
Specialist services and solutions for IT governance, risk management, compliance and information security.

Case Study
Workforce Metrics achieves ISO27001
certification in only three months for under £5k!
When Workforce Metrics was founded by Andy Shettle in 2009, the company was
literally just him and his PC.

Andy knew that ISO27001 compliance was often a vital requirement -
particularly when tendering for contracts awarded by local government, the NHS
and the public sector - and the absence of this accreditation could have meant a
lot of wasted time completing additional forms and audits in order to win
business.

Workforce Metrics is a business which handles a huge amount of sensitive data,
such as detailed personnel records for its clients, and the reasons for such an
organisation having strong information security in place in today’s
‘cyber-threatening’ environment are self-evident.

In addition to this, there are the statutory requirements of the Data Protection
Act 1998, which apply to all organisations and are often cited in public sector
tender documents and requests for proposals. These drivers, together with the
rising cost of security breaches in terms of fines, loss of reputation and the
impact on the confidence of stakeholders, mean that there is a growing
requirement to provide supply chain assurance through UKAS-accredited
ISO27001 compliance certificates.

“My best advice to other SMEs that are seeking to comply
with ISO27001? Don’t agonise over how to do it or how long
it will take. Call in IT Governance and let the experts show
you how to achieve the best result. This will save you time
and money, and ensure the desired outcome: ISO27001
certification.”

Andy Shettle, Managing Director

BACKGROUND When Andy Shettle, managing director of Workforce Metrics, planned
for growth in his start-up software business, he was thinking big. His
client base consisted mostly of public sector organisations with over
750 employees on average. These organisations have mature HR
departments that are required by law to manage policy compliance.
Therefore, Andy already understood the growing need to demonstrate
compliance when he started his software enterprise based in Redhill,
Surrey.

Draft Case Study – Workforce Metrics_v1_08112013 www.itgovernancegulf.com Page 1

Case Study Microbusiness achieves ISO 27001 certification in 3 months for <£5k!

Established in 2009, Workforce Metrics is a specialist provider of
employee relations (ER) software to human resource professionals and
HR departments. ‘ER Tracker’ is designed to drive inefficiencies out of
managing ER cases where people-orientated processes are involved.
The company’s software can be deployed either on premises or in the
cloud, and provides visibility of information on dashboards.

With coaching and mentoring support from IT Governance, one of the
most experienced ISO27001 consultancy practices in the world today,
Andy has been able to demonstrate conclusively that SME businesses
with between one and ten employees can adopt ISO 27001
information security certification without restrictive paperwork.

REQUIREMENTS The main drivers for gaining ISO27001 certification were:

1) Partner assurance;

2) Differentiation: Workforce Metrics would gain an advantage over its
competitors, both by having certification and by publicising this fact;

3) Compliance with the requirements of an ever-growing number of
government and public sector prospective clients looking to make
efficiency savings around their employee relations caseload.

To quote Andy:

“Workforce Metrics came into existence to fulfil the growing
compliance needs of HR departments that were struggling to
implement new legislative requirements. As a business, we knew that
the problem of handling these changes effectively was down to
metrics: policy compliance meant having better data in the system.
This is particularly important for the requirements of workforce
monitoring as required under the UK Equality Act: Public Sector
Equality Duty.

“Policy compliance is a legal requirement for HR departments in the
public sector and that means processing and protecting a lot of
highly-sensitive and personally-identifiable data. For example, this could be
information on disciplinaries and grievances, which can be reported
against a person’s cultural background and sexual orientation or
gender, to see if the organisation is treating all employees equally.

“The requirement from our clients is to be secure and by planning and
implementing an ISO27001-compliant information security
management system (ISMS) we are able to offer complete confidence.
With cloud deployments increasing, prospective clients of Workforce
Metrics are seeking further assurances around IG and ISO27001 is an
internationally recognised standard, so it was vital that we had it.


“While Workforce Metrics was acutely aware of the IG ISO27001
standard, we were keen to be led by the experts and so sought the
help of IT Governance. Having researched them extensively, I felt
very comfortable with their knowledge about ISO27001 when I spoke
to an account manager initially on the phone. This was later confirmed
by the expert attention that we received from our dedicated IT
Governance consultant.”

PROCESS Andy was impressed with the project support that he received from IT
Governance: “When I first met Steve [Watkins], I was unaware that
he had written several books on ISO27001. It was only later that I
realised why the advice that I had been given was so authoritative:
Steve is surely one of the most experienced consultants in this field.

“I had heard many stories from clients about how many years it could
take and the cost involved in achieving ISO27001 certification, and
there’s no doubt that some organisations could struggle, should they
be offered poor quality advice. We, on the other hand, achieved our
goal in four months by hiring IT Governance’s Mentor & Coach support
service!

“We focused on using Steve’s considerable skills to transfer to us the
knowledge that we needed to allow Workforce Metrics to run its ISMS
going forward. This ensured that we were able to speedily put the
implementation in place, and that ongoing management was as painless as
possible. Based on the Mentor & Coach support described in their
detailed proposal, the consultancy work estimated was an appropriate
level of investment for Workforce Metrics. Enough for us to obtain the
assistance that we required to embed an ISMS compliant to ISO
27001, measured in days rather than weeks or months of hire cost.

“It was a no-brainer to hire IT Governance to transfer the knowledge
that we needed to maintain our own ISMS. For us, this was cheaper
and easier than leaving the whole process to the consultants as some
organisations do. However, I can see why managers with little or no
experience of standards compliance would opt for the ISO27001
FastTrack™ option that IT Governance offers microbusinesses (19 or
fewer employees), whereby the responsibility for setting up the ISMS
is outsourced to IT Governance consultants. Likewise, I understand
why a Managed Service option, to maintain this going forward, would
be attractive to smaller enterprises. However, in Workforce Metrics’
particular situation, with our team’s highly-developed understanding
of compliance requirements for workforce legislation and international
standards, it made sense to develop the skillset to manage ISO27001
compliance internally.”

