Helping a global client improve information security using ISO27001:2022

ISO27001 (formally ISO/IEC 27001) is the most widely adopted international standard for information security management systems (ISMS). An updated edition, ISO27001:2022, was published in late 2022. It revised the Annex A control set, reducing it to 93 controls grouped into four themes (organisational, people, physical and technological) to help organisations structure their ISMS against rapidly changing threats.

Mason Advisory has in-depth experience of applying ISO27001. So, when ISO27001:2022 was released, we leveraged the new standard to review our client’s current ISMS capabilities and create a roadmap for future IT controls, technology risk management, and business continuity.

Challenge

Our client has grown rapidly from a startup, building a high degree of technical proficiency to support its work. In governance terms, however, maturity was lower. Our client also partners with key stakeholders for whom information security is a business-critical consideration.

In this context, our client faced a dual challenge: establishing an information security framework that would protect its cloud-based operations, systems and people, and aligning its controls and standards with those of its ISO27001-compliant partners.

Our client chose Mason Advisory to help it identify its key information security gaps and risks, design a target operating model to address them, and produce a roadmap to reach that target state.

Solution

Our consultants recommended using ISO27001:2022 to guide our client through its ISMS maturity journey. We began with an in-depth health check of existing capabilities and quickly identified three key priorities: planning a robust ISMS maturity strategy, developing a technology risk management framework, and building out business continuity capabilities.

Working closely with our client's Chief Technology, Information and Operating Officers, we mapped out an ISMS target state and a delivery roadmap. The roadmap grouped the ISO27001:2022 requirements into seven releases so that delivery was structured and manageable within our client's operating environment.

We then helped our client create frameworks to address technology and business continuity risks, producing a fully documented technology risk management procedure and a business continuity planning process, both within the framework of ISO27001:2022.

We delivered on our original commitment ahead of schedule. This left a contingency period which, with our client's endorsement, we used to move into the second release. We produced two additional deliverables, an incident management standard and a change management standard, adding value beyond the core scope of work. We also mobilised initial work on releases three to five, addressing key processes across people-related controls, supplier management and recovery management.

Alongside our ISO27001:2022 expertise, we provided project management support, helping our client onboard internal team members and engage wider stakeholders to embed the project deliverables into business-as-usual (BAU) operations.

Outcome

At the end of this engagement, our client has a sound understanding of how to align with ISO27001:2022, a target operating model for information security, and a clear direction of travel organised into discrete stages. It has full visibility of where its information security gaps lie, plus a defined framework and tools to close them, and is equipped to build rapidly on the work we have done together in a logical, prioritised way.

Crucially, our client can move forward knowing that sound controls are in place across its most business-critical areas of information security risk. It can continue to deliver its ISMS maturity roadmap, confident that its information security controls align both with best-practice standards and with key partner compliance requirements.

If you would like to speak to one of our industry experts regarding this case study, email contact@masonadvisory.com.