The British Assessment Bureau ISO27001 logo

ISO/IEC 27001 – Information Security Management

May 27th, 2016

The ISO 27000 family of standards helps organizations keep information assets secure.

Using this family of standards helps organisations manage the security of assets such as financial information, intellectual property, employee details or information entrusted to them by third parties.

ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).

We are very pleased to announce that we have been formally awarded the ISO27001 accreditation for the management of the Microsoft Exchange email system on 23rd May 2016!

This is a significant achievement that is a direct reflection of the commitment and positive collaboration shown by all those involved in the ISO Project.

Why ISO27001?

We understand how important it is to provide assurance to our partners that our products and services are delivered in a safe and secure manner.

A number of governance frameworks already exist which are intended to provide such assurances (e.g. NHS Information Governance Toolkit (IGT), Cyber Security Essentials etc.). However the ‘industry standard’ is ISO27001:2013. The framework is designed to ensure that these processes are embedded within the organisation and that improvements in control and governance are adopted as new risks and threats are identified.

LHIS has been considering the need to provide the highest level of assurance concerning the delivery of its services and, therefore, has been seeking the ISO27001 accreditation for a defined area within its portfolio of services. To support other healthcare initiatives and national projects, this area was identified as the secure management of the Microsoft Exchange email system. This allowed LHIS to understand the implications of acquiring the ISO accreditation and also support strategic healthcare plans by complying with HSCIC security standards (e.g. ISB1596 Secure Email Standard).

What was involved?

The ISO project was initiated in autumn 2015 by bringing together a number of technical and support staff from LHIS operational services. In many instances, the programme of work required the review of existing policies and procedures to make sure they addressed the specific requirements of the ISO standard.

In a small number of cases, new policies were developed to document processes and procedures, whilst others were expanded and amended accordingly. This was quite a time-consuming exercise, but the positive collaboration of the team resulted in a shared approach which reduced the pressure on individual contributors. With the knowledge, skills and experience of the staff involved, we were also able to conduct this exercise without the need for external consultants or specialist input, which reduced the costs and timescales dramatically!

In May 2016, we were visited by the ISO compliance auditor, who conducted the first phase review. The accreditation audit normally requires two visits, the first of which is a ‘gap analysis’ and the second the accreditation review. In this instance only one visit was required!

Following this success, LHIS is now considering the further exploitation of the knowledge and experience acquired. This will result in the expansion of the ISO27001 process into other service areas and the potential adoption of related standards (e.g. ISO9000 Quality Management).