bss is the friendly voice behind many UK government and commercial telephone help and support lines, including healthcare, the 2011 Census, HM Revenue and Customs and the BBC. They provide a reliable and secure service both for their clients, which include the UK government and commercial organisations, and for the people who call for support and advice.

What bss needed

Many clients who want to work with bss understandably want formal assurance that their information will be safe. bss already had many practices and procedures in place to protect data, but wanted to achieve formal ISO/IEC 27001 certification. Doing this would strengthen their standing as a trustworthy partner and create confidence showing clients and the

The challenge

bss potentially works with every citizen in England, Wales and Northern Ireland. It has to safeguard all of their information, whether tax return queries or healthcare details. ISO/IEC 27001 is comprehensive in its coverage of information security and contains many control requirements, some of them extremely complex. Compliance is far from trivial, even for the most security-conscious organisations; full certification is more daunting still.

Our answer

Working with bss, we examined the technical, physical, personnel and procedural issues from an information security perspective. After detailed discussions with bss about their business model and likely problem areas, we analysed the security risk to bss by assessing the many different threats and vulnerabilities they face. The next step was to design a security solution and help with its implementation. Once that was done, we tied it together with business continuity management and auditing.

A success story

In June 2010 the bss UK telephone support service became certified to the ISO/IEC 27001 international information security management standard. bss received ‘go-live’ on time with no outstanding security issues, and now operates an information security management system certified against an internationally recognised standard. They believe the formal certification is a powerful demonstration of their organisation’s commitment to managing information security. It is also a public statement of capability that does not require revealing their security processes or opening their systems to second-party audits. This gives them a head start over the competition and will help them win even more government work: few of their competitors can offer clients independently certified information security as part of business as usual.