ISO 27001 Project

1

Red Island Consulting
ISO Standards Executive Briefing
to UKeHA
Special Interest Group
Management System Specialists
11/19/2009 54746 AM
2
ISO 9001, ISO 20000, ISO 27001

• What are they?
• What are the benefits?
• What are the NHS saying?
• How does that affect your organisation?

3
ISO 9001 Best Practice in Quality Management

• What is it?
• ISO 9001 is the internationally recognised
  standard for the quality management of
  businesses.
• It applies to the business processes that create
  and control the products and services an
  organisation supplies.
• It prescribes systematic control of activities to
  ensure that the needs and expectations of
  customers are met.
• It is designed and intended to apply to virtually
  any product or service, made by any process
  anywhere in the world.
• Largely an installed base (35,000 UK
  registrations)
• Yesterdays news?

4
ISO 9001

• What are the benefits?
• Implementing a Quality Management System will
  motivate staff by defining their key roles and
  responsibilities.
• Cost savings can be made through improved
  efficiency and productivity, as product or
  service deficiencies will be highlighted.
• From this, improvements can be developed,
  resulting in less waste, inappropriate or
  rejected work and fewer complaints.
• Customers will notice that orders are met
  consistently, on time and to the correct
  specification.
• This can open up the market place to increased
  opportunities.

5
ISO 9001

• What are the NHS saying and how does it affect
  you?
• NHS Purchasing and Supply Agency advocate best
  practice
• Do you supply product?
• Office Furniture, IT hardware and Software,
  Medical Equipment Supplies, Foodstuffs, Call
  offs etc..
• Does the NHS care about quality of these
  products?
• Does it care about customer service it receives?
  
• Do they want to track orders placed?
• Is it mentioned on tenders?
• ISO 9001 could be important

6
ISO 20000 Best Practice in IT Service Management

• What is it?
• The formulation of ITIL practices into an
  international standard
• Management of 13 key IT services to meet business
  requirements (predominantly
  internally focused)
• Specifies a number of closely related processes
  that brought together will help ensure that an
  organisation delivers managed IT services to its
  internal customers
• Comprehensive but not exhaustive
• Planning, implementing, monitoring, improvement
  of new and changed services

7
ISO20000

• 13 Key Processes

8
ISO 20000

• What are the benefits?
• A consistent approach to service management
• IT service provision becomes measurable and
  accountable
• Consistent levels of service are agreed
• Improved communication flows between IT and the
  business
• IT gain better understanding of the business
  requirement
• Reduced risk of business failure
• A reduction in the number of avoidable and repeat
  incidents
• Higher availability of systems and services

9
ISO 20000

• What are the NHS saying and how does it affect
  you?
• The NHS uses ISO 20000 as a requirement for
  outsourced IT services in its larger contracts.
  Only companies with ISO 20000 accreditation will
  be considered source BSi
• National Programme for IT Service Management
  (NPfIT SM) has specified ISO20000 for its
  suppliers (Local Service Providers etc.) - source
  The role of the NPfIT interim Helpdesk
• NPfIT SM have recommended ITIL is adopted
  throughout the NHS for service management
  activities within Cluster Offices, SHAs and all
  Trusts
• Are you an Application Service provider?
• Do you provide Helpdesk services to NHS clients?
• Does ISO 20000 appear on tender documents?
• ISO 20000 could be important

10
ISO 27001 Best Practice in Information Security

• What is it?
• A risk assessment of the threats to an
  organisations/customer information assets
• Selection and implementation of effective and
  relevant policy and control
• Continuous review and effective improvement
• Total information security risk management
• Risk Allocation- contracts,SLAs etc.
• Risk Mitigation-Security and control practices
• Risk Transfer-Insurance Liability
• Risk Assurance- audit certification
• Risk Acceptance-formal, transparent
• Protects the confidentiality, integrity and
  availability of organisational/third party
  information

11
ISO 27001

• What are the benefits?
• Reduction in possibly damaging/embarrassing
  information leaks and failures
• Total risk mitigation, security of brand equity
• Reduction in costs due to fewer security
  incidents
• Contractual compliance (NHS Contracts)
• Move risk to third parties
• Common policies and control across the whole
  organisation
• Increased staff awareness, involvement and
  empowerment
• Better monitored and audited systems and
  information flows
• The risk of prosecution is significantly reduced
• Systemised for life
• Protects Board, staff and organisation
• Its big in the NHS!!!

