Law firm Irwin Mitchell has completed an 18-month project to attain BS7799 accreditation, enabling it to demonstrate compliance and quality throughout its IT department.
Irwin Mitchell works with insurance companies. A key driver for accreditation was the need to provide these partners with evidence of its data security policy.
Richard Hodkinson, IT and operations director at Irwin Mitchell, said, "We were being asked to produce reams of paper to provide evidence on data security. It is easier to say we are BS7799-accredited."
To achieve the certification, Irwin Mitchell had to adopt 127 controls specified under BS7799, covering areas such as data back-up, perimeter defence and a policy stating how patches should be applied. "You have to prove categorically that you can protect confidential information," said Hodkinson.
The standard covers non-IT issues such as having a clear-desk policy and the physical security of the building and server room.
Rather than let IT staff audit themselves, Hodkinson set up a team of four non-IT staff to manage BS7799 compliance. "The compliance team manages the audit and the IT teams produce the evidence," said Hodkinson.
To help with the auditing process, Hodkinson used the netSurity iQSM online auditing tool.