
ISO 27001 Project


Slides: 21
Provided by: mandy53


Transcript and Presenter's Notes


Red Island Consulting
ISO Standards Executive Briefing
to UKeHA
Special Interest Group
Management System Specialists
11/19/2009 5:47:46 AM
ISO 9001, ISO 20000, ISO 27001
  • What are they?
  • What are the benefits?
  • What are the NHS saying?
  • How does that affect your organisation?

ISO 9001 Best Practice in Quality Management
  • What is it?
  • ISO 9001 is the internationally recognised
    standard for the quality management of
  • It applies to the business processes that create
    and control the products and services an
    organisation supplies.
  • It prescribes systematic control of activities to
    ensure that the needs and expectations of
    customers are met.
  • It is designed and intended to apply to virtually
    any product or service, made by any process
    anywhere in the world.
  • Largely an installed base (35,000 UK
  • Yesterday's news?

ISO 9001
  • What are the benefits?
  • Implementing a Quality Management System will
    motivate staff by defining their key roles and
  • Cost savings can be made through improved
    efficiency and productivity, as product or
    service deficiencies will be highlighted.
  • From this, improvements can be developed,
    resulting in less waste, inappropriate or
    rejected work and fewer complaints.
  • Customers will notice that orders are met
    consistently, on time and to the correct
  • This can open up the market place to increased

ISO 9001
  • What are the NHS saying and how does it affect
  • NHS Purchasing and Supply Agency advocate best
  • Do you supply product?
  • Office Furniture, IT hardware and Software,
    Medical Equipment & Supplies, Foodstuffs,
    Call-offs etc.
  • Does the NHS care about quality of these
  • Does it care about customer service it receives?
  • Do they want to track orders placed?
  • Is it mentioned on tenders?
  • ISO 9001 could be important

ISO 20000 Best Practice in IT Service Management
  • What is it?
  • The formulation of ITIL practices into an
    international standard
  • Management of 13 key IT services to meet business
    requirements (predominantly
    internally focused)
  • Specifies a number of closely related processes
    that brought together will help ensure that an
    organisation delivers managed IT services to its
    internal customers
  • Comprehensive but not exhaustive
  • Planning, implementing, monitoring, improvement
    of new and changed services

  • 13 Key Processes

ISO 20000
  • What are the benefits?
  • A consistent approach to service management
  • IT service provision becomes measurable and
  • Consistent levels of service are agreed
  • Improved communication flows between IT and the
  • IT gain better understanding of the business
  • Reduced risk of business failure
  • A reduction in the number of avoidable and repeat
  • Higher availability of systems and services

ISO 20000
  • What are the NHS saying and how does it affect
  • The NHS uses ISO 20000 as a requirement for
    outsourced IT services in its larger contracts.
    Only companies with ISO 20000 accreditation will
    be considered (source: BSI)
  • National Programme for IT Service Management
    (NPfIT SM) has specified ISO 20000 for its
    suppliers (Local Service Providers etc.)
    (source: The role of the NPfIT interim Helpdesk)
  • NPfIT SM have recommended ITIL is adopted
    throughout the NHS for service management
    activities within Cluster Offices, SHAs and all
  • Are you an Application Service provider?
  • Do you provide Helpdesk services to NHS clients?
  • Does ISO 20000 appear on tender documents?
  • ISO 20000 could be important

ISO 27001 Best Practice in Information Security
  • What is it?
  • A risk assessment of the threats to an
    organisation's/customer's information assets
  • Selection and implementation of effective and
    relevant policy and control
  • Continuous review and effective improvement
  • Total information security risk management
  • Risk Allocation: contracts, SLAs etc.
  • Risk Mitigation: security and control practices
  • Risk Transfer: insurance, liability
  • Risk Assurance: audit, certification
  • Risk Acceptance: formal, transparent
  • Protects the confidentiality, integrity and
    availability of organisational/third party

ISO 27001
  • What are the benefits?
  • Reduction in possibly damaging/embarrassing
    information leaks and failures
  • Total risk mitigation, security of brand equity
  • Reduction in costs due to fewer security
  • Contractual compliance (NHS Contracts)
  • Move risk to third parties
  • Common policies and control across the whole
  • Increased staff awareness, involvement and
  • Better monitored and audited systems and
    information flows
  • The risk of prosecution is significantly reduced
  • Systemised for life
  • Protects Board, staff and organisation
  • It's big in the NHS!

