What challenges were you and your team experiencing prior to working with us – what prompted you to seek a solution?
As we run lotteries, there is a legal requirement that we hold a Gambling Commission licence. One of the conditions of the licence is that we have to undertake an annual audit to ensure that we meet The Gambling Commission’s Technical Standards. We are assessed against particular sections of ISO/IEC 27001:2013. It’s important to ensure that you have the best processes in place, the right documentation to support them and you are continually driving improvement. It’s not about box-ticking for us, it’s about doing it the right way.
How did you go about searching for the solution and services?
We began our research on Google and identified four potential partners. We ran a mini-tender process based on cultural fit, service levels and value.
Please describe the reasons you decided to work with us.
It was Evalian’s professional and friendly approach. Evalian® were focused on developing a long-term relationship and improving our ways of working. They weren’t interested in just getting us through an audit. This was key to us as cyber security is so important. If you get it wrong it can literally close your business.
Did you have any expectations going into the process?
I’ve had some technical audit experience through tender processes in the past. We’ve been at the preferred supplier stage and have been sent auditors to ensure that we meet the necessary security requirements. It is something that is becoming increasingly common. I expected a fair but challenging dialogue with Evalian®. I found them to be collaborative and supportive throughout. It’s quite a difficult process to go through an audit of this type but Evalian’s team made it really straightforward. They were always on hand to help us.
Can you describe the process we took your business through and anything you learnt about your own business through working this way?
Evalian® began with a gap analysis. We were fortunate to have already put most of the documentation in place. However, with Evalian’s help, we realised that there were areas where we could demonstrate improvement. The big learning for us was implementing monthly reviews. You need to be able to demonstrate that you have the policies, you’re following them, reviewing them and making necessary updates on an ongoing basis. It’s quite a commitment but it’s hugely important. When we have our next audit we will have the evidence to show that we are working in the right way. It’s been a transformative experience for us as a business.
Were there any challenges you found along the way, and how did you feel we, or your consultant, helped to support you through that?
None of it was stressful thanks to the support we received from Evalian®. The gap analysis was straightforward, it was half a day’s work but it gives you a real picture of what you are doing correctly and where there is room to improve. The audit wasn’t stressful either. I felt sorry for the team conducting it though, four hours of asking questions! That said, it was conducted very professionally throughout. We did the prep work following the gap analysis and put quite a bit of time into creating the documentation. It’s important to ensure that you have version control so that every time these things are changed, they’re reviewed and updated.
What changes did you make as a result of working with us?
The biggest challenge is post-audit. On the first Thursday of every month, we review our documentation and processes in detail. We check audit logs, ensure that all actions from the previous meeting have been completed and make any necessary changes to processes. Working with Evalian® has made us realise that we need to apply this methodology to other areas of our business too. As a direct result of the audit, we’ve put in place a separate monthly review to monitor our compliance with the Gambling Commission Licence Conditions and Codes of Practice. This is hugely important – it can impact our operating procedures, lottery rules and terms and conditions.
What has been the most significant achievement for your business facilitated by using our services?
Evalian® has helped give us the reassurance that we are doing things correctly. They are on hand to support us and provide any advice that we may need. We all know how serious a data breach can be, especially in a highly regulated area like ours. The team at Evalian® have given us confidence that we have a comprehensive range of procedures in place to minimise risk.
What impact have the results from working with us had on your clients/stakeholders?
I think that it’s fairly unlikely that our clients will notice any difference, which is a good thing. Behind the scenes, we’ve become more focussed on the threats that are out there. We have implemented policies that are reviewed continually to make everything safer for our clients, their supporters and for ourselves. Everything has been improved immeasurably.
What do you hope to achieve in your future working relationship with us?
It feels like we’re going to have an ongoing relationship. We’re in the process of completing Cyber Essentials PLUS and I’m very keen to find a way of putting ISO 27001 in place. We will continue to have our annual audits but we are very happy with the way things have progressed with Evalian’s support.