Acuity Group delivers on the needs of its clients with passion and a commitment to excellence, respecting confidentiality and the obligations involved in transitioning a business, along with the needs and expectations of its clients’ own clients. Delivering compliance and certification to International Standards Organisation (ISO) standards and industry best practices and regulations is an essential element of meeting the level of trust our clients expect.
A leading provider of outsourced call-centres, operating from <200 locations in 25 countries and employing >57,000 staff.
Approximately 600 significant clients, with the top 20 representing a significant proportion of revenue.
A single large technology company was being serviced from 20 locations, with an annual spend of circa $30 million. The client dictated that all their businesses had to be certified to ISO 27001 for Information Security management before renewal of the annual contract.
In addition, another large-scale electronics manufacturing company required compliance with the Corporate Social Responsibility (CSR) standards set out in the Electrical Industry Code of Conduct (EICC).
For the first client, Acuity implemented an integrated management system for ISO 27001 (Information Security) together with ISO 9001 (Quality) for the 20 locations in scope. This addressed the requirements of the specific client, but the certificate scope encompassed all 90 clients supported from the 20 call-centre locations. This was achieved in 9 months, implemented using the Acuity IMS methodology pack. In parallel, Acuity also implemented an enterprise Governance Risk and Compliance (GRC) automation tool, to enable deployment and measurement of compliance systems to all locations globally. The client company was successfully retained for contract renewal.
Subsequently, the IMS methodology was targeted for expansion from 20 locations to 120+.
The CSR programme was focused on the client operations supported from Brazil and was subsequently adopted as a model of good practice for all EICC members, with specific endorsement from Hewlett Packard and Dell Computers.
A global Law Firm, headquartered in the UK, wished to implement a comprehensive management solution for Data Privacy.
The core objective was to meet the requirements of the EU General Data Protection Regulation (GDPR) to be enforced from May 2018. To achieve this, it was necessary to first build a management framework for Information Security, and Business Continuity, both stated as fundamental building blocks to achieve compliance to GDPR.
Acuity implemented its Integrated Management System (IMS) methodology to support ISO 27001 (Information Security Management System), and ISO 22301 (Business Continuity Management System).
GDPR dictates that all business and IT systems be subject to a Privacy Impact Assessment (PIA) to determine the presence, purpose and legal basis for the processing of personal data, and thereby build an asset inventory of personally identifiable data (PID). Acuity worked with the client’s General Counsel to build a comprehensive set of evaluation criteria to collate all relevant information. This was further expanded to design a Data Protection Impact Assessment (DPIA) to evaluate the risk to, and obligations towards, the data subjects represented by the personal data being stored and processed.
A new GDPR module was designed to fully automate the GDPR processes, and to integrate with the Control structures defined and managed within the ISO 27001 and ISO 22301 Acuity IMS.
The GDPR PIA and DPIA methodologies have since been fully automated within the Acuity SaaS RegTech online system.
A global Law Firm, having successfully implemented ISO 27001, ISO 22301 and GDPR in its UK business operations, wished to extend the scope of the ISO 27001 and ISO 22301 certification to the Canadian operations.
The Canadian offices represented the largest Law Firm in Canada, spread across 7 locations with a mix of centralised, and devolved operational responsibilities.
The Executive Leadership Team, made up of the firm’s Senior Partners, determined that they required a new approach to Enterprise Risk Management (ERM). They requested a new ERM Reporting structure be defined and presented within 3 months.
ERM is a ‘forward looking’ risk management solution, unlike most risk practices, which are based upon historic performance measurement and metrics for operational disciplines. Moreover, the reporting needed to be based around consistent ‘corporate’ Pillars of Risk, to give consistency across the Firm whether management responsibility was centralised or local.
Acuity designed a Risk Structure based around Risk Pillars, Threat Categories and Risk Criteria that could be measured consistently against Key Risk Indicators (KRIs). These could be deployed by location and by business function, and automatically aggregated for reporting to the Executive Leadership Team. The risk results could be viewed by Pillar, by Location, and/or by Business Function.
Furthermore, all the scoring mechanisms could be risk weighted at Pillar, Threat and Criteria levels, giving a fully customised risk model specific to the business, its priorities and risk appetite.
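The weighted, bottom-up aggregation described above (KRI scores rolled up through Criteria, Threat Categories and Pillars, filterable by location and business function), as an added illustrative example in Python; this is not Acuity's own model or code, and every pillar, threat, criterion, weight, location and KRI score below is constructed for illustration.

```python
from collections import defaultdict

# Constructed three-level risk taxonomy with weights at each level
# (pillar weights, threat weights within a pillar, criteria weights
# within a threat). A real model would carry the firm's own taxonomy.
PILLARS = {"Cyber": 0.5, "Legal": 0.3, "Operational": 0.2}
THREATS = {"Cyber": {"Malware": 0.6, "Insider": 0.4},
           "Legal": {"Privacy": 1.0},
           "Operational": {"Outage": 1.0}}
CRITERIA = {"Malware": {"Patch latency": 0.7, "AV coverage": 0.3},
            "Insider": {"Access reviews": 1.0},
            "Privacy": {"DPIA backlog": 1.0},
            "Outage": {"BIA currency": 1.0}}

# Constructed KRI observations: (location, business function, criterion, score 1..5)
KRIS = [
    ("Toronto", "IT", "Patch latency", 4),
    ("Toronto", "IT", "AV coverage", 2),
    ("Toronto", "HR", "Access reviews", 3),
    ("Vancouver", "IT", "Patch latency", 2),
    ("Vancouver", "IT", "AV coverage", 1),
    ("Vancouver", "Legal", "DPIA backlog", 5),
    ("Toronto", "Ops", "BIA currency", 3),
]

def _wmean(pairs):
    """Weighted mean of (weight, value) pairs, ignoring levels with no data."""
    pairs = [(w, v) for w, v in pairs if v is not None]
    total = sum(w for w, _ in pairs)
    return sum(w * v for w, v in pairs) / total if total else None

def risk_profile(location=None, function=None):
    """Roll KRIs up criterion -> threat -> pillar -> total, optionally
    restricted to one location and/or one business function. Returns a
    dict of pillar scores plus a "Total"; None marks a level with no KRI data."""
    by_crit = defaultdict(list)
    for loc, fn, crit, val in KRIS:
        if (location is None or loc == location) and (function is None or fn == function):
            by_crit[crit].append(val)
    crit_score = {c: sum(v) / len(v) for c, v in by_crit.items()}
    threat_score = {t: _wmean((w, crit_score.get(c)) for c, w in crits.items())
                    for t, crits in CRITERIA.items()}
    pillar_score = {p: _wmean((w, threat_score.get(t)) for t, w in ts.items())
                    for p, ts in THREATS.items()}
    pillar_score["Total"] = _wmean((w, pillar_score[p]) for p, w in PILLARS.items())
    return pillar_score

if __name__ == "__main__":
    for view in (None, "Toronto", "Vancouver"):
        print(view or "Firm-wide", risk_profile(location=view))
```

Changing a weight at any level re-prioritises the roll-up without touching the underlying KRIs, which is how a risk appetite is expressed in such a model.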
A full working system, including graphical output and reporting was delivered within 3 months as a first draft, and further customised based upon ELT feedback once they had fully understood the system capability.
Subsequently Acuity has invested in development of a fully automated ERM module within its SaaS application for fast deployment and ease of management.
A high technology engineering company, designing and racing Formula 1 cars.
The parent company, with 60% ownership, mandated that the company should either adopt its global information security policies, or demonstrate compliance by achieving certification to the International Standard ISO 27001.
As a design and manufacturing company, driven by a race calendar and marketing pressure from sponsors, they have one ambition: to win races and the championship. Access to senior management was restricted and resources driven by weekly and monthly short-term priorities.
Acuity was able to implement a full Information Security Management System (ISMS) with total management commitment and support, but with minimal disruption and in a very compressed timescale. Through the process it was identified that their Business Continuity Management did not meet the ISO 27001 requirements. As such, the project scope had to be expanded to carry out a Business Impact Assessment (BIA) to validate critical processes, systems and resources.
Rather than do a minimal job, Acuity took the opportunity to merge the BIA risk profiles with the information security risks formulating into an Enterprise Risk Management (ERM) model for the Board to more easily digest and prioritise areas for further investment and risk reduction.
The entire project was completed using Acuity’s management system methodology with less than 2 man-months of effort, including successful achievement of external audit and Stage 1 Certification to ISO 27001.