NRS Healthcare ISO 27001 & PCI DSS Case Study

6th Apr, 2017

The Challenge

NRS Healthcare is the UK’s leading provider of disability aids and mobility equipment. Its 800 employees work across over 50 local authority contracts and deliver over 1.4 million products into people’s homes each year.

As it holds some personal data about users of products, the company already had information policies and procedures in place but wanted to ensure its approach to risk reduction was robust through ISO 27001.

NRS embarked on the ISO 27001 process in 2012 and engaged with us early on to look at the company’s existing Information Security Management System. On top of this, as they provide services to the NHS, they are required to complete the NHS IG Toolkit.

Our Approach

Given the nature of their business, the long-term relationships NRS builds with clients mean their reputation is crucial, and any security breach could be damaging.

Upon assessing the scope of the project, it was clear that NRS had the vast majority of the technical controls in place, and it made financial sense for the client to improve upon these rather than build a new system. The main objectives for us were tightening up some processes and making minor upgrades to physical security at some of their sites away from head office.

The Outcome

NRS currently has certification covering eleven sites and will be adding a further three sites early next year. Their certified ISMS goes substantially beyond just the IT systems and covers the entire estate, a key differentiator in a competitive market, demonstrating their commitment to information security.

The work that we conducted with them in building a “common-sense” and “business as usual” ISO 27001 management system meant that they were able to quickly complete the NHS IG Toolkit, using many of the controls and processes established for ISO 27001. NRS completed the toolkit with a score of 100%.

Gemserv also worked with NRS on PCI DSS compliance. It is not something they are yet being asked to have in place, but they wanted to get ahead of the game and be ready if and when they are.

Taking a proactive approach to PCI DSS is enabling NRS to plan the implementation of controls in line with business requirements.