ISO 27001 - Three years of lessons learned
Implementing an information security management system in a low regulation environment
Richard Bartlett
Head of the Clinical School Computing Service, University of Cambridge.
Introduction
In 2015 we embarked on a project to certify our ‘safe haven’ to ISO/IEC 27001:2013.
This is why we chose the standard, how it helped us achieve our aims, and what we’d do differently next time.
Caveat auditor
Richard Bartlett : University of Cambridge : ISO 27001 3
I am not an expert in implementing the standard.
A more accurate description of my understanding would be enthusiastic consumer.
Why we chose ISO 27001
Part 1 – someone’s bright idea
• We already had a ‘safe haven’ which was accredited under the Health and Social Care Information Commissioner (HSCIC) Information Governance Toolkit
• This environment was secure(ish), but only based on ‘common sense’ and the requirements of the toolkit itself
• A grant award at the Clinical School meant we needed to establish a link between the hospital network and the University
• We now needed to increase the level of assurance in proportion to the risk, so what next?
Why we chose ISO 27001
Part 2 – using our network
• The standard is comprehensive, but we were a small team, and universities don’t rush towards regulation
• The first breakthrough was a chance conversation at the Jisc NHS-HE Information Governance Working Group which provided a vital precedent
This bullet point was sponsored by Jisc, providing digital solutions for UK education and research
• The next step was identifying a consultant. We did our due diligence and the most compelling option was the consultant UCL had used, David Brewer
• We did some feasibility work with David, which confirmed that yes, it was possible for us to implement the standard with the limited resources available
Project Summary
Resources
1.0 FTE Senior Security Engineer
0.5 FTE Project Manager
Access to Infrastructure Team of 3x Network and 4x Server staff.
20 days of Consulting
Management Support
Head of Department = Project Senior Responsible Officer
Management Team = Project Steering Group
Joint highest priority project in the department
Timeline
January 2015 – Funding Secured
August 2015 – Project kick off
July 2016 – Stage One Audit
September 2016 – Stage Two Audit and certification
What ISO 27001 did for us
The standard makes you consider ..
• The needs and expectations of interested parties, (including) legal and regulatory requirements and contractual obligations
• The scope of the information security management system
• Leadership and commitment (including appropriate policy and objectives, directing and supporting, continual improvement)
• Roles, responsibilities and authorities
Which helped us by ..
• Making us start with stakeholders and requirements. Who were we doing this for? What did they need?
• Clearly identifying what we needed to manage. This proved absolutely vital later on
• Giving me (a huge security nerd) an active role in the project, managing people and things (but not securing anything)
• Deciding who would actually be doing the work, and what resources were required (spoiler: this didn’t work)
What ISO 27001 did for us (continued)
• Information security risk assessment (including criteria for risk assessment and risk acceptance)
• Awareness (of those doing work under the organization’s control)
• Monitoring, measurement, analysis and evaluation (what is measured, how, when and by whom)
• Internal audit (a programme of internal audits which checks for compliance with the organization’s requirements and those of the standard)
• Management Review (regular reviews of the management system by the management team)
• Giving us a more structured and comprehensive approach to risk
• Stopping us prioritizing specialist technical skills over the vital broader understanding in the team
• Forcing us to measure the success of the system. Did it work? How do we know? What is success?
• Ensuring we checked our own work before anyone else did! An extensive programme of internal audit is why we passed our external audits
• Keeping the Management Team continually engaged well past certification is why we passed our continual assessments
Problems we hit ..
And how ISO 27001 helped
We didn’t get a lot of the management system elements right the first time, or the second, or the third, or ..
The monitoring and measurement, internal audits and management reviews helped discover those flaws and fix them.
We experienced significant turnover, including key technical staff and our dedicated security resource (just after certification).
The management system gave us visibility of workload, continuity of process and an audit trail. Result: no knowledge gaps.
Next time ..
This is what we’d do differently
• Avoid single points of failure and put more effort into robust succession planning
• Ring-fence staff to give them time to spend on risk assessment, risk treatment, audits etc.
• Invest more time into building awareness amongst key stakeholders
• Put more emphasis on continuous improvement and the lifecycle of the management system in staff training, and avoid the feeling of ‘box ticking’
Key takeaways
Robust internal audits got us through our external audits
Controlling our scope controlled the cost and risk of implementation
Management Reviews helped us maintain focus through certification and beyond
You CAN implement an ISO 27001:2013 Information Security Management System with a small team
Richard Bartlett
Head of the Clinical School Computing Service
rb467@cam.ac.uk
Editor’s notes

  1. Pun intended.
  2. The HSCIC IGT was replaced by the NHS Digital Data Security and Protection Toolkit. There was a lot of room for improvement in the toolkit, with significant gaps in assurance. The grant required the transfer of patient data from the new Electronic Patient Record system into University systems (for storage, processing and analysis).
  3. The standard filled gaps in the HSCIC IG Toolkit (most if not all of which are now closed in the DSPT). That conversation was with Bridget Kenyon (then Head of Information Security at UCL, now Global CISO at Thales eSecurity), who had already implemented the standard, with a small team, in a University. This meant we knew it was possible. David Brewer literally wrote the book on implementing ISO 27001, and he is a UK representative to the international team who developed the standard. Now we had a project.
  4. Keep this slide brief.
  5. The ISMS should be something everyone knows about, and everyone can operate within if they need to. Staff need time to do assurance properly, and ring-fencing them gives them that time, and gives me awareness of the cost of operating the system. Key stakeholders are vital to sustaining support for the system, so make sure they understand the value of the ISMS in their own terms. We have struggled to maintain quality and momentum, and next time we’ll make sure we focus on the continuous cycle, rather than just hitting certification.
  6. Scope is so vital. Don’t include in scope what you can’t control. Don’t include in scope what you don’t need to control. The ISMS organisation can be an entire institution “or part thereof”. Keeping HR out of scope, and the NHS, whom we couldn’t control, was vital. You save time if you audit everything before the external auditors do; otherwise you have to put more time in between stage one and stage two fixing things. Keep the management team engaged. No top-down support will lead to failure. You can do this with a small team, IF you keep the scope proportionate!