People’s Postcode Lottery (PPL) run charitable lotteries to raise money for good causes. To date they have raised in excess of £190 million for over 2,800 different charities.
Due to the nature of their business, PPL are required to abide by the regulations outlined by the Gambling Commission. These regulations extend to ensuring that appropriate security controls are in place to protect players of the lottery. However, to provide greater reassurance to players and regulatory bodies, PPL decided to go for gold by signing up for ISO 27001:2013 certification.
ISO 27001:2013 certification is considered to be the gold standard when it comes to information security best practice. While the Gambling Commission currently requires operators to implement 46 of the security controls outlined within this standard, PPL set out to implement all 114 controls and meet all the requirements of the standard. In doing so, PPL have shown their commitment to protecting the data entrusted to them by players and established their position as a champion of security best practice within their sector.
With 114 controls to implement, the first challenge is knowing where to start. Having been through our own ISO 27001:2013 journey we were able to help them put a plan and structure in place to ensure they met the necessary requirements on time and on budget.
First we designed a programme as to how we would achieve certification, which had 5 simple stages. Step 1 was to work out where they currently were.
To get the full picture we completed a workshop with every department in the business to understand all the critical people, processes and technologies which allow the business to operate.
The outcome of the workshops provided us with a list of critical assets, key systems and important information from all across the business. We then worked with all the PPL stakeholders to identify potential risks and, drawing on our knowledge of security best practice, opportunities for improvement as part of an official risk assessment. A few weeks later we had a “risk treatment plan” which set out a list of prioritised tasks and projects to further improve security across the three key areas of people, process and technology.
Armed with the plan we set about the three parallel streams of People, Process and Technology (Steps 2, 3 and 4):
The “People” stream was focussed on training and awareness – bringing some improvements to existing staff handbooks and designing a tailored security programme to help teams remember the security fundamentals in the everyday. With the help of the creative heads in PPL no sooner had we said “remember to lock your screen” than we were awash with custom drinks mats, postcard guides and colour coded document templates that were used to help deliver clear security messages.
We also set up a “security forum” in the business, which acted as a hub for the teams to provide feedback on changes and raise opportunities for improvement. Finally we put in place regular “management reviews” to ensure that regular security briefings were provided, strategic decisions could be made effectively and direction was provided from senior management.
The “Process” stream was centred on documenting security policies and procedures right across the business. Using existing documentation, we worked with our PPL partners to establish what the ISO standard calls an “information security management system” where all relevant documentation is gathered into one place, helping to make security part of everyday operations.
To ensure business processes were repeatable and the associated risks were understood, we completed a number of workshops with PPL stakeholders. This involved collaboration from multiple departments across PPL and led to us identifying ways to make the process even more efficient as well as more secure.
The “Technology” stream worked closed with PPL’s IT team and software developers to create a “service catalogue” of key systems and their owners. In our review of these systems we considered how information was protected and identified ways to reduce the risk of this data being compromised. We then worked closely with PPL and our technology specialists to implement a number of improvements such as protecting logging information offsite, implementing encryption technologies and identifying ways to ensure data would always be available securely even in the event of a “disaster scenario” such as loss of power which would force relocation to an alternate site.
Once we had covered all the areas outlined in the ISO 27001:2013 standards we set about the final stage of the journey “Review and Improve” (Step 5). We trained a team of PPL staff to be internal auditors able to review the effectiveness of the security processes and systems across the business. Compiled audit reports were reviewed within the Security Forum and actions taken to further improve the effectiveness of security processes across the business. PPL were committed to living and breathing security best practice across their business and not just simply seeing ISO 27001:2013 certification as a tick box process. The review stage was a key part of maintaining the momentum and driving further improvements across the business.
Using the tried and tested cycle of Plan-Do-Check-Act to structure the security programme we had successfully implemented all the required controls outlined by the international standard for data security. In December 2016 and January 2017 PPL invited external auditors to independently assess their new Information Security Management System and it was confirmed that it met the requirements of the standard. Therefore PPL have now been successfully accredited with the much sought after ISO 27001:2013 certification!
PPL are now able to provide assurance to their players and regulatory bodies that security has always been and remains a priority for their organisation. Players of the People’s Postcode Lottery can be reassured that any potential risks to their data are continuously under review and steps taken to protect it using the latest technologies and best practice security processes.
An added and unexpected bonus is that PPL colleagues have also highlighted that collaboration between departments is much improved. The security programme has helped to agree standard processes for change management within the organisation, for example, which is now followed consistently. In addition, the regular Security Forms provide a focal point for improvements to cross department processes, improving efficiency as well as increasing security.
We have also worked closely with PPL colleagues to transfer knowledge and skills which will allow them to effectively run their Information Security Management System without external support. Undoubtedly, as the business continues to grow, new challenges will arise, however PPL now have a framework in place to manage and mitigate new risks and are now well equipped to ensure that the information they handle is protected from the evolving landscape of threats, and provide confidence to both players and regulators, as they continue in their quest to raise even more money for good causes.
Following our ISO 27001 certification we can now send a clear message to both players and regulatory bodies alike that security is of paramount importance to our organisation
Finally this engagement has also shown that ISO 27001:2013 is not an impossible task, but an initiative which can be used to drive improvement right across the business and deliver real value. We were able to work with PPL to ensure that operational effectiveness and the cultural values, which make them who they are, were never compromised by introducing red tape or bureaucracy. As in all our work, we used a pragmatic approach to tailor the standard to meet the needs of their business which allowed them to achieve the Gold Standard in data security.