ISO 27001: 2013 – Achieving a key contractual obligation for Community Rehabilitation Companies (CRCs)

Few people in probation had heard about ISO 27001 before receiving their Community Rehabilitation Company (CRC) contract.  The standard is one of the mandatory obligations the new owners will need to deliver.  It’s the subject for our fourth of the five things a CRC needs to do well in future.

There are many contractual obligations that new owners need to deliver on, but one that is likely to challenge them is ISO 27001, especially the new 2013 variant, which is far more focused on information management and leadership.  Some Trusts had been working towards the 2005 version of the standard; however, NOMS told them to stop early in the TR process.  Now they have to start all over again, and time is of the essence to demonstrate confidence and assurance for partners and the commissioner.  Smart leaders will not wait for the new owners; even if those parents have achieved ISO 27001 accreditation, their scope and applicability will not reflect the work of probation.

If I were a CRC leader, especially a multi-trust CRC, I’d have the new standard at the heart of my organisation change process.  It would have an accredited approach to information risk management integrated in a lean delivery model, and avoid something being bolted on later that increases costs and compromises desired ways of working.  I’d also start on core operations and partner work, less so back office and support services per se just in case the new owners can embed that latter capability quickly.

Why has the government mandated ISO 27001 for CRCs?

It is a clever move by government.  The whole purpose of this standard is ensuring the integrity of how information is managed and addressing information security risks.  This is crucial in a complex CRC supply and service delivery chain.

With sensitive information like offender data flowing around and multiple parties involved in information transfer, the risk of something going wrong is huge.   Imagine the increased involvement of voluntary and other third sector providers in a new supply chain, along with lower levels of trust for statutory partners in police, health and other agencies.  ISO 27001 should give each of those stakeholders more confidence, and that builds trust, which helps lower cost and increase speed of delivery.  But first the CRC needs to achieve it, and may also require it of partners and suppliers to have greater assurance.

The role of the leader is crucial in ISO 27001, as the new 2013 standard looks for evidence that information security is at the heart of the organisation.  There are over 130 activities that need to be delivered and demonstrated to satisfy auditors, so it's no wonder that CRCs have been given up to two years to achieve accreditation for the commissioner.

Partners, however, will want confidence and assurance from day one, yet such a significant standard will probably take CRCs most of the two years to achieve.  Smart leaders will therefore start now and look for new ways of working that enable them to get the core of their job done and have information security ‘built in’ to that work.  It should not be treated as an additional job to do. We can help with that, as we already have the accreditation and it’s all delivered via pam in a digitally efficient, effective fashion.

Managing information risk is at the heart of the standard

Probation knows how to manage offender risk well, and has been used to working to consistent standards for its approach to corporate risk too. Key to the new 2013 standard is the management of internal and external risks around information transfer.  Every probation customer used pam for its risk management, adopting our specialist tools that met NOMS PC02 2007 standards.  We have adapted that map and created a policy to meet the needs of the ISO 27001: 2013 requirements, which include reflecting the impact where confidentiality, integrity and availability change, and other standard-specific criteria.  In addition we have also developed an applicable legislation map, and both of these will make the job much easier and keep the accreditor happy!  An extract from the 27001: 2013 map is shown below:

[Image: 27001 risk map in pam]

ISO 27001 impacts suppliers and other important relationships.

Whilst the standard explicitly sets out expectations for managing suppliers, it is less clear about other important relationships.  It does, however, expect a clear understanding of all interested parties and all internal and external issues, so this is going to be significant for probation with its statutory agency partner relationships.  And working in old paper-, email- and meeting-based ways, with fragmentation in the delivery system, is going to be a massive risk for probation (and no doubt for its suppliers, who will also find themselves pushed by probation to achieve the standard, with other parts of government pushing agencies to achieve it too).

In summary: where pam can help you deliver 27001: 2013

I’m not going to write about the other 130-odd requirements, controls and policies here, but we have already achieved ISO 27001 at Alliantist and know what it takes for success.  It won’t surprise readers to know we have achieved that with pam as our main digital delivery platform, and pam enables effective delivery of many of the requirements, specifically those expressed in the image below:

Get in touch now to see how we can help on this subject and the other areas where the CRC needs to excel.
