A local government had received an audit report that raised a number of security compliance issues. It needed an assessment of the business risk it might be facing and a prioritised implementation roadmap to support its digitisation objectives.
The client had received an auditor's report on its ISO27001 compliance. The report took a purely compliance-based view and did not consider the business, commercial and reputational risks, or the future state that Council was moving towards. As a result, the client required a business risk assessment that took these elements into account and provided a prioritised implementation roadmap of improvements.
The client’s Information Services Branch was embarking on a Futures Architecture Project to support digital services to be provided to the community and external partners. An initial cyber security impact report had been completed, but it did not fully explore the business impacts or the security architecture considerations of such a digital future. Council’s Futures Architecture had to comply with industry methods and standards while maintaining the agility and efficiency needed for Council to continue providing efficient services to its customers, community and staff.
Information professionals embarked on a business risk assessment, utilising the ISO27001 and PCI standards. The ISO31000 risk management standard was adopted, and a risk matrix was developed specifically for the project. This risk matrix was then integrated into the corporate risk register. Both internal and external stakeholders had to be consulted so that the development and implementation of the architecture reflected current-state risk and future-state plans, and remained adaptable going forward. An implementation roadmap was required to allow progressive investment in the work: to immediately address the most urgent areas, and to stage ongoing improvements in line with Council's capacity and the Futures Architecture Project.
The outcome of this engagement enabled Council to manage the impacts on its business while moving forward efficiently with its critical digital initiatives and sharing information across Council, ensuring business process continuity. It also prevented attention and resources from being spent on areas that might not be fully compliant but would ultimately make no difference to Council’s current or future risk profile.
The report was circulated, reviewed and approved by staff, management and Council’s Audit Committee. It provided the CIO and their team, Councillors and the Audit Committee with a balanced view of compliance considerations, risks and strategic objectives, giving them the agility necessary to move forward.