
Case Study ISO 27001 Certification

ISO 27001 Expansion and Certification

Customer: Endeavour Energy
Industry: Energy
Services: ISO 27001 expansion 

 


ISO 27001 Expansion and Certification – Endeavour Energy

Challenges

The need for Endeavour Energy to:

  • Protect electricity distribution assets from disruptions and attacks
  • Build customer trust and confidence by improving its cyber security posture across both Information Technology (IT) and Operational Technology (OT) domains
  • Facilitate the adoption of grid management equipment that enables safe and secure two-way energy flows
  • Comply with the Security of Critical Infrastructure Act 2018 (SOCI Act).

Outcome

  • Compliance with the SOCI Act by expanding the scope of its Information Security Management System (ISMS) across both IT and OT – an Australian first.
  • Achieved ISMS certification to the latest ISO 27001:2022 standard.
  • Improved protection of critical assets such as advanced distribution management systems and secondary systems across 21 physical locations.

Endeavour Energy

Endeavour Energy is responsible for building, maintaining and operating an electricity network that connects 2.7 million people to traditional and renewable energy sources in homes and businesses across Sydney’s greater west, the Blue Mountains, Southern Highlands, the Illawarra and the South Coast of New South Wales. Endeavour Energy is at the forefront of the industry in integrating traditional and renewable energy sources.

The challenge

Endeavour Energy is transitioning from a traditional ‘poles and wires’ business to a distributed system operator as customers connect their own energy resources – such as batteries, inverters and smart hot water systems – in ever increasing numbers to Endeavour Energy’s next-generation grid management equipment. As Australia moves towards a smart grid to facilitate the energy transition, Endeavour Energy is committed to ensuring customers feel confident and cyber-secure when connecting their energy resources to its network.

The energy transition necessitates a seamless integration of Operational and Information Technology (OT and IT). With this integration comes an increased demand for standardised cybersecurity controls across both domains as the previous fragmented controls and standards hindered an enhanced cybersecurity posture and continuous improvement.

The solution

CyberCX supported Endeavour Energy to meet its requirements under the SOCI Act, by implementing an ISMS that covered both IT and OT and was certified to ISO 27001:2022. Pivotal to the project’s success was buy-in from OT and transmission system, asset and physical security management stakeholders, and other key control owners.

CyberCX worked in close collaboration with Endeavour Energy’s Cyber Security team, engaging over 78 key stakeholders across 38 capabilities in the business to ensure a successful and holistic implementation of the ISMS. The initial ISMS implementation journey took 18 months to complete and included:

  • Physical site visits
  • Education and training
  • Identification of critical systems and controls
  • Planning of risk mitigation steps across critical systems, workers and sites.

The outcome

By partnering with CyberCX, Endeavour Energy was able to meet its requirements under the SOCI Act and achieve an Australian-first certification for its ISMS covering both IT and OT. This certification is aligned to the latest version of ISO 27001 (ISO 27001:2022).

Gaining this certification has allowed Endeavour Energy to integrate its cyber security practices across OT and IT networks, enhancing its overall cyber security posture.

Key critical assets are protected, including substations, secondary systems, and advanced distribution management systems, as well as critical functions, including control room operations, physical security, and technology operations.

The project achieved certification for 21 physical locations that hosted Control Rooms, Data Centres, and Training Rooms, including 16 critical substations, ahead of an ambitious target.

Against the backdrop of regulatory changes and a greater public awareness of cyber security and threats to critical infrastructure, the team was able to drive cultural change towards a more open and collaborative engagement across the entire organisation.

The certification allows Endeavour Energy to demonstrate to key stakeholders its commitment to continually improving its cyber security posture, enabling it to be at the forefront of energy transition.

Overall, Endeavour Energy’s uplift in cyber security helps uphold Australia’s national security, as well as economic and social stability.

“CyberCX was instrumental in expanding and uplifting our ISMS – a key building block in our customers’ clean energy transition journey.”

Gijo Varghese
CISO, Endeavour Energy
