During the presentation of their ISO 27001 Certificate we had a chance to speak to Jerry Horan and Helena McGarr from LCMS Ltd, an ISO 27001 client of ours who are joining the ever-growing list of companies that are looking to secure their information and data.
Okay, so why don’t you give me a little bit of background about LCMS Ltd., and why did you get ISO certification?
Helena: We are a credit management company based in Naas and we deal with a lot of work for SMEs and public bodies such as Local Authorities and the Hospitals. We have found that in order to win contracts with those bodies, an externally audited standard such as ISO 27001 is becoming a necessity.
Was this the only reason? Had you been aware of an ISO standard before you had gone for these tenders?
Jerry: The decision to seek certification to the standard was taken initially when we were offered a contract subject to the proviso that we sign up for the certification process. We signed the contract and as we learned more about what was involved, we could see that it was something that would be of benefit to the company from a management perspective and so we sent some staff for training on the implementation and auditing of the standard.
Helena: We really saw it as an opportunity to implement changes which we considered necessary. While the standard is focussed on information security, it is also a management system and we took the opportunity to change our management structure as well as improving our information security during the process.
Can you give us a little bit of background about this contract?
Jerry: The contract was to recover all debts for a large hospital and the hospital placed the requirement for achieving the standard within the context of their Data Protection Act obligations.
Do you feel that apart from allowing you to tender for more business it has improved your business processes?
Jerry: Yes. Many aspects of the standard are focussed on process and that can be applied right across the business. The risk assessment is also a valuable exercise. We found that proper training and supervision helped to eliminate information security incidents arising from human error and now we can concentrate on the technical aspects.
Helena: I am happy that the management structure we have put in place meets best practice and there is a heightened awareness of information security and specifically the requirement to keep the personal data of our clients secure.
Do you see yourself expanding based on your ISO certification?
Jerry: Before we achieved certification to ISO 27001, most of our sales were achieved by making direct approaches to businesses and public bodies. It does appear that the environment is changing and in future most of the big contracts will be put out to tender. We feel that having the ISO gives us an advantage in seeking to win those tenders. In fact, without it, we probably would not get past the first stage of the tender process.
The certification also provides reassurance to private companies and it meets concerns they might have around data security.
How do you make sure all your staff comply with the requirements of the standard? How did you create a culture of information security?
Jerry: The requirement to train staff is part of the implementation process and there was a very positive response from staff. The standard doesn’t place a very heavy burden on staff – in fact most of the things they are required to do are common sense measures to protect data security that they will be familiar with from having on-line banking. We made sure that we brought people in key positions onto the implementation team and got them to buy into the culture of information security. Once they were on board, the process ran smoothly and a culture of information security came naturally within the organisation.
With hacking becoming more and more prevalent in society, do you feel protected or secure with your certification?
Jerry: I am not technically qualified to assess how well protected we are against hackers – we left that to the technical people and we dealt with issues which arose during the external audits. I suppose it’s fair to say that LCMS is unlikely to be a major target for hackers, so we trust our IT support team to provide us with the appropriate protections and we are meeting international best practice.
Helena: One of the people who was on the training course for the ISO with us came from an IT background and we brought him on board because of his knowledge of both IT and the ISO. That made life much easier for us because he knew exactly what was required and we trusted his judgement.
Now that you have seen the benefits of an ISO certification would you choose to work with certified businesses in future?
Helena: Yes. I think that we would have confidence that they take the issue of information security seriously and come at it from the same angle.
You mentioned that you attended ISO 27001 training. Do you think that this benefitted you before you went for ISO 27001 certification?
Helena: Hugely. I don’t think you could get through it without the training and I think the way that Certification Europe delivered it was brilliant.
Jerry: We could have brought in consultants but we decided that we would go for the training and I think that it was the better approach to take. It helped to control our costs and we knew then that we would be working with the Info Security systems that we would develop internally.
Helena: I think Certification Europe went above and beyond what was expected. Any questions we had were explained simply, so it was very easy to understand for non-technical staff. Certification Europe was very, very easy to deal with. Certification Europe also made it very easy to get any questions answered with regards to the implementation or the audits that we were doing.
In the beginning when we started off we were terrified of what we would have to do or what we would come up against in the company and even the audits, but as we went on the training courses it brought us to the belief that it was to our benefit; we were not afraid any more, we knew what we had to do.
So we went back and implemented the system and we were not even afraid during the audits because we took it as an opportunity to implement the proper procedures or the proper changes. All the staff saw it as a huge benefit, there was no resistance to the implementation. The way we explained it to our staff was that they could put it on their CVs, “you were involved in the implementation of an ISO 27001 standard in this business”, our Information Security team were hugely appreciative that they were asked to be involved.
Helena: Even since we have achieved the ISO 27001 we have now discussed going for ISO 9001 quality management.
Company Profile – Certification Europe
Certification Europe is an accredited certification body which provides International Organization for Standardization (ISO) management system certification and inspection services to organisations globally.
ISO Standards provide a recognised framework to achieve best practice management. Certification Europe can certify your organisation to Quality (ISO 9001), Environmental (ISO 14001), Health & Safety (OHSAS 18001), Energy (ISO 50001), Sustainable Event Management (ISO 20121), Business Continuity (ISO 22301), IT Service Management (ISO 20000) and Information Security Management (ISO 27001).
The company currently assesses over three thousand organisations internationally on an annual basis. Clients range from micro enterprise to multinationals and include Government Departments, State Bodies and private organisations. Headquartered in Dublin, Ireland, Certification Europe has additional operations in the United Kingdom, Italy, Turkey and Japan.
Company Profile – Legal & Credit Management Services
LCMS Ltd is an indigenous Irish company which provides credit management and debt resolution services to small, medium and large private organisations and public bodies including hospitals, local authorities and universities. The company can guarantee that within 30 days of receiving a block of debt, a substantial percentage of those debts will be paid and the client will receive a professional recovery report with supporting evidence. It is a member of the Irish Institute of Credit Management and the UK Credit Services Association, and is certified compliant to ISO 27001, which is a recognised framework in Information Security Management best practice. Their website is www.lcms.ie.