Alan Calder on IT Governance, information security & ISO 27001

To help Human Resources and Training Managers get the most from their budgets we have introduced our new IT Governance Training Passports. In a single purchase, these allow organisations to acquire any combination of IT training, tools and support services from the most comprehensive one-stop shop on the Web. Discounts are offered on all chosen items, whether used immediately or at a future date, making them ideal for public and private sector organisations needing to purchase training ahead of their annual budget deadlines.

Training Passports are offered in three grades: Bronze (£5,000 + VAT), Silver (£10,000 + VAT) and Gold (£15,000 + VAT). Through IT Governance’s Training Gateway, Training Passport holders can access the Web’s widest range of accredited, professional IT training, which is available across the UK, and receive discounts of up to 30 percent:

* On every classroom course, including Basel II, BCM & BS25999, CISA, Cisco, CISM, CISSP, EC Ethical Hacking, HDI, ISO20000, ISO27001, ITILv2, ITILv3, ITIL bridging, Microsoft, MoR, MSP, Prince2 and Sarbanes Oxley.
* On every distance or e-learning course.
* On every exam guide, subject manual or other training material.

All bookings are made through IT Governance’s friendly and efficient team of training consultants, who can advise on how to get the maximum benefit from a Training Passport. Furthermore, these consultants can advise of additional late-booking discounts that IT Governance is often able to negotiate with training suppliers.

These discounts and the variety of options available allow HR and Training Managers to get the maximum value from their existing budgets. As purchasers receive just a single invoice for multiple courses and products, rather than needing internal expenditure approvals for each, this also saves significant administrative time and effort.

Although Training Passports enable courses to be purchased in advance, they offer flexibility, since delegates’ details need only be finalised at a later stage once the ideal course and location have been chosen. They also assure organisations of the most up-to-date training, as each Passport remains valid for all courses and products offered by IT Governance until it has been fully used.

Part of our business is advising companies that wish to become ISO27001 certificated and we are delighted that two clients recently passed their independent audits with flying colours. Gemserv is an independent consultancy in the energy sector while Easynet is a network management and hosting company owned by BSkyB. In each case we worked with them to scope and set the critical path for their compliance project, provide the necessary training for their in-house project team and then act as on-call coach throughout their risk assessment, risk treatment and pre-audit phases.

From working with various firms we have identified the several factors that determine how quickly they will succeed in achieving ISO27001 compliance. To any organisation about to embark on this process we make the following strong recommendations:

1. Get senior management buy-in from the outset – if you don’t, you won’t get the money, time and resources you need and will find it harder to get other colleagues to play their part.
2. Establish a project board, including a senior sponsor and a well qualified project manager, and a motivated project team to run the process day-to-day.
3. Choose and use a good project management methodology – the compliance process reaches right through the organisation and has many interlocking parts; if you don’t keep a tight grip it can quickly slip out of your control.
4. Communicate and train at every level – not only does your project team need to be given the skills and knowledge for their task, but all your other colleagues need to understand what is being delivered and why. If not, your work may quickly unravel.
5. Lastly, recognize that there is no end point to the project – becoming certificated is just the start; you have to make the information security management system an ongoing part of your business and broadcast this message consistently from the start.

According to a new study of 500 IT and HR professionals, 45 percent of businesses fail to train staff in handling sensitive corporate data, and 46 percent have no plans to introduce such training. With Marks & Spencer providing the latest proof of how easily personal records can fall into the wrong hands, I can only hope that this survey is unrepresentative. At IT Governance, we stress at all times the vital importance of internal communications and training as vital weapons in safeguarding information assets. To think security can be achieved without this is self-deluding.