As part of the support, IT Governance trained Andy on a public ISMS
Lead Auditor course. Andy says: “I wanted to take the IT Governance
Lead Auditor course to understand the mind-set of a qualified
ISO27001 auditor. The training was interactive and gave me an
excellent insight into the processes involved. I would recommend the
IT Governance approach as you are trained by practicing information
security consultants who know what you need to do to comply with
the requirements of the standard.

“My experience of IT Governance was of an organisation that is easy
to work with and which can achieve results fast through their intensive
training style and the invaluable experience of their consultants. When
the certification body assessor from The Audit People arrived for the
Stage One audit, I think that he was surprised that most of what was
needed was already in place. For example, we had our policies,
procedures and controls for file encryption and protection of
personally-identifiable confidential client data already in place. Our
ISMS was also clearly, but succinctly, documented.

“Our consultant made sure that what we had in the ISMS was right for
our situation: enough to ensure that we complied, but not overkill for
a small firm. So many smaller organisations spend too long carrying
out risk assessments and creating unnecessary documentation that
they imagine (or are told) is a requirement of putting the ISMS
together. The object though is an ISO27001-compliant information
security management system, and that can be achieved in a way that
works for small businesses as well as larger companies. We received
only two recommendations for improvement during Stage 1, and by
the Stage 2 external Audit, our ISO27001 ISMS passed first time with
one minor non-conformance recorded that was easily addressed.”

OUTCOME Thanks to coaching and mentoring support from IT Governance,
Workforce Metrics passed their Second Stage audit conducted by The
Audit People, a UKAS-accredited certification body. As a result, they
were issued an ISO27001 certificate in November 2013, less than four
months after Andy engaged IT Governance.

In Andy’s words: “IT Governance helped us to pull the whole thing
together in much less time than we were led by some sources to
believe. I would recommend that if you want the result of
UKAS-accredited certification in a timely manner, you should consult IT
Governance first! By taking this route, we have gained valuable status
in our dealings with existing and prospective clients, and I am
confident that certification will help us to gain business by providing
the appropriate level of assurance.

“My best advice to other small businesses that are seeking to comply
with ISO 27001? Don’t agonise over how to do it or how long it will
take… call in IT Governance and let the ISO27001 experts show you
how to achieve the best result. This will save you time and money,
and ensure the desired outcome: ISO27001 accredited certification.”

Elaine Hanaghan, Director of UKAS-accredited certification body The
Audit People said: “It is important that every size of organisation,
large or small, endeavours to take Information Security seriously
especially with technology and regulatory requirements changing more
frequently than we care to imagine. It doesn’t have to be difficult to
comply with ISO/IEC 27001: in fact most organisations find that they
have already identified their information security risks and have the
majority of controls in place to manage the information security
requirements in relation to their own activities or processes. In terms
of auditing, Workforce Metrics was able to prove that it has a robust
and effective information security management system in place and it
took less than one month between the first and second stage audits to
become fully certified!”

Steve Watkins of IT Governance adds: “It has been reassuring to know
that the test of applying years of experience implementing ISO27001
compliant information security management systems into the smallest
of businesses - in a manner that really works for these companies -
has met with resounding success. Workforce Metrics now has a
light-touch, systematic approach to managing information security that
serves its business well and delivers the assurance that was required –
accredited certification to ISO27001.”

Just as we have helped Workforce Metrics to achieve ISO27001 compliance on time and
within budget, we can help you. Email us today at servicecentre@itgovernancegulf.com

About Workforce Metrics

Workforce Metrics is one of the UK’s fastest growing employee relations software
providers. With its highly configurable, web-based software solutions, Workforce
Metrics helps HR departments improve compliance and increase the visibility of
information within their organisations so that efficiencies and profitability are enhanced.

Workforce Metrics is the UK’s only provider of ‘ER Tracker’, a flexible and adaptable HR
software solution, designed to address and reduce the inefficiencies commonly
associated with employee relations cases. With a focus on diversity, fairness and
privacy, ER Tracker helps to ensure the equal treatment of all employees, in line with
all aspects of latest government legislation.

Navigate to Workforce Metrics’ range of products to find out more about ER Tracker:

Telephone: 01737 852 317 Email: info@workforcemetrics.co.uk

www.workforcemetrics.co.uk/home

About The Audit People

The Audit People are an ISO/IEC 27001:2005 UKAS-accredited certification body. UKAS
accreditation means that The Audit People is a recognised certification body that has
been able to demonstrate competence, impartiality and performance capability.

The Audit People are committed to ensuring that a personal and impartial audit is
conducted by competent auditors, and welcome enquiries and questions concerning the
audit and certification process.

Telephone: 0800 6123577 Email: audit@theauditpeople.com

www.theauditpeople.com

About IT Governance

IT Governance has substantial real-world experience in designing and implementing IT
Governance, Risk and Compliance-related management systems. Founded in 2002, we
are a professional services company with a wealth of consultancy skills that originally
focused on information security/cybersecurity standards, notably ISO27001. We have
an impressive track record of more than 120 consultancy clients successfully
certificated to ISO27001 alone.

We have since developed our offerings into various other management disciplines and
now provide a comprehensive single source of information, advice, books, toolkits,
software, consultancy and training for IT governance, risk management, compliance
and IT security testing.

E-mail: servicecentre@itgovernancegulf.com

Web: www.itgovernancegulf.com

