Select regional store:

London Pensions Fund Authority

London Pensions Fund Authority (LPFA) achieves ISO27001 and ISO14001 certifications 6 months ahead of deadline

This case study shows how IT Governance helped LPFA achieve ISO27001 certification. Enter your email address at the bottom of this page if you would like a PDF version of this case study. Call us on +44 (0) 845 070 1750 to discuss your own ISO27001 consultancy requirements.

LPFA Case Study

In the highly-competitive market for pension fund administration, cost-effectiveness and efficiency are the vital components for success. LPFA is, therefore, a cost-conscious and well-run organisation, but also one that is aware of its responsibilities when it comes to protecting the security of data and taking a leadership position in improving its environmental impact. Serving some of the most prestigious pension clients in the UK public sector, and expanding its business through winning commercial tenders, LPFA is committed to demonstrating its good practice through compliance and accredited certification to appropriate standards.

The Board decided in 2010 that the organisation should seek certification to ISO27001, the Information Security Management System (ISMS) Standard, and ISO14001, which addresses the management of an organisation's environmental impact in a comprehensive, systematic, planned and documented manner. IT Governance was chosen to provide a comprehensive mix of consultancy support, training and facilitation for the projects.


LPFA administers its own fund and provides a wide range of services centred on the Local Government Pension Scheme (LGPS) ranging from full pension administration, partnerships with councils, providing scheme communications, hosting of pension websites and the training of administration staff. As part of the continuing process improvement and commercial expansion programme through tender business with local authorities, LPFA’s Board tasked Les Higgs, Business Improvement and Programme Manager, and Data Quality Analyst, Lauren McHugh, with planning and implementing a programme of standards – compliance projects, beginning with the ISO27001 Information Security Standard and the ISO14001 Environmental Management System Standard.

“We were approached at the Infosec Europe 2010 exhibition by Les with regard to security penetration testing services. We offered our ‘pentest’ – a technical method of evaluating the security of a computer system, or network by simulating an attack from malicious outsiders,” says Steve Watkins, Director, Training & Consultancy, at IT Governance. “We carried out the penetration test in 2010 and, when we presented the results, had the opportunity to talk to Les and his colleagues about LPFA’s emerging plans for information management system security and environmental compliance projects. The following year, Les called us, saying that LPFA needed to achieve certification in both ISO27001 and ISO14001 Standards by Q1 of 2012. We were invited back to scope both projects and estimate the costs, before submitting a proposal for the mentoring and in-house training work that would be required.”


To address the requirements of commercial tenders in the public sector and to achieve quality and performance improvements across the enterprise, the LPFA Board determined that a compliance programme should be undertaken.

They chose ISO international standards that are popular, due to being generic (i.e. process-based), meaning that they can be applied to any organisation, across any sector, large or small, and irrespective of whether it produces products or is service related, including charities and the voluntary sector.

Click here to read more »


Les Higgs was impressed with the detail and appropriate handling of the issues in the IT Governance project proposal. He was also persuaded that Steve and his colleagues had the relevant knowledge: “We felt that IT Governance were ‘close to our roots’ in terms of understanding the needs of LPFA and the public sector. They won our account on a purely competitive tender basis against bids from leading professional services companies in the field – and it’s a decision we have never regretted.”

Following an initial project review, IT Governance assigned a consultant with a strong track record in both ISO27001 and ISO14001 compliance projects. Nick Orchiston, a management systems consultant with more than 17 years’ experience, was chosen for his suitability to lead the engagement and introduced to Les and Lauren, who were immediately impressed by his knowledge. Nick has successfully taken organisations similar in profile to LPFA through quality (ISO9001), health & safety (OHSAS18001), environmental (ISO14001) and information security (ISO27001) management systems compliance. He has also supported a wide variety of organisations, from SMEs to global corporations, through to accredited certification to all of these standards.

Click here to read more »


Les is quick to highlight the main benefit of engaging IT Governance. “With ISO27001, we had a contractual deadline of April 2012 to meet in order to secure a major new client contract. Nick brought us to compliance by October 2011. Following the audit conducted by BSI, we had only three minor non-conformities, but a clean bill of health. The sense of a job well done ran all over the organisation. Once again, some of the changes seem fairly small: staff mobiles are now BlackBerrys (more secure), all laptops are encrypted, data is much more organised – hence it does not get lost and/or removed easily, and our clear desk policy means that confidential client information is not left sitting around waiting to be read by any unauthorised parties. Likewise, when we transfer documents, a series of confidentiality checks are applied. We have a quarterly management review to see if the measures are working and what we can do to improve security. ISO27001 has brought significant and beneficial cultural change – an issue which our customers are taking very seriously, as reputational damage can have a huge impact. We are winning new business because we are being responsible – and can demonstrate it!”

Click here to read more »

Next Steps

LPFA is now planning to extend its compliance programme to include several other standards, including BS25999 Business Continuity Management.

The last word should go to Les: “IT Governance has been an invaluable partner to LPFA. We want them to work with us in the future”.

“IT Governance has been an invaluable partner to LPFA. We want them to work with us in the future.”

Download this case study now

To get a PDF version of this case study enter your email address below and we will send you a copy straight away.

Just as we have helped LFPA achieve ISO27001 and ISO14001 compliance on time and within budget so we can help you. Call us now on 00 800 48 484 484.

This website uses cookies. View our cookie policy