www.cenbank.org Central Bank of Nigeria to deliver the highest standards of Information Security BSI Case Study Central Bank of Nigeria, Nigeria ISO/IEC 27001 Information Security Management ISO 22301 Business Continuity

Background The Central Bank of Nigeria occupies a central position in the economic and social development of Nigeria. The mandate of the Central Bank of Nigeria (CBN) is derived from the 1958 Act of Parliament, as amended in 1991, 1993,1997,1998,1999 and 2007. The CBN Act of 2007 of the Federal Republic of Nigeria charges the Bank with the overall control and administration of the monetary and financial sector policies of the Federal Government.

The objects of the CBN are as In addition to its core functions, Aims of the ISMS follows: CBN has over the years performed • Improved security, protecting • ensure monetary and price some major developmental clients’ assets, resources and stability; functions, focused on all the key people sectors of the Nigerian economy • issue legal tender currency in • An assurance framework aligned (financial, agricultural and industrial Nigeria; with global best practice sectors). Overall, these mandates • maintain external reserves to are carried out by the Bank through • Enforcing compliance with safeguard the international value its various departments. Information Security standards of the legal tender currency; and policies within the There are currently 2,379 organization • promote a sound financial system employees in the Head Office in Nigeria; and Building; however the Bank has a • Greater information security • act as Banker and provide total of 6,996 employees across 37 awareness economic and financial advice to branches nationwide. the Federal Government. Benefits of the ISMS Consequently, the Bank is Its services include issuing legal • Demonstrate leadership in charged with the responsibility of tender currency; maintaining compliance with information administering the Banks and Other external reserves; safeguarding security standards Financial Institutions (BOFI) Act the international value of the • Provide systematic safeguards for (1991) as amended, with the sole legal tender currency; promoting CBN’s information assets aim of ensuring high standards monetary stability and a sound • Improved security and a of banking practice and financial financial system in Nigeria; and stability through its surveillance reduction in risk through better acting as banker and financial understanding activities, as well as the promotion adviser to the federal government. • Enhanced CNB’s reputation not of an efficient payment system. CBN was founded in 1959 and is just at the national level but at headquartered in Abuja, Nigeria. the international level

Central Bank of Nigeria aims to:

• Become the model Central Bank • Deliver price stability conducive to economic growth By • Achieve safe, stable, and sound financial system • Deliver credible, reliable & efficient payment system 2015 BSI Case Study Central Bank of Nigeria, Nigeria ISO/IEC 27001 Information Security Management ISO 22301 Business Continuity

Why adopt ISO 27001? “We are indeed very proud to be ments etc. were formally engaged as part of the Central Bank of Nigeria’s stakeholders with their level of involve- The Central Bank of Nigeria (CBN) success story. This is an affirma- ment and responsibilities specified. is charged with the responsibility of tion that CBN has adopted and The scope and boundaries of the governing the Banks and Other Finan- complied with one of the most cial Institutions (BOFI) Act (1991) as project were clearly defined with all reputable international Informa- exclusions duly stated. Relevant ISMS amended, with the sole aim of ensuring tion Security Management System high standards of banking practice and staff were appropriately trained in standards in the world.” Afolabi Oke preparation for the implementation financial stability through its surveil- (Project Director, GIS) lance activities, as well as the promo- and certification process. tion of an efficient payment system. When the Bank decided to pursue the The Implementation project was As regulator of the Nigerian financial ISO 27001 certification, we further staged into six phases: Charter, Plan, industry and banker of the Federal Gov- engaged Global InfoSwift Limited (GIS) Do, Check, Act & Certify. The whole ernment, the Central Bank of Nigeria based on their pedigree and experi- implementation journey has been quite (CBN) is the custodian of information ence, having led First Bank of Nigeria challenging for the entire team. This of national and international relevance to achieving the certification. We also was overcome by few initiatives: alongside other critical information. held consultations with First Bank of Nigeria consequent to the success- • Continuous information security It is therefore necessary, in line with ful implementation of the ISO27001 awareness training international best practice, to have standard in its organisation. Their • Performing Risk assessments by an appropriate and systematic man- recommendations were duly con- identifying risks to information as- agement framework to adequately sidered alongside the results of gap sets per department and determining protect this information (information analysis that was performed. Subse- the appropriate risk treatment systems) to ensure continuous confi- quently, GIS assumed the responsibility dentiality, availability and integrity. It is of determining who they will partner • Establishing a Risk Assessment Re- equally imperative that CBN protect its with to carry out the project. Based on port for each of the 27 departments information systems from unauthor- their experience and success in other in the Bank ized access, use, disclosure, disrup- organisations, they recommended Brit- • Implementing the Abriska Risk tion, modification, perusal, inspection, ish Standards Institution (BSI) as the Management tool, which is tailored recording or destruction. appropriate solution provider. to satisfy compliance with the The motivation to implement the “It was definitely a challenging pro- ISO27001 standard ISO27001 Standard emerged from cess however, due to top manage- the need for CBN to take the lead in ment commitment and support, • Ensuring relevant staff were ap- compliance with information security staff cooperation and participation, propriately trained in the use and best practices in line with its status as and of course the unrelenting effort management of the Abriska tool the regulator of the Financial Services of the ISMS Secretariat, the Bank • Establishing ISO Change Champions Industry in Nigeria by complying with stood as one entity and overcame in all the departments to coordinate an appropriate and systematic man- this challenging task.” Taiwo Longe the activities of the project in their agement framework to adequately (Chief Information Security Officer, various departments protect the Bank’s information assets. CBN) Also, to leverage on the opportunity for • Conducting various Risk Assessment/ continuous operational excellence that Treatment workshops will yield positive result on investment. Getting started • Implementing all the necessary con- The CBN in conjunction with the Bank- Prior to commencing implementation trols identified as quick wins ers’ Committee is working on the Fi- of the ISO27001 ISMS within CBN, an • Addressing all the nonconformities nancial Services Industry Infrastructure information security gap analysis was as a result of the two audits carried Programme (IITP), in order to stimulate conducted by Global InfoSwift Ltd and out improvements in IT services, opera- the results used as a baseline for de- tions and management. The ISO27001 termining the ISMS project approach. • Establishing a Business Continuity Standard was identified as one of the IT Subsequently, top management com- Plan for the Bank standards within the Financial Ser- mitment was imperative from project • Adopting all the recommendations vices IITP. The process was initiated by inception which was evidenced by made during the audit exercises engaging a consultant, Global InfoSwift involvement of the Governors at the Limited (GIS), to carry out an Informa- ISMS Project kick-off meeting and tion Security Gap Analysis on the Bank’s constitution of various committees entire infrastructure and applications. at management level. Various depart- The outcome of the gap analysis gave ments such as Risk Management, a roadmap where the Bank needed to Security Services, Human Resources, move in terms of its Information Secu- Finance, and Legal Services Depart- rity Management System. BSI Case Study Central Bank of Nigeria, Nigeria ISO/IEC 27001 Information Security Management ISO 22301 Business Continuity

