Law firm Irwin Mitchell has completed an 18-month project to attain BS7799 accreditation, enabling it to demonstrate compliance and quality throughout its IT department.

Irwin Mitchell works with insurance companies. A key driver for accreditation was the need to provide these partners with evidence of its data security policy.

Richard Hodkinson, IT and operations director at Irwin Mitchell, said, "We were being asked to produce reams of paper to provide evidence on data security. It is easier to say we are BS7799-accredited."

To achieve the certification, Irwin Mitchell had to adopt 127 controls specified under BS7799, covering areas such as data back-up, perimeter defence and a policy stating how patches should be applied. "You have to prove categorically that you can protect confidential information," said Hodkinson.

The standard covers non-IT issues such as having a clear-desk policy and the physical security of the building and server room.

Rather than let IT staff audit themselves, Hodkinson set up a team of four non-IT staff to manage BS7799 compliance. "The compliance team manages the audit and the IT teams produce the evidence," said Hodkinson.

To help with the auditing process, Hodkinson used the netSurity iQSM online auditing tool.