Information security risk management and ISO 27001 – an interview with James Ellis of Secure and Confidential Documents Ltd

James Ellis is an IT Developer in the electronic documents team and was part of the original team who implemented ISO 27001 in 2009 at Secure and Confidential Documents Ltd (SCD).

Who are Secure and Confidential Documents Ltd?

Secure and Confidential Documents Ltd are one of only a handful of companies in the country who provide data management, typesetting, proof reading, examination paper printing and digital print services in an ISO 27001 secure environment.

The drive for ISO 27001

SCD became aware of the ISO 27001 standard in 2009 and have held certification recurrently since 2010.

“SCD take customers’ security very seriously,” said James Ellis. “We follow a systematic approach to managing confidential or sensitive information so that it remains secure throughout (which means it is kept confidential, available and with its integrity intact). It encompasses our people, our processes and our IT systems.”

What does being ISO 27001 compliant mean to SCD?

“The security of printed and digital print client data is of utmost importance to us and our customers. With ISO 27001, our customers feel reassured that we have the infrastructure, procedures and systems in place to protect their data. The ISO 27001 standard means we are very proactive with audits and risk assessments which keeps us away from potential problems – we can produce evidence, procedures and policies for most scenarios and therefore our customers trust us.”

Manual methods vs. Software

“We had a few ISO 27001 committee meetings to start with where we tried to tackle risk assessments manually; those meetings were long winded and very confusing in the early implementation days,” explained James Ellis, “so we looked for an ISO 27001-compliant risk assessment tool. vsRisk was the first risk assessment product that we tried, we liked it straight away.”

Before using vsRisk, SCD had attempted to complete their information security risk assessments manually. “We had pens, paper and some Excel workbooks to start off with, it was very chaotic,” continued James Ellis.

“We asked a consultant who we had on site (from IT Governance) to show us the vsRisk application and we put a proposal forward to the board based on that experience. It was far easier than using Excel.”

“Compared to Excel, vsRisk has an easy to use interface. The assessment scales and the risk acceptance criteria are an easy to understand and visual way to present risks to the people. vsRisk is a great way to manage and report your risks and present the acceptance criteria to the board for eventual sign off. vsRisk comes with complete piece of mind, we used the technical support on offer and the support we received was great.”

Leave a Reply

Your email address will not be published. Required fields are marked *