How 4way Consulting Paved the Road to ISO 27001 Success

“The Assured Results Method guides you through the process, prioritises the document sets that you need to look at and helps you move in the right direction.”

Ian Pengelly Technical Director for Digital at 4way Consulting

Key Takeaways

Learn how 4way Consulting:

• Achieved ISO 27001 certification in 17 months without full-time internal resource
• Used the Assured Results Method to streamline compliance and certification
• Are implementing ISO 45001 and migrating ISO 9001 into the IO platform
• Built a bespoke approach to employee engagement and risk management.

About 4way Consulting

4way Consulting delivers specialist technology consultancy advice and support, improving the safety, reliability and accessibility of transport services in the UK. The business supports local and central governments in managing transport networks through the deployment of technology. The team of approximately 45 people is based mostly in Manchester and Birmingham.

The Challenge

The 4way Consulting team were looking to implement ISO 27001 for information security management to complement their existing ISO 9001 quality management certification. They were also considering ISO 45001 for health and safety (H&S) management, as the business had an existing H&S management system containing material from which they could build out their compliance.

As the business handled sensitive information, ISO 27001 certification was vital to show that 4way Consulting applied information security best practices. They needed a way to implement the standard strategically and save both time and resources.

“We needed to determine the most cost and time efficient way to achieve certification.”

Ian Pengelly Technical Director for Digital at 4way Consulting

One option Ian and the team considered was to build their information security management system (ISMS) from scratch.  An alternative was to adopt the SharePoint-based system that was being used by a sister company. Neither of these options offered the efficiency or centralisation the team were looking to achieve.

The Solution

“When we looked at the IO platform, we realised it actually provided a good way to accelerate the implementation by taking a lot of the base work out of what we needed to do, by having the core document set and a framework from which we could build out.”

Ian Pengelly Technical Director for Digital at 4way Consulting

The 4way Consulting team used the IO platform to implement ISO 27001 and are in the process of implementing ISO 45001, as well as migrating their existing ISO 9001 management work into the platform. The team used the 11-step Assured Results Method (ARM) to progress their ISO 27001 compliance, as well as tailoring the platform’s pre-built policy and control templates.

“The Assured Results Method guides you through the process, prioritises the document sets that you need to look at and helps you move in the right direction.”

Ian Pengelly Technical Director for Digital at 4way Consulting

The business also used the platform’s risk register feature to create a summary across ISO 27001, ISO 45001, and ISO 9001. They created a new cluster within the IO platform, linking this to their standards’ risk registers. This provided a consolidated risk register that could then be filtered down to the highest scoring risks and used as a corporate risk register, and allowed the management team to assess and address these risks more frequently.

The intuitive IO platform also supported the business in linking between their risks, assets and controls, providing clarity on how 4way Consulting managed risk in line with the standards’ requirements.

“Another feature we like is the ability to link between the assets, the risks and the controls, so you can see a clear linkage between where your vulnerabilities sit and how you’re controlling those within the business. It helps to tell a really strong story around why you do things and why you put the controls in place.”

Ian Pengelly Technical Director for Digital at 4way Consulting

In addition, employee awareness and engagement are crucial to continued compliance with ISO standards; 4way Consulting tailored their approach to employee learning based on their policies and procedures in the IO platform.

They shared their documentation with employees, who signed a confirmation familiarity document to verify they’d read and understood each document, whilst also allowing them to provide feedback on areas where they required additional clarification. This enabled them to log this feedback, update the documents and track versions within the IO platform, providing further evidence of employee engagement and supporting their certification.

“It was great to show the auditor that engagement – that we’d helped people to understand documents and taken on board their comments. With that feedback, we made it a better system.”

Ian Pengelly Technical Director for Digital at 4way Consulting

The business is also developing their learning management system (LMS) with interactive video content, which will enable further feedback, track employee engagement, and can be logged as evidence of compliance.

The Result

4way Consulting achieved ISO 27001 certification in 17 months, although the team estimate that this would have taken around 10 months with more resource availability.

Ian shares that the platform’s ease of use led to a streamlined auditing process:

“The auditing team were already familiar with the platform, they found it really easy to go in and interrogate our document sets and provide us with some useful feedback.”

Ian Pengelly Technical Director for Digital at 4way Consulting

ISO standards require continual improvement, so the team are focusing their efforts on refining their ISO 27001 compliance, undertaking regular reviews of risks and controls, and assessing the business’s risk register. The IO team are continuing to support 4way Consulting as Ian and the team mature their information security management system (ISMS) and look towards their next steps: additional ISO certifications.

“I think the IO team were as enthused about us using the platform as we were about using it ourselves. It felt like they had a level of investment in it, and the fact we’ve been able to celebrate success together has been incredibly positive.”

Ian Pengelly Technical Director for Digital at 4way Consulting

What’s Next?

Ian and the 4way Consulting team are continuing to implement ISO 45001 for health and safety management, which they expect to be a streamlined process because the business already has a strong approach to health and safety. They are also continuing to migrate their ISO 9001 quality management into the IO platform.

The team are also creating training videos with the help of the learning and development team to support the employee onboarding process, maintain existing employee awareness, and ensure suppliers align with 4way Consulting’s information security requirements.