document that
addresses all aspects of our organisation.

Our IT Department prepared two documents, namely IT Policies and IT Procedures. This gave
a formal structure to their method of operation and now allows our IT function to be policy
driven. The IT Procedures are far more extensive than the IT Policies. In addition, all non-IT
staff have access to the IT Policies but they do not require access to the IT Procedures. These
documents also give a visibility to the internal workings of our IT Department that we did not
enjoy before.

This project also forced the IT Department to understand integration within the business and
also the inherent need to document policies and procedures.

Our Office Policies and Procedures also cover another aspect inherent to our ISMS, namely
Business Continuity Planning. ISO 27001 forces an organisation to consider and test their
Business Continuity Plan (“BCP”). At the time we were first addressing our own BCP, a Swine
Flu Pandemic appeared to be a risk that could crystallise, so there was an urgency about this
task. It also allowed us to see how dependent we were on various aspects of the business
and what would happen if any of those were removed from the equation.

Certification Audit

Once our ISMS was formally approved by the Board and fully implemented, it was
independently audited against ISO27001. This exercise took the independent auditors three
days to complete. The first part took one day and dealt with the ISMS controls, policies and
procedures that we have in place. The second part took place four weeks later and focused
on testing the ISMS controls.

The implementation project was successful and we were granted certification on 27
January 2010. The Certification is valid for three years and we are independently audited
against the standard every six months.

The Project took thirteen months to deliver, five months less than we had planned. This
saving was achieved through both the commitment of the Project Team, who progressed
this Project side by side with their normal workload, and also the commitment of everyone
in the organisation who embraced the project and the new formalities it brought with it.

What we learned

Key points that we learned along the way:-

- Know where you are before you start and what the gap is that needs to be
overcome to achieve Certification.
- ISO27001 will not just require a formal Information Security Management
System it will also require additional formal documentation such as Office and IT
Policies and Procedures.
- Ensure that every member of the organisation has bought into the project. This
buy-in must stem from the top down.
- The process can be accelerated – if you know the requirements and have access
to templates (both ISMS and Office) that can be modified to your organisation.
- The system is ever-evolving and must be updated regularly. We hold ISMS
Committee Meetings every two to three weeks.
- Develop a Risk Methodology that suits your organisation and can be applied
consistently.
- Develop an Information Classification Policy that suits your organisation.
- When it comes to Information Security, the more you know, the more you don’t
know. The controls, policies and procedures that we had at the start of the
Project have been completely overhauled and added to as areas of concerns
were identified.

Where to from here

MBSL intend to maintain and improve our high level of information security as our business
grows. We will lever our ISO27001 certification to attract fresh clients. We now offer an
ISO27001 ISMS Consultancy Service to help other accountancy, professional services and
legal firms achieve certification. The documentation bank that we have built up as part of
this exercise is easily tailored to the requirements of our clients.

We will continue to embrace Information Technology and use it as a tool to realise
efficiencies in our organisation and drive costs down for both our business and our clients’
business.

About The Author

Karl Houghton is a Fellow of the Association of Chartered Certified Accountants and a
Director of MBSL. Karl has over twenty years’ experience working in practice and is the
Principal Director in the area of Projects, Secondments and Company Secretarial for MBSL.
