TRANSCRIPT
IG Toolkit and ISO27001 for research
Trevor Peacock, UCL School of Life & Medical Sciences
30th September 2015
UCL environment
• UCL School of Life & Medical Sciences (SLMS)
– Large organisation: SLMS is the biggest school in UCL, with 5,000-6,000 staff and ~3,000 honoraries
– Highly devolved
• Centralised information governance structure
– Senior Information Risk Owner (SIRO) appointed
– IG Steering Group and IG Lead (me) to manage the framework
– Studies adopt the IG framework, with IG responsibility delegated to the PI (IAO)
• Data Safe Haven project began in 2012; went ‘live’ Sept 2013
• Support services
– Dedicated Data Safe Haven IT infrastructure
– Training and awareness – rolling programme of IG training events
– Advisory Service – supports researchers in adopting the IG Framework and in undertaking IG Toolkit submissions
The HSCIC IG Toolkit
• Standard tool for IG compliance across the NHS
• Required from 2013 for researchers requesting data from the HSCIC
• Very prescriptive
• Includes sets of requirements for different types of participating organisation
• 14 requirements in three categories:
– IG Management
– Confidentiality and Data Protection Assurance
– Information Security Assurance
• Need to score 2 or above against each requirement:
– 0 = no evidence
– 1 = evidence of controls
– 2 = evidence of controls in place and in operation
– 3 = evidence of controls in place, in operation and improving over time
ISO27001:2013 – why we did it
• Already have a working IG framework in place that works for the IG Toolkit
• Broader acceptance than the IG Toolkit, e.g. DfE NPD
• Scope accurately reflects requirements and can adapt as they change
• Can integrate requirements of the IG Toolkit or other legal / regulatory requirements
• Externally audited and certified to a standard
• Competitive advantage for UCL
ISO27001:2013 – overview
• 2013 version released late 2013; 2005 version ends 1st Oct 2015
• Framework for managing information security requirements
• Not a set of technical requirements!
• Implementation depends on objectives and scope
• The standard:
– 22 pages
– Two main parts:
1) Requirements of the standard – 7 sections, items 4 to 10 (9 pages)
2) Annex A – 114 controls (13 pages)
– Requirements are mandatory
– Controls from Annex A must be considered in the context of a Risk Treatment Plan
– The Risk Treatment Plan is itself one of the requirements of the standard
ISO27001:2013 – some terminology
• Conformance / non-conformance
– Evidence that a requirement of the standard or a required control is / is not implemented
• Information Security Management System (ISMS)
– Term for the collection of policies, procedures, responsibilities and resources that implement the requirements of the standard
• Organisation
– Clearly defined in relation to the ISMS
– Includes ‘Top Management’
• Statement of Applicability (SOA)
– Justification for inclusion or exclusion of Annex A controls
• Scope
– Certification, Organisation, ISMS
ISO27001:2013 – confusion
• ISO27001 compliant – we’ve had a go, but not gone for certification (meaningless)
• ISO27001 certified – we’ve been successfully externally audited and are recognised as conforming to the standard
• ISO27001 accredited – this applies to certification bodies, such as BSI, LRQA etc., who certify others
• ISO27002 – implementation guidance for controls
ISO27001:2013 – certification process
• Develop your ISMS
• Internal audit – one or more iterations
• External Stage 1 audit
– Focus on documented information and compliance with the standard
– Major non-conformities will require re-audit
– Minor non-conformities and observations must be addressed before Stage 2
• External Stage 2 audit
– Focus on implementation and operation of controls
– Major non-conformities will result in failure to achieve certification (this time)
– Minor non-conformities and observations must be addressed in a Corrective Action Plan
• Certification
– Valid for 3 years
– Annual surveillance audit
• Took 5 months to Stage 1, then another month to Stage 2
ISO27001:2013 – how we did it
• Define the scope of the ISMS
– 3 levels of scope
– Interested parties – internal and external
ISO27001:2013 – how we did it
• Iterative process
• Build a ‘conformance matrix’ – yet another spreadsheet
– Link each requirement in the standard to an owner
– Record all documents that relate to that requirement
– Gap analysis and record of actions
• SOA – first draft, based on existing controls
– Assigned owners to each control, which they reviewed
• Identify key areas of risk through workshops
– Arrived at a list of 11 key risks, e.g. user deliberately or accidentally leaks information; premises break-in; power failure
– Used UCL’s existing corporate risk model
• Determine objectives for the ISMS
– Includes actions held in the IG Toolkit improvement plan
– Identify metrics for measuring and reporting performance against objectives, e.g. number of teams using the Data Safe Haven
ISO27001:2013 – how we did it
• Add appropriate terms to existing policies etc.
– Reference to performance metrics in the IG Policy and IG Steering Group ToR
– Addition of ‘root cause’ to the action log
• Internal audit
– Focus on key items, e.g. Risk Treatment Plan
– ‘Big picture’ – is everything the standard requires in place?
• Review of SOA based on outcome of audit
– Check implementation of applicable controls is adequate
• Second internal audit
• Iterate
ISO27001:2013 – what we learnt
• Engage with the certification body early on
– Early in the v2013 version lifecycle, so few qualified auditors
– Can be long-winded
• Get expert help
– Someone who has ‘been there and done it’
– Project Manager to orchestrate the process
– Support in producing the required documentation
• Don’t underestimate the time required and don’t rush the process
– Expertise is tied to busy people
– Time to gain familiarity with new terminology and change of approach
• Be very clear about scopes: Organisation, Certification & ISMS
– Lack of clarity can lead to confusion later on
– Needs to support objectives
ISO27001:2013 – what we learnt
• Start small and engage top management early in the process
– They need to approve changes
– Stage 2 audit includes an interview with top management
• Don’t feel you have to use templates for your documents
– Feedback from audit noted that our documents were based on actual requirements
– Everything you need is in the standard
• Expect anything in the external audit
– Ensure everyone involved understands their role and is consistent
– Auditor met with end-users of the system
• Don’t assume non-applicable controls aren’t implemented
– Sometimes they’re non-applicable because the control is already in place
ISO27001:2013 – next steps
• Let it bed in
– Internal audit will drive refinement
• Map ISO27001:2013 controls to IG Toolkit evidence
– Align processes
– Simplify
• Take advantage of the ISO ‘Common Text’
– Same text and document structure for all standards
– Once one is done, it is straightforward to manage others, e.g. Business Continuity
• Maintain our certification!
Where to find out more
• IG Toolkit
– NHS-HE Forum Information Governance Working Group: https://community.jisc.ac.uk/groups/nhs-he-forum-connectivity-project/article/nhs-he-information-governance-working-group
• ISO27001:2013
– Lots of websites…
– The standard: your university may have it in its electronic library collection
– Plenty of ISO27001 courses out there: BSI, IT Governance, LRQA