Secure critical ISO standard compliance certifications for a highly complex data centre with multiple third party interactions and a global reach.
Pure Data Centres Group Ltd (PDCG) has established a Tier 4 data centre that is designed to host mission critical servers and computer systems, with fully redundant subsystems (cooling, power, network links, storage etc.) and compartmentalised security zones controlled by biometric access controls. PDCG has leased a major proportion of the data hall to a third party that provides integrated managed data services linking people, places and clouds through delivering a fully integrated range of cloud, data centre, connectivity and voice services.
As part of their agreement, PDCG not only provides the physical building infrastructure, but also the physical and soft security for the facility along with the operational management of the site. As a Tier 4 data centre, they guarantee a 99.995 percent availability with just 26.3 minutes of downtime per year.
PDCG's clients require them to be certified to ISO 9001:2015 and ISO 27001:2013, but the organisation also recognises the value of increasing the coverage of the standards across its global operation.
- Analyse and review the current client business procedures in order to support the technical authoring of the ISO 9001:2015 Quality Management Manual (QMM) and the ISO 27001 Information Security Management System (ISMS)
- Implement a Quality Management System (QMS) in accordance with ISO 9001:2015
- Implement an Information Security Management System in accordance with ISO 27001:2013
- Support the implementation of the management systems by:
  - Conducting appropriate Internal Audits
  - Supporting the internal Management Review
  - Supporting the external Stage 1 and Stage 2 Assessments conducted by an external certification body
Activities
Implementation of ISO 9001:15 and 27001:13
SA Group consultants worked closely with ISO leads at Pure Data Centre to implement the required ISO standards, during which we:
- Engaged at management level to ensure the appropriate resource was supplied and that implementation of the standards across PDCG Birmingham was seen to be supported.
- Defined the scope, objectives and effectiveness metrics in conjunction with the PDCG ISO team.
- Conducted gap-analysis and gained an understanding of the existing documented policies, processes and procedures.
- Developed quality and security policies & processes that enabled the management systems to be implemented successfully and ensured that they remained appropriate to the business needs and requirements.
- Risk Assessment:
  - Defined and implemented the risk assessment methodology for the ISMS and commenced implementing the QMS policy that had been endorsed.
  - For ISO 27001:13 a Statement of Applicability was developed, verifying the maturity of existing controls and implementing new controls where applicable, appropriate to the risks identified, with a corresponding Risk Treatment Plan (RTP).
  - We then revisited the previously conducted risk assessment and calculated the residual score resulting from the mitigations (controls) deployed. Any risks that remained above the accepted risk thresholds were highlighted to the appropriate management level.
- Training, awareness and competency programmes were developed in consultation with Pure Data Centre's people to ensure continued improvement and compliance with the standards.
- A series of internal audits was conducted to monitor effectiveness, identify improvements and verify internal compliance to the client's own policy and procedures.
- Management reviews were implemented for both standards to check effectiveness prior to the certification body's inspection – this ensured compliance was implemented within the timeframe needed by the client.
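The risk assessment activity above (inherent score, Statement of Applicability, residual score after controls, escalation of anything still above threshold) is easier to see in a worked example. The following is an added illustration, not SA Group's or PDCG's own methodology or register: it assumes a 1 to 5 likelihood and impact scale, a fixed point reduction per implemented control, and an acceptance threshold of 12, none of which the case study states. The Annex A references are real ISO 27001:2013 control numbers; the risks, their scores and the control effects are constructed.

```python
"""ISMS-style risk scoring with residual risk and threshold escalation.

Added illustration, not SA Group's or PDCG's methodology. Assumed (not on the
page): a 1-5 likelihood x 1-5 impact scale, a fixed point reduction per
implemented control, and an acceptance threshold of 12.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)          # assumed 1..5 for both likelihood and impact
ACCEPTANCE_THRESHOLD = 12    # assumed: a residual score above this is escalated


@dataclass(frozen=True)
class Control:
    """One Statement of Applicability (SoA) entry."""
    ref: str                       # ISO 27001:2013 Annex A reference
    applicable: bool               # does the control apply to the organisation?
    implemented: bool              # in place now, or only planned in the RTP?
    likelihood_reduction: int = 0  # assumed fixed effect once implemented
    impact_reduction: int = 0


@dataclass
class Risk:
    ident: str
    description: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)  # SoA refs mapped to this risk

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.ident}: likelihood and impact must be in 1..5")


def inherent_score(risk):
    """Score before any control is credited."""
    return risk.likelihood * risk.impact


def residual_score(risk, soa):
    """Score after mitigation. Only controls that are both applicable and
    implemented count; controls that are merely planned stay in the RTP and
    do not lower the residual score. Neither factor drops below 1."""
    likelihood, impact = risk.likelihood, risk.impact
    for ref in risk.controls:
        control = soa[ref]
        if control.applicable and control.implemented:
            likelihood -= control.likelihood_reduction
            impact -= control.impact_reduction
    return max(1, likelihood) * max(1, impact)


def risk_treatment_plan(risks, soa):
    """Applicable but not-yet-implemented controls, per risk: the RTP."""
    plan = {}
    for risk in risks:
        pending = [r for r in risk.controls
                   if soa[r].applicable and not soa[r].implemented]
        if pending:
            plan[risk.ident] = pending
    return plan


def escalate(risks, soa, threshold=ACCEPTANCE_THRESHOLD):
    """Risks whose residual score remains above the accepted threshold,
    highest first, for reporting to the appropriate management level."""
    out = []
    for risk in risks:
        residual = residual_score(risk, soa)
        if residual > threshold:
            out.append((risk.ident, inherent_score(risk), residual))
    return sorted(out, key=lambda t: t[2], reverse=True)


def sample_soa():
    """Constructed SoA entries (Annex A refs are real; effects are assumed)."""
    controls = [
        Control("A.11.1.2", True, True, likelihood_reduction=2),    # physical entry controls (biometrics)
        Control("A.12.3.1", True, False, impact_reduction=3),       # information backup: planned, so in the RTP
        Control("A.9.4.2", True, True, likelihood_reduction=1),     # secure log-on procedures
        Control("A.14.2.7", False, False, likelihood_reduction=2),  # outsourced development: not applicable
    ]
    return {c.ref: c for c in controls}


def sample_risks():
    """Constructed risk register entries for a data-centre operator."""
    return [
        Risk("R1", "Unauthorised physical access to the data hall", 4, 5, ["A.11.1.2"]),
        Risk("R2", "Loss of client data after storage failure", 3, 5, ["A.12.3.1"]),
        Risk("R3", "Compromise of remote administration credentials", 4, 4, ["A.9.4.2"]),
        Risk("R4", "Defect introduced by third-party software supplier", 2, 3, ["A.14.2.7"]),
    ]


if __name__ == "__main__":
    soa, risks = sample_soa(), sample_risks()
    for risk in risks:
        print(risk.ident, inherent_score(risk), "->", residual_score(risk, soa))
    print("RTP:", risk_treatment_plan(risks, soa))
    print("Escalate:", escalate(risks, soa))
```

Two points the constructed data is built to show: R3 lands exactly on the threshold and is therefore accepted rather than escalated (the comparison is strictly "above"), and R2 keeps its full inherent score because its backup control is only planned, so it appears in both the Risk Treatment Plan and the escalation list until the control is actually implemented and the assessment is revisited.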
Both the Quality and Information Security Management Systems were implemented, established and received certification within 10 months of commencing the task.
Key to the team's success was an insistence that the standards we put in place should meet not only the ISO standard but also the needs of the business, and that any conflict that arose between these needs should be clearly managed, documented and resolved.