Efficiencies Gained by ISO 27001 Implementation

Client: The client is a large midwestern healthcare plan provider. The company is subject to sixty-plus audits each year from regulators and customers, as well as audits against industry-defined compliance requirements.

Project: Work with the client to implement ISO 27001 in their organization by modifying an already effective information security program to fit the information security management system (ISMS) framework.

Summary: The ISMS was operational and the organization was certified to ISO 27001 in eighteen months. With greater transparency into the information security organization, an enhanced focus on risk management and a formalized governance model, the organization has seen significant efficiency gains in completing common governance tasks. For example, the time required for the organization to prepare for and respond to an audit has been reduced from ten days to around four hours on average. The organization is now continuously audit ready.

Value-add: The organization has broadened and enhanced its information security risk management strategy from being purely technology-focused to providing a major source of input for the organization’s overall enterprise risk management strategy. Based on regular reporting of metrics and measures introduced as part of the ISMS implementation, executive leadership is better informed to make risk management decisions.