Client: Confidential
Sector: Transport
Location: GCC
Background
The Entity is a joint venture company between two major transport companies, one in the GCC and another in Europe. The Entity was awarded the contract for Procurement, Operations & Maintenance of a big-ticket transport project for a major city in the GCC.
The Entity operates in 80 routes with 1,000 buses & 4,000+ employees.
As the entity has a good network with a large number of buses and employees, any disruption in its services would not have only been detrimental to the company’s reputation but could also result in a major transport service disruption. Therefore, the entity wanted to ensure the continuity and resilience of the bus network.
The Entity wanted to protect its business information and run the service smoothly and hence wanted to take advantage of securing its business by getting itself certified for an Information Security Management System (ISMS).
Though certification is not mandatory, the entity understood that getting certified would not only ensure the company secures its business information and protect it from disruption but there is also a potential of securing more projects as more companies would want to do business with the entity considering it is certified for Information Security Management Systems (ISMS).
Gorisco Solutions was engaged to help in not only ensuring business continuity but also helping them with the certification of ISMS. The solution included proper implementation of Information Security Management Systems (ISMS) ISO 27001:2013.
Our Approach:
The following major activities were executed by us:
Established the scope, the manual, and all the documentation and policies.
Emails and display screens were used to spread awareness among Entity users in terms of security.
The internal audit was completed in November 2022.
The Management Review Meeting (MRM) took place in December 2022.
The incident management process was initiated.
Visitor Management process was initiated in one of the Entity locations.
76% of internal audits findings were closed before the external audit
Induction training was initiated for new joiners.
Security clauses have been included in contracts with the Entity and its employees.
During the management review meeting, open risks were highlighted for prioritizing by the top management.
Gorisco mobilized its expert consultants to conduct activities as listed above. The Entity supported all the activities and provided valuable input. It was an interesting and challenging project that involved extensive discussions, brainstorming, meetings, and interviews with the entity to achieve the above-stated objectives.
The Positives
With the good support of the Entity, all activities were completed within aggressive timelines.
The Entity employees are adhering to published awareness mailers. For example, they are taking the awareness email seriously.
Some of the positives of the awareness emails are:
Locking work desktop system regularly i.e., whenever employees take a break from their desks, they are locking the systems on which they are operating.
Employees are displaying ID at the workplace.
3. The employees are now able to identify and escalate information security incidents in the organization courtesy of training provided by us.
Benefits & Values
ISMS implementation clearly and objectively showed the entity their compliance status and level of risks associated with each activity.
Identifying priority (high-risk) activities enabled the entity to refine its business strategies and channel resources to the areas of greatest need. These risks were managed through proper assessment and application of the mitigation plans.
The Implementation process helped the entity become more resilient and confident in its operations.
The ISMS implementation was foolproof as the entity achieved the certification for implementing ISO 27001:2013 with ZERO Major and ZERO Minor non-conformities. Only 3 OFIs (opportunities for improvement) were identified.
It was a cheerful and proud moment for all of us because our work was appreciated by the entity. This project gave us a lot of insight and experience in analysing business continuity and information security requirements in the transport domain.