ISO 27001 - Three years of lessons learned
Implementing an information security management system in a low regulation environment
Richard Bartlett, Head of the Clinical School Computing Service, University of Cambridge.
Introduction
In 2015 we embarked on a project to certify our ‘safe haven’ to ISO/IEC 27001:2013. This is why we chose the standard, how it helped us achieve our aims, and what we’d do differently next time.
Caveat auditor
Richard Bartlett : University of Cambridge : ISO 27001 3
I am not an expert in implementing the standard. A more accurate description of my understanding would be ‘enthusiastic consumer’.
Why we chose ISO 27001
Part 1 – someone’s bright idea
•We already had a ‘safe haven’ which was accredited under the Health and Social Care Information Centre (HSCIC) Information Governance Toolkit
•This environment was secure(ish), but only based on ‘common sense’ and the requirements of the toolkit itself
•A grant award at the Clinical School meant we needed to establish a link between the hospital network and the University
•We now needed to increase the level of assurance in proportion to the risk, so what next?
Why we chose ISO 27001
Part 2 – using our network
•The standard is comprehensive, but we were a small team, and universities don’t rush towards regulation
•The first breakthrough was a chance conversation at the Jisc NHS-HE Information Governance Working Group which provided a vital precedent
This bullet point was sponsored by Jisc, providing digital solutions for UK education and research
•The next step was identifying a consultant. We did our due diligence and the most compelling option was the consultant UCL had used, David Brewer
•We did some feasibility work with David, which confirmed that yes, it was possible for us to implement the standard with the limited resources available
Project Summary
Resources
•1.0 FTE Senior Security Engineer
•0.5 FTE Project Manager
•Access to the Infrastructure Team of 3x Network and 4x Server staff
•20 days of consulting
Management Support
•Head of Department = Project Senior Responsible Officer
•Management Team = Project Steering Group
•Joint highest priority project in the department
Timeline
•January 2015 – Funding secured
•August 2015 – Project kick off
•July 2016 – Stage One audit
•September 2016 – Stage Two audit and certification
What ISO 27001 did for us
The standard makes you consider ..
•The needs and expectations of interested parties, (including) legal and regulatory requirements and contractual obligations
•The scope of the information security management system
•Leadership and commitment (including appropriate policy and objectives, directing and supporting, continual improvement)
•Roles, responsibilities and authorities
Which helped us by ..
•Making us start with stakeholders and requirements. Who were we doing this for? What did they need?
•Clearly identifying what we needed to manage. This proved absolutely vital later on
•Giving me (a huge security nerd) an active role in the project, managing people and things (but not securing anything)
•Deciding who would actually be doing the work, and what resources were required (spoiler: this didn’t work)
What ISO 27001 did for us (continued)
•Information security risk assessment (including criteria for risk assessment and risk acceptance)
•Awareness (of those doing work under the organization’s control)
•Monitoring, measurement, analysis and evaluation (what is measured, how, when and by whom)
•Internal audit (a programme of internal audits which checks for compliance with the organization’s requirements and those of the standard)
•Management Review (regular reviews of the management system by the management team)
•Giving us a more structured and comprehensive approach to risk
•Stopping us prioritizing specialist technical skills over the vital broader understanding in the team
•Forcing us to measure the success of the system. Did it work? How do we know? What is success?
•Ensuring we checked our own work before anyone else did! An extensive programme of internal audit is why we passed our external audits
•Keeping the Management Team continually engaged well past certification is why we passed our continual assessments
Problems we hit ..
And how ISO 27001 helped
We didn’t get a lot of the management system elements right the first time, or the second, or the third, or ..
The monitoring and measurement, internal audits and management reviews helped discover those flaws and fix them.
We experienced significant turnover, including key technical staff and our dedicated security resource (just after certification).
The management system gave us visibility of workload, continuity of process and an audit trail. Result: no knowledge gaps.
Next time ..
This is what we’d do differently
•Avoid single points of failure and put more effort into robust succession planning
•Ring-fence staff to give them time to spend on risk assessment, risk treatment, audits etc.
•Invest more time into building awareness amongst key stakeholders
•Put more emphasis on continuous improvement and the lifecycle of the management system in staff training, and avoid the feeling of ‘box ticking’
Key takeaways
Robust internal audits got us through our external audits
Controlling our scope controlled the cost and risk of implementation
Management Reviews helped us maintain focus through certification and beyond
You CAN implement an ISO 27001:2013 Information Security Management System with a small team
Speaker notes
HSCIC IGT replaced by the NHS Digital Data Security and Protection Toolkit.
There was a lot of room for improvement in the toolkit, with significant gaps in assurance.
The grant required the transfer of patient data from the new Electronic Patient Record system into University systems (for storage, processing and analysis).
The standard filled gaps in the HSCIC IG Toolkit (most if not all of which are now closed in the DSPT)
That conversation was with Bridget Kenyon (then Head of Information Security at UCL, now Global CISO at Thales eSecurity), who had already implemented the standard, with a small team, in a University. This meant we knew it was possible.
David Brewer literally wrote the book on implementing ISO 27001, and he is a UK representative to the international team who developed the standard.
Now we had a project
The ISMS should be something everyone knows about, and everyone can operate within if they need to.
Staff need time to do assurance properly, and ring-fencing them gives them that time, and me awareness of the cost of operating the system.
Key stakeholders are vital to sustaining support for the system, so make sure they understand the value of the ISMS in their own terms.
We have struggled to maintain quality and momentum, and next time we’ll make sure we focus on the continuous cycle, rather than just hitting certification.
Scope is so vital. Don’t include in scope what you can’t control. Don’t include in scope what you don’t need to control. The ISMS organisation can be an entire institution “or part thereof”. Keeping HR out of scope, and the NHS whom we couldn’t control was vital.
You save time if you audit everything before the external auditors do, otherwise you have to put more time in between stage one and two fixing things.
Keep the management team engaged. No top down support will lead to failure.
You can do this with a small team, IF you keep the scope proportionate!