Image Promo description

Register to use our site and access free newsletters, book events and lots more.

You don't have to be a member to use our site. Already registered? Login here

Become a member today

The Chartered Institute of Housing is the independent voice for housing and the home of professional standards

Top tips to develop an information security programme


Great news! Your organisation’s leadership has agreed to an information security programme. But where should you begin? And when, they ask, will it end?

KeyboardYour employees spend their days using a mobile or desktop device. They access information using your applications and transfer data across your network. Given that most of the security solutions in the market are focused on device, application and network/infrastructure security, isn’t that a good place to start?

Well, certainly technology has a part to play. But at Catalyst our approach is to initially focus on the information that matters most to us and the people that use it. That’s because we know that users cause 70% of the breaches, and because it’s the information that’s of value to our organisation that any adversaries will be after.

We’ve organised our programme into three distinct work areas:

  • Security foundations
  • Business process
  • Tools and technology

At the moment, as we’re still at the beginning of our journey, much of our work is focusing on security foundations. For us that means governance, policies, awareness/cultural change, data protection and information protection (classification and handling).


Our programme is governed by an information security board, comprised of our leadership team. Below it, we have an information security working group (ISWG) comprised of senior colleagues from across the business. Our ISWG provides feedback, supports decision making and, crucially, provides insight on the activities and needs of the business.


We’re working to get key policies in place that will underpin the work to come. At Catalyst, some policies need to be created from scratch while others need substantial revision and updating.

Awareness and cultural change

To provide us with additional resources to support our in-house communications team, we’ve teamed up with an external communications agency. With their help, we’ve created a clear identity for the programme and are currently delivering a new information security topic each quarter, supported by leaflets, pull-up banners and a presentation for cascade within our teams.

Data protection

This is another area where we’ve needed external support, this time with a firm of solicitors with extensive experience in data protection. They have helped us review our privacy and data protection policies, and are delivering a programme of training – initially for our frontline workers – that our colleagues are finding not only extremely useful but also great fun.

Information protection

Information protection is about the way we classify and subsequently handle our information. With the help of our information security working group we’ve agreed a simple classification scheme with just three levels (confidential, restricted and unrestricted). We’re also trialling a classification tool that will enable our employees to immediately classify emails and documents as they create them. Our classification and information handling policies are still a work in progress.

So back to that burning question. When will it end? With our business constantly changing, and threats to information security constantly evolving, our programme can never truly end – though of course many of our security measures will pass into ‘business as usual’. Rather than actually seeking ISO 27001 accreditation, our approach is to align ourselves to the good practice set out by the framework. We expect that the initial journey to take around three years for our programme as a whole.

Adrian Leung
Head of information security, Catalyst Housing

Please log in to comment

Your comments

No comments made yet

Join today

We’re here to help you make a difference. Join CIH today and discover your potential


Fire safety

All the latest info and fire safety resources for housing professionals


The new housing apprenticeships

With a century of experience equipping housing professionals with the skills they need to do the brilliant work they do, we can help you make the most of the new housing apprenticeships – whatever stage of the journey you are at.