How 4way Consulting Paved the Road to ISO 27001 Success

About 4way Consulting
4way Consulting delivers specialist technology consultancy advice and support, improving the safety, reliability and accessibility of transport services in the UK. The business supports local and central governments in managing transport networks through the deployment of technology. The team of approximately 45 people is based mostly in Manchester and Birmingham.
The challenge
The 4way Consulting team were looking to implement ISO 27001 for information security management to complement their existing ISO 9001 quality management certification.
They were also considering ISO 45001 for health and safety (H&S) management, as the business had an existing H&S management system containing material from which they could build out their compliance.
As the business handled sensitive information, ISO 27001 certification was vital to show that 4way Consulting applied information security best practices. They needed a way to implement the standard strategically and save both time and resources.
“We needed to determine the most cost and time efficient way to achieve certification,” said Ian Pengelly, Technical Director for Digital at 4way Consulting. One option Ian and the team considered was to build their information security management system (ISMS) from scratch. An alternative was to adopt the SharePoint-based system that was being used by a sister company. Neither of these options offered the efficiency or centralisation the team were looking to achieve.
The solution
The 4way Consulting team used the IO platform to implement ISO 27001 and are in the process of implementing ISO 45001, as well as migrating their existing ISO 9001 management work into the platform.
The team used the 11-step Assured Results Method (ARM) to progress their ISO 27001 compliance, as well as tailoring the platform’s pre-built policy and control templates.
“When we looked at the IO platform, we realised it actually provided a good way to accelerate the implementation by taking a lot of the base work out of what we needed to do, by having the core document set and a framework from which we could build out. The Assured Results Method guides you through the process, prioritises the document sets that you need to look at and helps you move in the right direction.”
Ian Pengelly, Technical Director for Digital at 4way Consulting
The business also used the platform’s risk register feature to create a summary across ISO 27001, ISO 45001, and ISO 9001. They created a new cluster within the IO platform, linking this to their standards’ risk registers. This provided a consolidated risk register that could then be filtered down to the highest scoring risks and used as a corporate risk register, and allowed the management team to assess and address these risks more frequently.
The intuitive IO platform also supported the business in linking between their risks, assets and controls, providing clarity on how 4way Consulting managed risk in line with the standards’ requirements.
“Another feature we like is the ability to link between the assets, the risks and the controls, so you can see a clear linkage between where your vulnerabilities sit and how you’re controlling those within the business. It helps to tell a really strong story around why you do things and why you put the controls in place.”
Ian Pengelly, Technical Director for Digital at 4way Consulting
In addition, employee awareness and engagement are crucial to continued compliance with ISO standards; 4way Consulting tailored their approach to employee learning based on their policies and procedures in the IO platform.
They shared their documentation with employees, who signed a familiarity confirmation to verify they’d read and understood each document and could also give feedback on areas where they required additional clarification. The team logged this feedback, updated the documents and tracked versions within the IO platform, providing further evidence of employee engagement and supporting their certification.
“It was great to show the auditor that engagement – that we’d helped people to understand documents and taken on board their comments. With that feedback, we made it a better system.”
Ian Pengelly, Technical Director for Digital at 4way Consulting
The business is also developing their learning management system (LMS) with interactive video content, which will enable further feedback, track employee engagement, and can be logged as evidence of compliance.
The result
4way Consulting achieved ISO 27001 certification in 17 months, although the team estimate that this would have taken around 10 months with more resource availability.
Ian shares that the platform’s ease of use led to a streamlined auditing process:
“The auditing team were already familiar with the platform; they found it really easy to go in and interrogate our document sets and provide us with some useful feedback.”
Ian Pengelly, Technical Director for Digital at 4way Consulting
ISO standards require continual improvement, so the team are focusing their efforts on refining their ISO 27001 compliance, undertaking regular reviews of risks and controls, and assessing the business’s risk register. The IO team are continuing to support 4way Consulting as Ian and the team mature their information security management system (ISMS) and look towards their next steps: additional ISO certifications.
“I think the IO team were as enthused about us using the platform as we were about using it ourselves. It felt like they had a level of investment in it, and the fact we’ve been able to celebrate success together has been incredibly positive.”
Ian Pengelly, Technical Director for Digital at 4way Consulting
What's next
Ian and the 4way Consulting team are continuing to implement ISO 45001 for health and safety management.
They are also continuing to migrate their ISO 9001 quality management into the IO platform. In addition, the team are creating training videos with the help of the learning and development team to support the employee onboarding process, maintain existing employee awareness, and ensure suppliers align with 4way Consulting’s information security requirements.