Business Motivators
The client was the information security department of a large semi-governmental financial organization with presence throughout the country.
- The information security department wanted a third-party validation of the information security services provided to the organization.
- An internationally recognized information security certification such as ISO 27001 would be compatible with the ISO 9001 quality certification already held by the departmental security processes.
The Challenge
The information security department already had very sophisticated and mature information security practices.
- The challenge was formulating a scope around a business function that spanned the country, in contrast to scoping specific information assets contained within a specific span of control, such as a data center.
The Solution
With most documentation already in existence, the project was a scoping and mapping exercise between the existing de facto ISMS and the ISO 27001 requirements. Final documentation included:
- A scope document detailing the information security department functions and how they relate to the infrastructure.
- This clarified the functional span of control.
- An ISO 27001 Statement of Applicability mapping controls to requirements for use in the formal certification and registration process.
The Result
The result of the project was:
- Certification and registration to the ISO 27001 information security management standard.
- Third-party validation of the information security department practices.
Note: HotSkills, Inc. launched Orange Parachute in 2007. This case study may predate the Orange Parachute name and launch, but the work was completed by the same consultancy.
