Safe, secure and certified

While most companies in the region are still getting to grips with security basics, the UAE's Al Batha Group has just completed certifying its operations under the ISO 27001:2005 standard.

By Imthishan Giado. Published May 9, 2009


As the curtain falls on the free-spending days of IT departments, enterprises are increasingly choosing to re-examine their priorities and make adjustments to their infrastructure through strategy as opposed to acquisition.

One aspect that is often neglected is that of security, with many firms focusing on beefing up their systems only after an incident has taken place. That's an accusation which cannot be levelled at the UAE's Al Batha Group, which has just completed the installation of an information security management system based on the comprehensive ISO 27001:2005 standard.

One of the largest private business groups in the UAE with more than 28 individual companies, Al Batha Group counts many well-known multi-nationals among its ranks in a variety of verticals, including the automotive and educational sectors. The firm is well known for being one of the more prominent SAP users in the region, with a relationship that stretches back more than 12 years.

Al Batha's general manager for group information technology, Saji Oommen, details the firm's extensive infrastructure: "Here in the central system, we have around 12-16 servers for the SAP main application, plus a number of servers for the many other supporting applications - communication servers, middleware and so on. We also have our disaster recovery site in Dubai. We have duplicated most of the applications and databases we have here," he explains.

The firm's main office is in Sharjah and is currently the only site covered by the new 27001 certification, although the firm has about 55 locations in total. The core IT team consists of 15 professionals administering close to 800 users, in addition to separate IT teams in the individual companies.

Al Batha first began the search for an information security framework three years ago, partly out of a need to build a system that could support the wide array of systems, applications and infrastructure present in the group's companies.

Although Oommen says that there have been no major incidents, he believes that is not a good enough reason to neglect security.

"That doesn't mean anything. Minor incidents definitely keep happening - could be a virus, could be different things. Now we have a lot of clarity on that thanks to ISO 27001, because we have to classify our risks and also the assets which we have. Anything that stops the operations is a severe risk - that's a major incident for us," he says.

"At the end of the day, Jilesh Jose being the security administrator, he wants to have a good sleep in the night. What normally keeps people awake is some sort of fear of the unknown. Maybe it's all secure but we don't really know if it is secure or not. So we need to have a very structured, formal, standardised approach where we can look into all the risks involved, assess them, and put some controls in place in a very systematic manner so that we can rest assured that we have security in place," he continues.

Planning for the system started in 2006 and the certification was received in 2008. Unlike many organisations looking for similar certifications, Oommen clarifies that there was no commercial motive behind the firm's need for ISO 27001.

"When you talk about a bank going for 27001 certification, they've got certain advantages in terms of the customer confidence - the customer feels more confident dealing with that bank if he feels that it's quite secure. We didn't have that need, we wanted to make our systems quite secure," he explains.

"We thought that we should fix all the gaps, rather than identifying the gap and saying that we are working on that. That's the most time-consuming task, when we completely revamped our security infrastructure. We brought in a lot of hardware and software solutions in place and initiated a lot of new processes," continues Oommen.

After the identified holes in the security were closed, Oommen and his team completed a detailed risk assessment for the company, then mapped the ISO 27001 controls into the various areas. Finally, the firm devised a risk mitigation plan which details what the remaining risks might be and how to manage them, along with the accompanying set of documentation.

Although he is not able to disclose the cost of the project, he does reveal that it largely depends on the number of controls implemented: "What sort of compliance do you require? ISO talks about 133 controls. You can say that maybe only 50 are applicable to me, or 132 are applicable. For example, if you have a significant stake in a B2B business, then the B2B controls have to be in place. It depends on what the business demands."

Al Batha Group engaged Paramount Computer Systems as the consultants on the project. They conducted the initial penetration test and profitability analysis and then moved onto overseeing the entire certification project. Although other consultants were considered, Oommen says their relationship with Paramount was the primary driver for their selection.

"We have been working with Paramount from at least 2004 and have seen that they have done this type of work before, have the experience and showed the confidence that they can do it again. The other two [consultants] also had some competencies definitely in this area. But we also need to have some sort of relationship with the consultants that we are going to work with," he notes.

Jilesh Jose, information security administrator, was entrusted with the task of overseeing the project and says that there were no major challenges during implementation, in part due to the comprehensive training he mandated for the users.

"The group company heads were given training on information security. Team leaders were told how to improve their daily operations, while in-house training was done by us as part of the IT scope. It was quite a lot of effort," he relates.

Now that the project is complete, Oommen is considering the next target for the certification process.

"The scope of the certification has not been extended to all locations. We possibly will roll out to different locations. Primarily, it applies to the head office in Sharjah. We have to roll it out in a selective manner and look at the priorities which the different companies require," he says.

"It increased security awareness among the users and helped them understand the importance of security. In terms of our image with our principals, that also has definitely improved. It's a very prestigious certification. It also afforded us an opportunity to benchmark ourselves with the competition, with other mature players in the market. Previously, we asked ourselves: Are we secure? We could say yes or no, but there is no measure. Here we can talk about the standard to which we have just complied and say where we stand with reference to that," he adds.

"It's been a very interesting experience for us - an eye-opener sometimes, the chance to look at things in a different way. It has paved a very strong foundation for our future activities because the requirements in the company are growing so fast. Security becomes an afterthought and difficult to manage. Now whenever we do any new contracts or projects, a security dimension comes in as part of the project, not after the fact," concludes Oommen.

anish salam

My hearty congratulations for this achievement. I think your company is one of the first local companies other than banks and government getting this world's highest-level certification in information security. But needless to say, two years for this project for an organization like yours was too long. Again, congrats for achieving this certification.
