
IG Toolkit and ISO27001 for research

Trevor Peacock, UCL School of Life & Medical Sciences

30th September 2015

UCL environment

•  UCL School of Life & Medical Sciences (SLMS)
  –  Large organisation: SLMS is the biggest school in UCL, with 5,000-6,000 staff and ~3,000 honoraries
  –  Highly devolved
•  Centralised information governance structure
  –  Senior Information Risk Owner (SIRO) appointed
  –  IG Steering Group and IG Lead (me) to manage the framework
  –  Studies adopt the IG framework, with IG responsibility delegated to the PI (IAO)
•  Data Safe Haven project began in 2012; went ‘live’ Sept 2013
•  Support services
  –  Dedicated Data Safe Haven IT infrastructure
  –  Training and awareness – rolling programme of IG training events
  –  Advisory Service – supports researchers in adopting the IG Framework and in undertaking IG Toolkit submissions

The HSCIC IG Toolkit

•  Standard tool for IG compliance across the NHS
•  Required from 2013 for researchers requesting data from the HSCIC
•  Very prescriptive
•  Includes sets of requirements for different types of participating organization
•  14 requirements in three categories:
  –  IG Management
  –  Confidentiality and Data Protection Assurance
  –  Information Security Assurance
•  Need to score 2 or above against each requirement
  –  0 = no evidence
  –  1 = evidence of controls
  –  2 = evidence of controls in place and in operation
  –  3 = evidence of controls in place, in operation and improving over time


ISO27001:2013 - why we did it

•  Already have a working IG framework in place that works for the IG Toolkit
•  Broader acceptance than the IG Toolkit, e.g. DfE NPD
•  Scope accurately reflects requirements and can adapt as they change
•  Can integrate requirements of the IG Toolkit or other legal / regulatory requirements
•  Externally audited and certified to a standard
•  Competitive advantage for UCL


ISO27001:2013 - overview

•  2013 version released late 2013; 2005 version ends 1st Oct 2015
•  Framework for managing information security requirements
•  Not a set of technical requirements!
•  Implementation depends on objectives and scope
•  The standard
  –  22 pages
  –  Two main parts:
    1) Requirements of the standard – 7 sections, items 4 to 10 (9 pages)
    2) Annex A – 114 controls (13 pages)
  –  Requirements are mandatory
  –  Controls from Annex A must be considered in the context of a Risk Treatment Plan
  –  The Risk Treatment Plan is one of the requirements of the standard


ISO27001:2013 – some terminology

•  Conformance / non-conformance
  –  Evidence that a requirement of the standard or a required control is / is not implemented
•  Information Security Management System (ISMS)
  –  Term for the collection of policies, procedures, responsibilities and resources that implement the requirements of the standard
•  Organisation
  –  Clearly defined in relation to the ISMS
  –  Includes ‘Top Management’
•  Statement of Applicability (SOA)
  –  Justification for inclusion or exclusion of Annex A controls
•  Scope
  –  Certification, Organisation, ISMS


ISO27001:2013 – confusion

•  ISO27001 compliant
  –  we’ve had a go, but not gone for certification (meaningless)
•  ISO27001 certified
  –  we’ve been successfully externally audited and are recognised as conforming to the standard
•  ISO27001 accredited
  –  this applies to certification bodies, such as BSI, LRQA etc., who certify others
•  ISO27002
  –  Implementation guidance for controls


ISO27001:2013 – certification process

•  Develop your ISMS
•  Internal audit – one or more iterations
•  External Stage 1 audit
  –  focus on documented information and compliance with the standard
  –  major non-conformities will require re-audit
  –  minor non-conformities and observations must be addressed before Stage 2
•  External Stage 2 audit
  –  focus on implementation and operation of controls
  –  major non-conformities will result in failure to achieve certification (this time)
  –  minor non-conformities and observations must be addressed in a Corrective Action Plan
•  Certification – valid for 3 years
  –  Annual surveillance audit
•  Took 5 months to Stage 1, then another month to Stage 2


ISO27001:2013 – how we did it

•  Define the scope of the ISMS
  –  3 levels of scope
  –  Interested parties
  –  Internal and external


ISO27001:2013 – how we did it

•  Iterative process
•  Build a ‘conformance matrix’ – yet another spreadsheet
  –  Link each requirement in the standard to an owner
  –  Record all documents that relate to that requirement
  –  Gap analysis and record of actions
•  SOA – first draft, based on existing controls
  –  Assigned owners to each control, which they reviewed
•  Identify key areas of risk through workshops
  –  Arrived at a list of 11 key risks, e.g. user deliberately or accidentally leaks information; premises break-in; power failure
  –  Used UCL’s existing corporate risk model
•  Determine objectives for the ISMS
  –  Includes actions held in the IG Toolkit improvement plan
  –  Identify metrics for measuring and reporting performance against objectives, e.g. number of teams using the Data Safe Haven

ISO27001:2013 – how we did it

•  Add appropriate terms to existing policies etc.
  –  Reference to performance metrics in the IG Policy and IG Steering Group ToR
  –  Addition of ‘root cause’ to the action log
•  Internal audit
  –  Focus on key items, e.g. Risk Treatment Plan
  –  ‘Big picture’ – is everything the standard requires in place?
•  Review of SOA based on outcome of audit
  –  Check implementation of applicable controls is adequate
•  Second internal audit
•  Iterate


ISO27001:2013 – what we learnt

•  Engage with the certification body early on
  –  Early in the v2013 lifecycle, so few qualified auditors
  –  Can be long-winded
•  Get expert help
  –  Someone who has ‘been there and done it’
  –  Project Manager to orchestrate the process
  –  Support in producing the required documentation
•  Don’t underestimate the time required and don’t rush the process
  –  Expertise is tied to busy people
  –  Time to gain familiarity with new terminology and change of approach
•  Be very clear about scopes: Organisation, Certification & ISMS
  –  Lack of clarity can lead to confusion later on
  –  Needs to support objectives


ISO27001:2013 – what we learnt

•  Start small and engage top management early in the process
  –  They need to approve changes
  –  Stage 2 audit includes an interview with top management
•  Don’t feel you have to use templates for your documents
  –  Feedback from audit noted that our documents were based on actual requirements
  –  Everything you need is in the standard
•  Expect anything in the external audit
  –  Ensure everyone involved understands their role and is consistent
  –  Auditor met with end-users of the system
•  Don’t assume non-applicable controls aren’t implemented
  –  Sometimes they’re non-applicable because the control is already in place


ISO27001:2013 – next steps

•  Let it bed in
  –  Internal audit will drive refinement
•  Map ISO27001:2013 controls to IG Toolkit evidence
  –  Align processes
  –  Simplify
•  Take advantage of the ISO ‘Common Text’
  –  Same text and document structure for all standards
  –  Once one is done, straightforward to manage others, e.g. Business Continuity
•  Maintain our certification!


Where to find out more

IG Toolkit
•  NHS-HE Forum Information Governance Working Group: https://community.jisc.ac.uk/groups/nhs-he-forum-connectivity-project/article/nhs-he-information-governance-working-group

ISO27001:2013
•  Lots of websites…
•  The standard: your university may have it in their electronic library collection
•  Plenty of ISO27001 courses out there: BSI, IT Governance, LRQA

Questions