12
ISO27001

• What are the NHS saying and how does it affect
  you?
• Recommended by CfH for all Trusts
• Underpins NHS Trusts Information Governance
  directives (Caldicott etc.)
• Demonstrates compliance to N3 code of connection
• Contractual obligation for NPfIT Local Service
  Providers (LSPs)
• Obligatory for sub contractors of application
  services (PACs, RIS, PAS etc) through LSPs
• Contractual obligation for suppliers to the
  Extended Choice Network (ECN)
• Recommended/obligatory for Independent Sector
  Treatment Centre providers
• Recommended for all organisations exposed to
  Patient Identifiable Information and/or hospital
  information

13
ISO27001

• What are the NHS saying and how does it affect
  you?
• Do you have access to Patient Identifiable
  Information?
• Do you contract to LSP?
• Are you connected to NHS networks?
• Do your staff work at NHS sites?
• Does ISO27001 appear on tender documents?
• ISO27001 could be Essential

14
The ISO P-D-C-A Model
15
ISO27001

• Information is the lifeblood of an organisation.
  Identifying and protecting that information is
  the essence of ISO27001
• Information Assets exist in many forms
• Content, container, carrier
• Databases, applications, registries IT systems
• Legal, Board Organisational records
• Intellectual property
• Reputation
• People
• There are three aspects of Information Security
• Confidentiality- Protecting information from
  unauthorized disclosure
• Integrity- Protecting information from
  unauthorized modification and ensuring accuracy
  and completeness.
• Availability- Ensuring information is available
  when you need it

16
ISO27001

• Information Risk Management
• Board directors and executive management have a
  duty to protect the organisations information
  assets from risk.
• Once identified, a thorough Risk Assessment on
  these assets in accordance with ISO27001 will
  show how.
• Risk Allocation- contracts,SLAs etc.
• Risk Mitigation-Security and control practices
• Risk Transfer-Insurance Liability
• Risk Assurance- audit certification
• Risk Acceptance-formal, transparent
• A thorough risk assessment of your information
  assets provides the basis for your Information
  Security Management System (ISMS).
• ISO27001-Your security strategy.

17
ISO27001-Seven key steps to certification

• Asset ID
• Business Impact Analysis
• Risk Assessment
• Risk Treatment Plan
• Policy Procedure Documentation (ISMS)
• Implementation Awareness
• Certification Audits

18
3 Tiers of an ISMS (typically)

• Policy Guidance-Applies to all staff
• Email internet
• Handling information
• Reporting incidents/weaknesses
• Controls Procedures-Applies to specific
  functions
• Data back up, AV, build, change control,
  firewalls-IT
• Recruitment, training, staff starter/leaver-HR
• Compliance with contracts/SLAs,
  legislation-Legal
• Maintaining monitoring ISMS
• Security Forum-Each function/Dept represented
• Internal audits
• Investigating and learning from security
  incidents/weaknesses
• Security Officer
• The ISMS will change organically with the
  organisation to ensure continual improvement

19
Red Island ConsultingEuropes leading
providers of ISO27001 certification services

• ISO270012005 Certified
• ISO27001 Lead Auditors
• S-cat listed (as part of The Xansa Consortium)
• BSI Associate ISO27001 Consultancy Scheme member
• SGS approved consultants
•  HMG GSi NHS N3 connectivity auditors
•  Cabinet Office ITPC Scheme approved third party
  training provider
•  (ISC)² CPE Scheme approved third party training
  provider
•   UKs only UKAS/IRCA approved 5 day ISO27001
  Lead Auditor Course
• CESG CLAS approved Information Security
  Consultants as members of the CESG listed
  advisor scheme
•  Sponsor members of the British Quality
  Foundation

20
Any Questions ?