At Wellcombe Group, we have always taken information security with the utmost seriousness. We recognise that we manage substantial volumes of sensitive data on behalf of regulated blue-chip clients operating in the City of London. This can range from details of how they are implementing transformation programmes to personal information concerning associates working on projects.
For this reason, we undertook the process of obtaining ISO 27001 certification for information security. This certification not only provides our clients with a robust level of confidence in our data handling practices but also offers us the benefit of independent, expert guidance on areas where improvements can be made.
ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), including a risk assessment and treatment process tailored to the organisation, so that the system can be adapted as the organisation’s size and needs evolve.
We were delighted to achieve this certification at our first attempt towards the end of 2023. Our Head of Operations, Danielle Leggatt, led the initiative, so we asked her to share her reflections on the experience and the lessons learned.
How did you find the process?
“We engaged an ISO consultancy to ensure that experienced professionals could provide impartial evaluations of our policies and procedures. Additionally, we brought in a full-time Operations Assistant, the wonderful Elle, who had prior experience in maintaining an ISO accreditation at another company. Her insights were invaluable to us.”
“Our journey commenced with a comprehensive risk assessment based on in-depth interviews with all department heads at Wellcombe Group. This process enabled us to establish a baseline and evaluate our overall approach to risk management.”
“The encouraging news was that our IT infrastructure was robust and sensible, and much of the way we naturally operate already ensured secure data handling. We have a high-quality training programme in place for data security, which all staff members must complete, and good practices are frequently modelled within the team. However, as is often the case in fast-growing organisations, we needed to improve our documentation processes.”
“Rather than outsourcing the drafting of policies, we developed them internally, ensuring they were realistic, practical, and aligned with our existing workflows, avoiding mere box-ticking exercises. We then collaborated with a SharePoint consultancy to create a policy hub, providing straightforward access for all staff members.”
What has been your proudest achievement?
“We had senior management’s full support from the outset, which made securing wider engagement easier than anticipated—albeit with a bit of encouragement. However, I am particularly proud that our team is unafraid to report suspected data breaches. Thankfully, such instances are very rare and often attributable to human error, such as inadvertently clicking on a suspect link in a spam email. Crucially, our team understands that we do not engage in blame games; instead, we focus on resolving issues constructively.”
Did you enjoy the process?
“I must admit that I genuinely enjoy process improvement, and I am particularly pleased with how our new policy hub has streamlined access to critical information. I am also enthusiastic about addressing our identified opportunities for improvement. None of these are critical, but they will enhance our processes. For example, we plan to implement asset labelling to ensure that when rolling out AI tools such as Microsoft Copilot, we do not inadvertently expose classified or confidential information.”