Issue 47 – March 2013
This case study first appeared in the International Organization for Standardization's (ISO) ISO Focus+ February 2013 and is summarised here with permission from ISO. It was written by Manabu Yamamoto, Managing Director of IIJ Exlayer, Europe and Prof Edward Humphreys, Convenor of the ISO/International Electrotechnical Commission (IEC) working group for information security Standards. The case study illustrates how ISO/IEC 27001 certification is proving popular among small and medium-sized enterprises (SMEs) in general, and IIJ Exlayer Europe in particular.
Act to prevent
IIJ Exlayer Europe's own management system is certified to ISO 9001 Quality management systems – Requirements and ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements, and also conforms to ISO 22301 Societal security – Business continuity management systems – Requirements. Its integrated management system (IMS) covers all three Standards.
The company believes that a management system is actually a management philosophy. Its directors have therefore wholeheartedly embraced the Deming principles of Plan-Do-Check-Act, including in all meetings of the Board.
IIJ Exlayer Europe has a paperless office.
The documented information required by the Standards is maintained in a database and presented to the reader through a browser interface. To do this the company uses IMS-Smart technology and has embraced the IMS-Smart management system philosophy.
Part of this philosophy is a scenario-based risk assessment and risk treatment method that analyses the likelihood of a quality, security, or disruptive event occurring, and the consequences if it does. Because the results are expressed in business terms, the method serves as a management tool rather than a purely technical exercise.
By regularly using IMS-Smart, IIJ Exlayer Europe's directors have taken ownership of the risk management problem and its solution. It is then a simple matter for them to accept responsibility for the Check and Act processes, exercised through the review and audit functions. This ensures that the management system delivers on their expectations.
A particular use of the IMS-Smart risk assessment/risk treatment method has been to identify and design IIJ Exlayer Europe's quality controls. Starting with the product life cycle, the directors identified what could go wrong at each stage and how it could be prevented, or otherwise detected early enough to act before an undesired consequence occurred.
These quality controls are enforced through an in-house-developed workflow application called ExJob. From its inception as a customer enquiry, a project cannot be progressed to the next stage until the responsible manager, sales person, or engineer has performed the necessary work and obtained the necessary approvals. ExJob covers all marketing, sales, engineering, and support activities, including goods inwards and billing.
Staff competence and training are dealt with by an equally sophisticated in-house-developed application called ExSas.
IIJ Exlayer Europe's directors first took an interest in management systems in 2003. As a new company, they saw certification as a means to gain credibility in the market and decided that a management system approach would be best. They started by buying an off-the-shelf management system for a few thousand pounds.
However, the directors realised that their actual products and services fell outside the scope of the management system they had bought. They also had to review their strategy after that management system failed to deal with a major quality incident.
What they really needed was an integrated quality and information security management system, implemented on the basis of ISO Standards so that it could be independently audited by a third party. This would demonstrate their quality and information security, validated by a certificate of conformity.
This new recognition led to a change of management system strategy in 2007, when they hired a consultancy and the managing director became a full-time member of the management system development team.
The ISO/IEC 27001 component of IIJ Exlayer Europe's new IMS was certified in 2008, and the ISO 9001 component in 2009. The company successfully underwent reassessments in August and December 2011.
IIJ Exlayer Europe enjoys an excellent working relationship with its chosen certification body. The directors look forward to the two surveillance audits each year, as they provide further opportunities to identify potential improvements.
IIJ Exlayer Europe's certified IMS has come a long way and will of course continue to develop. It has generated respect both in the market and with the management of IIJ Exlayer Europe's parent company.
For IIJ Exlayer Europe, ISO/IEC 27001 has provided:
- a framework for better overall company management
- a stronger customer focus, leading to the better exploitation of business opportunities
- sound risk management, particularly in the key area of information security
- greater security by ensuring thorough preparations for a disaster.
About IIJ Exlayer
IIJ Exlayer Europe Ltd is a Japanese information technology services provider based in London. Formed in 2001, the company provides project management services such as office relocation, system integration services such as the building of geographically dispersed international network systems, and on-site and remote support services.
In addition, IIJ Exlayer Europe provides a wide range of outsourcing and cloud-based services, and offers business and Web-based application development. Its consultancy services include assisting customers with achieving certification to ISO 9001 Quality management systems – Requirements and ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements.
Summarised from ISO Focus+, February 2013.
Note: You can order ISO Standards from www.standards.co.nz or call 0800 782 632 during business hours or email firstname.lastname@example.org. Members of Standards New Zealand receive a 20% discount on all NZS and AS/NZS Standards, and a 10% discount on all international Standards. Visit our membership page for more information.