Informed And Secure

20 September 2010

Costain has racked up what it believes to be another 'first' through achieving ISO 27001 status across the entire Group.

ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of an organisation's overall business risks.

Gaining the standard required months of work, says Tony Blanch, Business Improvement Director.

However, that effort means that both Costain personnel and clients can now be further assured that information held both electronically and on paper is secure.

Systems and procedures are now in place to protect the business against loss of information - either accidentally or through attacks by computer viruses and other means - says Blanch.

"It gives customers additional assurance about the security of any information they have given us, such as design information that they would not want to get into the wrong hands."

A multi-stage process was needed to attain ISO 27001 status.

"We started 12 months ago and during autumn 2009 did a 'gap analysis' where an external consultant came in to see what we needed to do. We already had lots of management systems in place that hold ISO standards, so we plugged any gaps and fitted into existing Implementing Best Practice procedures as necessary."

Some staff members were trained to carry out internal audits, then a 'mass awareness' exercise was rolled out across the business to ensure everyone was aware of ways in which information could leak from an organisation.

"It made us more aware of some of the things," says Blanch. "We've tightened up on the company's Information Communications Technology Acceptable Use Policy and what people can or can't use their computers for, particularly private use in office time." While Costain does not want to impose draconian restrictions on the personal use of computers, it does want to make people think of the potential risks of using unauthorised software, some external websites and social networking sites, and the storage of information on laptops and other portable devices, he adds.

While IT policies, procedures and controls are important, good information security management also involves people's behaviours, so a key aspect of the programme has been training for staff to maintain the 'human firewall' element of the system.

In May the BSi conducted a two-day assessment to check the Group's procedures complied with the ISO 27001 standards. This was followed in August by the full-scale, seven-day assessment to check staff were complying with these procedures.

The August assessment was exhaustive, with BSi personnel even clambering into rubbish skips to check that disposed-of documents had been correctly shredded. They also conducted more than 50 face-to-face interviews with personnel at seven office and project site locations across the UK.

Getting Costain into shape for ISO 27001 took "an awful lot of man-hours", says Blanch, but it has given the Group an enviable status. "We can't find anybody else in the construction sector who has got this." Some rivals have individual departments that have gained the accolade, but as far as both the BSi and we know, no company holds this across-the-board status.