
Case Study ISO 27001 Certification
ISO 27001 Implementation
Customer: Laing O’Rourke
Industry: Engineering and Construction
Services: ISO 27001 Implementation
Challenges
- Demonstrate robust information security practices aligned to an international industry standard to potential customers.
- Unify complex and unique security practices across the organisation’s global operations.
Outcome
- Laing O’Rourke unified three global regions under a single Information Security Management System (ISMS) that is certified to ISO 27001:2022.
- It now has a globally certified ISMS that will allow it to bid for more opportunities and win work in any of its operating regions.

Laing O’Rourke
Laing O’Rourke is an international engineering and construction company delivering state-of-the-art infrastructure and building projects across the United Kingdom (UK), United Arab Emirates (UAE) and Australia.
Laing O’Rourke aims to be a force of positive change in the industry and to push the boundaries of what’s possible, in service of humanity.
The challenge
Laing O’Rourke was facing increasing demand from potential clients to demonstrate it had robust information security management practices in place. Defence industries were particularly interested in seeing Laing O’Rourke demonstrate its information security posture.
Due to its size and operations in the UK, UAE and Australia, Laing O’Rourke had differing approaches and maturities towards its information security practices. It sought to unify these approaches into a single global system.
The solution
CyberCX supported Laing O’Rourke to unify its approach to information security – which spanned across three global regions – with a single ISMS certified to ISO 27001:2022. The solution took nearly 14 months to implement and involved a multi-layered approach, including:
- Assisting Laing O'Rourke with developing robust governance to manage its information security program, including starting an Information Security Working Group and an Information Security Steering Committee.
- Assessing over 90 varying policies, procedures, registers and other documentation across the three regions to determine internal variances and identify key gaps in security practices. From this, CyberCX consolidated down to approximately 20 policies and procedures in the resulting ISMS that are applicable worldwide.
- Inspecting Laing O'Rourke's physical sites in person across Australia, the UK and the UAE for alignment to the relevant physical controls from ISO 27001, and determining remediation activities that were required on a site-by-site basis.
- Undertaking a comprehensive internal audit of the ISMS prior to certification to independently validate it was operational and would pass certification.
- Ensuring the ISMS was not only compliant with ISO 27001, but also assisting Laing O’Rourke in operationalising it and embedding it into BAU operations. The ISMS structure also allows for continuous improvement, so Laing O’Rourke’s information security posture may strengthen as the cyber landscape evolves.
The outcome
By partnering with CyberCX, Laing O’Rourke was able to consolidate and unify three global regions under a single ISMS that is aligned to the latest version of ISO 27001 (ISO 27001:2022).

ISO 27001 is the leading global standard for information security management systems. By gaining this certification Laing O’Rourke has strengthened its security posture in all regions it operates in.
The certification has allowed Laing O’Rourke to demonstrate with confidence to its clients, and potential clients, that it takes information security seriously.
This commitment to security management gives Laing O’Rourke a competitive advantage, positioning it better to win bids for opportunities in any of its regions and priority sectors, including the defence space where this is of critical importance.

“CyberCX was instrumental in getting Laing O’Rourke ISO 27001 certified. The team demonstrated an exemplary level of professionalism, expertise and dedication to the project’s success.”
James Fields
Deputy CISO

