
ISO 27001 - three years of lessons learned

  1. ISO 27001 - Three years of lessons learned. Implementing an information security management system in a low-regulation environment. Richard Bartlett, Head of the Clinical School Computing Service, University of Cambridge.
  2. Introduction. In 2015 we embarked on a project to certify our ‘safe haven’ to ISO/IEC 27001:2013. This is why we chose the standard, how it helped us achieve our aims, and what we’d do differently next time.
  3. Caveat auditor. I am not an expert in implementing the standard. A more accurate description of my understanding would be ‘enthusiastic consumer’. (Slide footer: Richard Bartlett : University of Cambridge : ISO 27001)
  4. Why we chose ISO 27001, Part 1 – someone’s bright idea
     • We already had a ‘safe haven’ which was accredited under the Health and Social Care Information Commissioner (HSCIC) Information Governance Toolkit
     • This environment was secure(ish), but only based on ‘common sense’ and the requirements of the toolkit itself
     • A grant award at the Clinical School meant we needed to establish a link between the hospital network and the University
     • We now needed to increase the level of assurance in proportion to the risk, so what next?
  5. Why we chose ISO 27001, Part 2 – using our network
     • The standard is comprehensive, but we were a small team, and universities don’t rush towards regulation
     • The first breakthrough was a chance conversation at the Jisc NHS-HE Information Governance Working Group, which provided a vital precedent (this bullet point was sponsored by Jisc, providing digital solutions for UK education and research)
     • The next step was identifying a consultant. We did our due diligence and the most compelling option was the consultant UCL had used, David Brewer
     • We did some feasibility work with David, which confirmed that yes, it was possible for us to implement the standard with the limited resources available
  6. Project Summary
     Resources: 1.0 FTE Senior Security Engineer; 0.5 FTE Project Manager; access to an Infrastructure Team of 3x Network and 4x Server staff; 20 days of consulting.
     Management support: Head of Department = Project Senior Responsible Officer; Management Team = Project Steering Group; joint highest-priority project in the department.
     Timeline: January 2015 – funding secured; August 2015 – project kick-off; July 2016 – Stage One audit; September 2016 – Stage Two audit and certification.
  7. What ISO 27001 did for us. The standard makes you consider:
     • The needs and expectations of interested parties, including legal and regulatory requirements and contractual obligations
     • The scope of the information security management system
     • Leadership and commitment (including appropriate policy and objectives, directing and supporting, continual improvement)
     • Roles, responsibilities and authorities
     Which helped us by:
     • Making us start with stakeholders and requirements. Who were we doing this for? What did they need?
     • Clearly identifying what we needed to manage. This proved absolutely vital later on
     • Giving me (a huge security nerd) an active role in the project, managing people and things (but not securing anything)
     • Deciding who would actually be doing the work, and what resources were required (spoiler: this didn’t work)
  8. What ISO 27001 did for us (continued). The standard makes you consider:
     • Information security risk assessment (including criteria for risk assessment and risk acceptance)
     • Awareness (of those doing work under the organization’s control)
     • Monitoring, measurement, analysis and evaluation (what is measured, how, when and by whom)
     • Internal audit (a programme of internal audits which checks for compliance with the organization’s requirements and those of the standard)
     • Management review (regular reviews of the management system by the management team)
     Which helped us by:
     • Giving us a more structured and comprehensive approach to risk
     • Stopping us prioritizing specialist technical skills over the vital broader understanding in the team
     • Forcing us to measure the success of the system. Did it work? How do we know? What is success?
     • Ensuring we checked our own work before anyone else did! An extensive programme of internal audit is why we passed our external audits
     • Keeping the Management Team continually engaged well past certification is why we passed our continual assessments
  9. Problems we hit .. and how ISO 27001 helped. We didn’t get a lot of the management system elements right the first time, or the second, or the third, or .. The monitoring and measurement, internal audits and management reviews helped discover those flaws and fix them. We experienced significant turnover, including key technical staff and our dedicated security resource (just after certification). The management system gave us visibility of workload, continuity of process and an audit trail. Result: no knowledge gaps.
  10. Next time .. This is what we’d do differently
     • Avoid single points of failure and put more effort into robust succession planning
     • Ring-fence staff to give them time to spend on risk assessment, risk treatment, audits etc.
     • Invest more time in building awareness amongst key stakeholders
     • Put more emphasis on continuous improvement and the lifecycle of the management system in staff training, and avoid the feeling of ‘box ticking’
  11. Key takeaways
     • Robust internal audits got us through our external audits
     • Controlling our scope controlled the cost and risk of implementation
     • Management Reviews helped us maintain focus through certification and beyond
     • You CAN implement an ISO 27001:2013 Information Security Management System with a small team
  12. Richard Bartlett, Head of the Clinical School Computing Service

Editor’s notes

  1. Pun intended
  2. HSCIC IGT replaced by the NHS Digital Data Security and Protection Toolkit. There was a lot of room for improvement in the toolkit, with significant gaps in assurance. The grant required the transfer of patient data from the new Electronic Patient Record system into University systems (for storage, processing and analysis).
  3. The standard filled gaps in the HSCIC IG Toolkit (most if not all of which are now closed in the DSPT). That conversation was with Bridget Kenyon (then Head of Information Security at UCL, now Global CISO at Thales eSecurity), who had already implemented the standard, with a small team, in a University. This meant we knew it was possible. David Brewer literally wrote the book on implementing ISO 27001, and he is a UK representative to the international team who developed the standard. Now we had a project.
  4. Keep this slide brief
  5. The ISMS should be something everyone knows about, and everyone can operate within if they need to. Staff need time to do assurance properly, and ring-fencing them gives them that time, and gives me awareness of the cost of operating the system. Key stakeholders are vital to sustaining support for the system, so make sure they understand the value of the ISMS in their own terms. We have struggled to maintain quality and momentum, and next time we’ll make sure we focus on the continuous cycle, rather than just hitting certification.
  6. Scope is so vital. Don’t include in scope what you can’t control. Don’t include in scope what you don’t need to control. The ISMS organisation can be an entire institution “or part thereof”. Keeping HR out of scope, and the NHS, which we couldn’t control, was vital. You save time if you audit everything before the external auditors do; otherwise you have to put more time in between stage one and stage two fixing things. Keep the management team engaged. No top-down support will lead to failure. You can do this with a small team, IF you keep the scope proportionate!