Information compliance audit
The relevant standards for information compliance include ISO27001 (information security), ISO15489 (records keeping), BIP 0008 (evidential weight of electronic information) and The National Archives guidance and requirements for records management.
The relevant legislation for information compliance includes the Data Protection Act and the Freedom of Information Act. (Information compliance aspects of the Local Government Acts may also be relevant to some clients.)
The relevant regulations include not only the data handling (‘Hannigan’) and information assurance (‘Coleman’) requirements, summarized as Cross Government Actions: Mandatory Minimum Measures, but also the Information Commissioner’s Office guide to privacy impact assessment, the Central Sponsor for Information Assurance policy on confidentiality impact management, the Manual of Protective Security and security notices, especially S(E)N 2007/04 (on the use of the PROTECT marking), and – for risk management in general – the Treasury ‘Orange Book’.
This regulatory environment covers information systems in the broad sense of the phrase, i.e. policies, processes, procedures, culture, equipment, facilities and technology.
The requirement for its assessment may be summarized in the following objectives:
- Set organization and information strategies
- Identify the procedures and practices in the client to which legislation and regulation (and, if relevant, standards) apply
- Appraise these procedures and practices against the compliance requirement
- Provide recommendations for remedying practices which are counter to compliance
- Outline a road map of the activities to implement the recommendations, prioritized by relative benefit and cost
- Define and document a process for monitoring and maintaining compliance in the future
Bramble.cc approach
We aim to reduce the risk to our clients of adverse operational and reputational damage through poor information handling or the inability to demonstrate good information handling.
The independence of our review is an essential component, providing external validation of existing practices and an unbiased assessment of any remedial activities and their relative benefits.
The review is complementary to our clients’ own, internal audits of their information assurance regime, not a replacement for them. It will, nevertheless, also provide an assessment of current practices and recommendations that might otherwise have followed from an internal audit.
For example, in the area of privacy impact assessment (PIA), our review will not undertake PIAs, but it will recommend on which information systems or assets such assessments should or should not be undertaken (if they have not already been).
Proven toolkit
Bramble.cc accelerates the review by drawing upon previous experience and existing material. Bramble.cc has developed a toolkit and supporting method to assess the criteria contained in Cross Government Actions: Mandatory Minimum Measures, following the structure provided by The National Archives’ guidance Managing Information Risk, A guide for Accounting Officers, Board members and Senior Information Risk Owners.
Our toolkit identifies the evidence required to demonstrate compliance and cross-relates it to the criteria in a spreadsheet that facilitates collection of the evidence during the investigation step and automatically summarizes it in an immediately usable form.
An example summary chart is provided on the right.
Our method streamlines the process of gathering information and allows us to present the results rapidly – tailored and specific to the organization – in a meaningful breakdown.
We approach the work in three steps:
1 – Investigation
From an initial meeting (lasting approximately one hour) with each of the directorate heads (corporate services, delivery/regeneration and planning), we identify appropriate contacts (‘process owners’) for more detailed questioning and gain high-level evidence for the review. From process owners we gather the bulk of the evidence for compliance (in meetings lasting approximately two hours).
2 – Drafting
Analysis of the evidence collected in step one will enable us to identify significant findings and draw conclusions, from which we produce draft recommendations for remedial activities.
3 – Discussion and delivery
We discuss our findings, conclusions and recommendations with the work’s sponsor in order to agree priorities and sensitivities, and then finalize our report. We then offer this for final review and sign-off. We provide the spreadsheet of data on which it is based as an annex to the report.
