Apr 2021
Helping People's Postcode Lottery earn the gold standard in data security
People's Postcode Lottery (PPL) has raised over £700 million for good causes since 2005. With players trusting them with personal data, and the Gambling Commission watching closely, security isn't optional. But PPL didn't want to do the minimum. They wanted ISO 27001:2013 certification - all 114 controls, not just the subset the regulator requires.
"Waterstons worked side by side with us like one of the team to make sure our ISO 27001 project was not only a success but delivered real value right across the business. Following certification, we can now send a clear message to both players and regulatory bodies that security is of paramount importance to our organisation."
John Young, IT Security Manager, People's Postcode Lottery
We'd been through the same journey ourselves, so we knew exactly where to start.
What we did
We ran workshops across every department to map the people, processes, and technology that keep PPL running. That gave us a clear picture of critical assets, key systems, and where the risks sat. From there, we built a prioritised risk treatment plan and got to work across three streams in parallel.
- People. We updated staff handbooks, designed a tailored security awareness programme, and set up a security forum to keep improvement ongoing. PPL's own team ran with it - custom coasters, postcard guides, colour-coded templates. They made it their own.
- Process. We helped PPL build an Information Security Management System: one place for all relevant policies and procedures. Working across departments, we made processes more secure and, in many cases, more efficient.
- Technology. Working alongside PPL's IT team and developers, we reviewed key systems, implemented encryption, moved logging offsite, and made sure data would stay available even in a disaster scenario.
Finally, we trained PPL staff as internal auditors so they could keep the programme running without us.
The result
External auditors confirmed PPL met the full requirements of ISO 27001:2013. Every one of the 114 controls. Certified.
Players can be confident their data is protected. Regulators can see that security is taken seriously. And PPL now has a framework to manage new risks as the business grows - without needing to call us every time.
An unexpected bonus: colleagues flagged that cross-department collaboration improved significantly. The security programme gave teams a shared language and consistent processes for change management. Security and efficiency, together.
85% of our work comes from repeat business and referrals. Engagements like this one are why.