The client is a leading provider of fulfilment, mailing and handling services for a wide range of blue chip clients, operating a site in the East of England, with a workforce of over 150 employees. They already held ISO 9001, ISO 14001 and ISO 27001, and we had assisted with their certification to ISO 22301.
The client had a well-established information security management system (ISMS), but was finding it difficult to operate and maintain the risk register. This register was a collection of over a dozen spreadsheets and was asset-based, making it too complex for staff to manage without consultancy support, particularly given the small size of the organisation.
Cambridge Risk Solutions adopted a simpler and more pragmatic approach to the risk assessment, considering the risk to business processes. The risk register that had been devised for business continuity was updated to include information security aspects, identifying the nature of each risk and enabling the organisation to understand where a risk could impact more than one management system. The risk register was also updated to allow quality and environmental risks to be added as the client moved towards bringing their existing documentation in line with the updated standards.
For each risk, risk treatments were identified where possible, and risk owners were assigned. Additionally, risk controls were identified and the Statement of Applicability updated accordingly. Senior Management signed off acceptance of outstanding risks that needed to be tolerated, whether due to complexity, cost or the very nature of the risk.
Cambridge Risk Solutions updated all Management System documentation to reflect the changes in the risk assessment and risk treatment processes, and gave training to the information security manager to ensure that the organisation had the competency to be able to take ownership of the process and documentation.
There were a number of benefits for the client:
- A single risk process and methodology that could be expanded out to other Management Systems;
- Greater standardisation of scoring risks due to the use of the same methodology and scales, thus enabling a better understanding of the risk landscape; and
- A simpler risk process that gave the client greater ownership of their risk process.