CBN has a total of twenty seven (27) BSI’s role The initial risk assessments that the departments; Groups called the Infor- CBN carried out as part of its imple- mation Security Forum (ISF) and ISO The Central Bank of Nigeria decided to mentation of the management system Champions were constituted, consist- work with BSI on the recommendation have ensured that risks to the organi- ing of at least three members from of GIS. As authors of the original stan- zation’s information are now under- each of the 27 departments. As each dard for information security (BS 7799) stood at a much more granular level department was duly represented, it was felt that BSI was best positioned and are being properly managed. the members of the ISF were tasked to provide certification. Folakemi Fatogbe, Director of Risk with ensuring that each member of The BSI helped provide a clear under- Management Department, CBN their respective departments was standing of what the Bank’s responsi- commented: “We took a pro-active adequately informed about the project. bilities were and how taking ownership approach to Risk Assessment and Furthermore, top-management (includ- of the process was to be approached. Management through the use of ing the Governors) was completely They equally offered guidance on Risk Management tools, leading to devoted to the success of the project; unclear areas and provided necessary a more structured Risk Treatment this was actively communicated to all information that duly equipped us for Plan.” members of staff. Consequently, the preparedness for the process. level of employee participation through The CBN’s implementation of ISO/IEC the awareness campaign and sessions BSI also provided capacity building for 27001 ensures that the strategic objec- conducted across the Bank amounted members of staff across the 27 depart- tive of the bank, i.e. to be the model to 100%. There were few internal ments by providing the Lead Auditor, Central Bank delivering Price and resources required to implement the Lead Implementer and Internal Auditor Financial System Stability and promot- system: trainings. ing sustainable economic development, • People becomes more easily achievable. It was necessary to ensure that the ISO27001 awareness campaign Conclusion reached every member of staff of the John Ayoh, Director Information Tech- Head Office, detailing what their roles nology Department, CBN explains: “For and responsibilities are. this phase of the Information Secu- rity Program, we will definitely say Awareness sessions were held for top that we have achieved our immedi- management and Directors of the 27 ate objective of establishing the departments. Information Security Management • Processes System. However, we do recognise It was crucial to guarantee that all that the onus is on us to ensure a documents within the Bank were duly continuous improvement process; controlled, including inserting the the effort is still on-going to guar- metadata page antee that the ISMS is adequately • Technology maintained and sustained.” During the process, CBN utilized technology by driving awareness cam- Implementing ISO 27001 helped CBN paigns through the use of: establish a leadership position as finan- The Bank’s Intranet – Banknet cial regulators not just at the national The ISMS portal level but at the international level. It Deployment of a series of also gives CBN’s stakeholders a level Information Security screen savers of assurance in knowing that controls Announcements via the Public have been implemented in ensuring Address System by Corporate the safety and security of their infor- Communications Department mation assets.

Your business could benefit from ISO/IEC 27001 just like ISO/IEC 27001 Central Bank of Nigeria. Information Security To find out more, visit www.bsigroup.ae/ISO27001 Management

+971 4 3364917 The BSI Assurance Mark can be used on your bsigroup.ae stationery, literature and vehicles when you have successfully achieved certification