  • What are the NHS saying and how does it affect
  • Recommended by CfH for all Trusts
  • Underpins NHS Trusts' Information Governance
    directives (Caldicott etc.)
  • Demonstrates compliance with the N3 Code of
    Connection
  • Contractual obligation for NPfIT Local Service
    Providers (LSPs)
  • Obligatory for sub-contractors of application
    services (PACS, RIS, PAS etc.) through LSPs
  • Contractual obligation for suppliers to the
    Extended Choice Network (ECN)
  • Recommended/obligatory for Independent Sector
    Treatment Centre providers
  • Recommended for all organisations exposed to
    Patient Identifiable Information and/or hospital

  • What are the NHS saying and how does it affect
  • Do you have access to Patient Identifiable
  • Do you contract to LSP?
  • Are you connected to NHS networks?
  • Do your staff work at NHS sites?
  • Does ISO27001 appear on tender documents?
  • ISO27001 could be Essential

The ISO P-D-C-A Model
  • Information is the lifeblood of an organisation.
    Identifying and protecting that information is
    the essence of ISO27001
  • Information Assets exist in many forms
  • Content, container, carrier
  • Databases, applications, registries, IT systems
  • Legal, Board & Organisational records
  • Intellectual property
  • Reputation
  • People
  • There are three aspects of Information Security
  • Confidentiality- Protecting information from
    unauthorized disclosure
  • Integrity- Protecting information from
    unauthorized modification and ensuring accuracy
    and completeness.
  • Availability- Ensuring information is available
    when you need it

  • Information Risk Management
  • Board directors and executive management have a
    duty to protect the organisation's information
    assets from risk.
  • Once the assets are identified, a thorough Risk
    Assessment of them in accordance with ISO27001
    will show how to do so.
  • Risk Allocation: contracts, SLAs etc.
  • Risk Mitigation: security and control practices
  • Risk Transfer: insurance, liability
  • Risk Assurance: audit, certification
  • Risk Acceptance: formal, transparent
  • A thorough risk assessment of your information
    assets provides the basis for your Information
    Security Management System (ISMS).
  • ISO27001: your security strategy.

ISO27001-Seven key steps to certification
  • Asset ID
  • Business Impact Analysis
  • Risk Assessment
  • Risk Treatment Plan
  • Policy & Procedure Documentation (ISMS)
  • Implementation & Awareness
  • Certification Audits

3 Tiers of an ISMS (typically)
  • Policy & Guidance: applies to all staff
  • Email & internet
  • Handling information
  • Reporting incidents/weaknesses
  • Controls & Procedures: applies to specific
  • Data back up, AV, build, change control,
  • Recruitment, training, staff starter/leaver-HR
  • Compliance with contracts/SLAs,
  • Maintaining & monitoring ISMS
  • Security Forum: each function/dept represented
  • Internal audits
  • Investigating and learning from security
  • Security Officer
  • The ISMS will change organically with the
    organisation to ensure continual improvement

Red Island Consulting: Europe's leading
providers of ISO27001 certification services
  • ISO 27001:2005 Certified
  • ISO 27001 Lead Auditors
  • S-cat listed (as part of The Xansa Consortium)
  • BSI Associate ISO27001 Consultancy Scheme member
  • SGS approved consultants
  • HMG GSi NHS N3 connectivity auditors
  • Cabinet Office ITPC Scheme approved third party
    training provider
  • (ISC)² CPE Scheme approved third party training
  • UK's only UKAS/IRCA approved 5 day ISO27001
    Lead Auditor Course
  • CESG CLAS approved Information Security
    Consultants as members of the CESG listed
    advisor scheme
  • Sponsor members of the British Quality

Any Questions ?