Azets UK Achieve ISO 27001:2022 Certification with Support from Bridewell

Azets UK is a specialist accounting and business advisory firm providing locally delivered audit, payroll, corporate finance, tax and business advisory services from more than 70 offices across the UK. To demonstrate their commitment to information security to their current and potential future clients, Azets UK were looking for a cyber security partner to help them achieve ISO 27001 certification.

The Challenge

Across their wide office network in the UK, Azets UK has over 3,800 employees delivering everything from accounting to tax, audit, advisory and business services to over 80,000 clients and as part of the larger international Azets business works with colleagues in the Nordics and Europe.

Given the scale of their business, meeting all the specific controls outlined in ISO 27001 was no small task. Specifically, ISO 27001 demands complex documentation that can be difficult to produce with limited resources and time. Azets UK were also looking to engage a wider range of their senior stakeholders with their ISMS.

The Solution

To start Azets UK on their journey to certification, we first delivered an ISO 27001 gap analysis to identify any areas that would require improvement to pass an audit. This analysis was based on a series of detailed workshops conducted by our consultants with Azets UK key stakeholders, including their CEO, CTO, Director of Security, HR, and Procurement.

Through these workshops, we identified that while Azets UK was already mature in its approach to information security, they would need to make some changes to meet specific ISO controls. Additionally, many of their policies and procedures, while aligned with best practice, weren’t formalised and would benefit from formal documentation.

These findings were shared with Azets UK in a report, which led directly into a 12-month project where our consultants supported Azets UK in implementing the recommendations outlined in the report.

This implementation project consisted of:

  • Incorporating Azets' risk management framework into the ISO 27001 risk register
  • Performing risk assessment workshops
  • Drafting new policies, procedures and standards
  • Supporting with the design and implementation of new and improved information security and data protection controls.

To assess how the project was going, we also developed KPIs to monitor and measure security performance throughout the duration of the project. This was further supported by the establishment of an Information Security Leadership Board (ISLB), which held monthly meetings to review how the project was progressing, keep stakeholders up to speed on the project, and clearly define their roles and responsibilities.

“Throughout the project, Bridewell were easy to work with and managed the project effectively. In particular, we benefitted from the weekly meetings they held with our control owners to review progress against our KPIs and assign tasks to ensure we kept on track to meet ISO 27001 standards by our deadline.”
Colin Lobo, UK Security Director, Azets UK

The Results

Having implemented all the recommendations from the original gap analysis, Azets UK then undertook their ISO 27001 audit. The audit came back with no findings, which was a great result and a testament to the increased maturity of Azets’ ISMS.

“We had no findings in our ISO 27001 audit. They made the certification process straightforward, identifying areas where additional work was needed for the control objectives and what we needed to do to get there. The roadmap they provided, alongside their ways of working, provided a clear structure to the project and made it very manageable.”
Colin Lobo, UK Security Director, Azets UK

In the future, as their ISMS continues to mature, we have already outlined a number of actions Azets UK can take to maintain their certification.