Security Uplift for ISO 27001 Case Study
Helping Incentive FM Achieve Top Score in ISO 27001 Information Security Accreditation
IT managed services and security uplift for ISO 27001
Incentive FM Group had been using 848's IT managed services for nearly 2 years.
The business wanted to achieve the ISO 27001 information security certification and therefore needed a security uplift.
848 created a plan to achieve this without disrupting operations or end users.
They rolled out new processes and contract changes that would guarantee compliance and uplift security.
The team supported the client seamlessly through the audit process.
The client was awarded the ISO 27001 accreditation with a top tier score.
Achieving the accreditation has given the client a competitive edge and helped them to win a range of new opportunities.
Formed in 2001, Incentive FM Group is a leading facilities management company with over 3000 staff. They deliver professional facilities management services to 540 clients across the UK. Clients include household names such as Liverpool Victoria, Lloyds Pharmacy, Covent Garden and more.
Alongside full facilities management, Incentive FM has arms delivering specialist services such as fire and security, cleaning, consultancy, and carbon management. They take a fresh and dynamic approach to facilities management, underpinned by transparency, integrity, loyalty, and respect.
Incentive FM had noticed an increase in potential clients requesting that suppliers hold the ISO 27001 Information Security Management accreditation. ISO 27001 is recognised globally as the best practice framework for an Information Security Management System (ISMS). Being accredited showcases compliance with leading security standards for managing data and information security.
Chris Woods, Systems and Project Manager at Incentive FM, explained, “Within the facilities management sector, we see ISO 27001 becoming more of a requirement – from the clients we already look after, to the contracts we’re looking to tender for. Organisations really just want peace of mind that their data is being managed safely, and that they work with a partner who manages their own data safely too.”
The framework is considered best practice as it addresses people and processes as well as technology. However, technology is at the core. Chris said: “ISO 27001 doesn’t just concern IT, but also elements like employee behaviours. However, the IT side is really the main aspect, as that’s where a lot of data breaches and attacks take place with things such as malware and phishing emails.”
As the trusted IT partner to Incentive FM, the 848 Group was the first port of call for support in the audit process and obtaining the accreditation.
At the time of the ISO 27001 project, 848 had been managing and supporting all IT requirements for Incentive FM for just under 2 years. Incentive FM and 848 describe the relationship as a partnership rather than a traditional client-supplier relationship. Part of what makes the partnership work is that both businesses operate under similar values of honesty, transparency, and integrity.
Alisha Henderson, Group Service Manager at Incentive FM said, “The team at 848 are an integral part of Incentive FM Group. We have an open and honest relationship with them, and this makes our partnership work really well.”
After discussing the goal of becoming accredited, 848 crafted a roadmap to guide Incentive FM through the entire audit process, underpinned by their proven plan, build, run methodology.
In the planning stage, the 848 managed services team assessed the accreditation criteria against the current IT provision and established any changes that needed to be made. A key aspect of the plan included the implementation of a security uplift within the existing managed services contract.
848 is Cyber Essentials certified and employs security experts who follow industry-recognised approaches to security such as the zero-trust model. As a result, the IT provision already adhered to leading security practices as outlined by Microsoft and the Center for Internet Security (CIS).
However, to guarantee all criteria would be met – particularly in relation to end-user actions – they made several changes as part of the IT security uplift to mitigate risks and non-compliance.
During the ‘build’ stage, 848 rolled out the new changes and procedures that would add an extra layer of security surrounding IT processes. The team ensured the changes would not negatively impact or interrupt business activities or end-users.
Changes included implementing enhanced encryption, multi-factor authentication, and new identity and authorisation policies across Outlook and Microsoft 365. These use controls such as sensitivity tagging and ‘Do Not Forward’ on email to prevent information reaching recipients who are not the intended users or who are outside the organisation. They also introduced more frequent, in-depth service reporting across Azure, which enables them to continuously review, refine and optimise the security posture.
After rolling out the new changes, 848 seamlessly led the team throughout the audit, a critical stage in the project.
Chris explained, “As a partnership, it worked really well. There were a few things which came up such as processes that didn’t fit the criteria or needed amending to help us obtain the accreditation and 848 really pulled it out the bag. They made the changes to the contract that aligned with the ISO 27001 framework and they provided the documentation that demonstrated our compliance.”
848 was there to answer any questions, explain processes in detail, and provide the documentation to the auditors to demonstrate their expertise in line with security best practice.
The rigorous security practices and proactive support of 848 meant Incentive FM passed the audit with flying colours. The team clearly demonstrated compliance and a dedication to data protection across all IT and related processes to the auditors. This was yet another project success for the two businesses.
Incentive FM were not just awarded the accreditation but marked within the top 5% of those who have achieved it.
This achievement has helped, and will continue to help, Incentive FM win future business. It will also allow them to expand their target markets. ISO 27001 will mean they can more easily offer services in sectors such as banking and wider financial services, where data protection is paramount.
Alisha explained, “Security is so important to all organisations, but even more so in industries that deal with sensitive information. ISO 27001 allows us to approach a wider range of clients and be a leader in what we can offer.”
“When we go out to tender to businesses, whether it’s with the facilities management business, TEC or consultancy, they want suppliers who have a variety of ISO accreditations. Having this helps put us in the leading line with other suppliers, particularly as we’re one of the first to achieve ISO 27001.”
Chris said, “With the way the world is going there will be more of these accreditation projects coming up and we’ll certainly be working together with 848 to reach these.”
The 848 team analysed the criteria of the accreditation against the existing managed services provision and created a security uplift plan.
They introduced new processes and adapted the IT support and services package, ensuring key staff clearly understood the changes. The team then led the client through the audit process with minimal hassle.
848 continues to run the client’s IT with exceptional customer service, supporting end-users with rapid problem resolution.