ISO 27001 Project - PowerPoint PPT Presentation

ISO 27001 Project

Provided by: mandy53
Transcript and Presenter's Notes

1

Red Island Consulting
ISO Standards Executive Briefing
to UKeHA
Special Interest Group
Management System Specialists
11/19/2009 5:47:46 AM
2
ISO 9001, ISO 20000, ISO 27001
  • What are they?
  • What are the benefits?
  • What are the NHS saying?
  • How does that affect your organisation?

3
ISO 9001 Best Practice in Quality Management
  • What is it?
  • ISO 9001 is the internationally recognised
    standard for the quality management of
    businesses.
  • It applies to the business processes that create
    and control the products and services an
    organisation supplies.
  • It prescribes systematic control of activities to
    ensure that the needs and expectations of
    customers are met.
  • It is designed and intended to apply to virtually
    any product or service, made by any process
    anywhere in the world.
  • Largely an installed base (35,000 UK
    registrations)
  • Yesterday's news?

4
ISO 9001
  • What are the benefits?
  • Implementing a Quality Management System will
    motivate staff by defining their key roles and
    responsibilities.
  • Cost savings can be made through improved
    efficiency and productivity, as product or
    service deficiencies will be highlighted.
  • From this, improvements can be developed,
    resulting in less waste, inappropriate or
    rejected work and fewer complaints.
  • Customers will notice that orders are met
    consistently, on time and to the correct
    specification.
  • This can open up the market place to increased
    opportunities.

5
ISO 9001
  • What are the NHS saying and how does it affect
    you?
  • NHS Purchasing and Supply Agency advocate best
    practice
  • Do you supply product?
  • Office Furniture, IT hardware and Software,
    Medical Equipment & Supplies, Foodstuffs,
    Call-offs etc.
  • Does the NHS care about quality of these
    products?
  • Does it care about customer service it receives?
  • Do they want to track orders placed?
  • Is it mentioned on tenders?
  • ISO 9001 could be important

6
ISO 20000 Best Practice in IT Service Management
  • What is it?
  • The formulation of ITIL practices into an
    international standard
  • Management of 13 key IT services to meet business
    requirements (predominantly
    internally focused)
  • Specifies a number of closely related processes
    that brought together will help ensure that an
    organisation delivers managed IT services to its
    internal customers
  • Comprehensive but not exhaustive
  • Planning, implementing, monitoring, improvement
    of new and changed services

7
ISO20000
  • 13 Key Processes

8
ISO 20000
  • What are the benefits?
  • A consistent approach to service management
  • IT service provision becomes measurable and
    accountable
  • Consistent levels of service are agreed
  • Improved communication flows between IT and the
    business
  • IT gain better understanding of the business
    requirement
  • Reduced risk of business failure
  • A reduction in the number of avoidable and repeat
    incidents
  • Higher availability of systems and services

9
ISO 20000
  • What are the NHS saying and how does it affect
    you?
  • The NHS uses ISO 20000 as a requirement for
    outsourced IT services in its larger contracts.
    Only companies with ISO 20000 accreditation will
    be considered (source: BSi)
  • National Programme for IT Service Management
    (NPfIT SM) has specified ISO 20000 for its
    suppliers (Local Service Providers etc.)
    (source: The role of the NPfIT interim Helpdesk)
  • NPfIT SM have recommended that ITIL be adopted
    throughout the NHS for service management
    activities within Cluster Offices, SHAs and all
    Trusts
  • Are you an Application Service Provider?
  • Do you provide Helpdesk services to NHS clients?
  • Does ISO 20000 appear on tender documents?
  • ISO 20000 could be important

10
ISO 27001 Best Practice in Information Security
  • What is it?
  • A risk assessment of the threats to an
    organisation's/customer's information assets
  • Selection and implementation of effective and
    relevant policy and control
  • Continuous review and effective improvement
  • Total information security risk management
  • Risk Allocation - contracts, SLAs etc.
  • Risk Mitigation - security and control practices
  • Risk Transfer - insurance, liability
  • Risk Assurance - audit, certification
  • Risk Acceptance - formal, transparent
  • Protects the confidentiality, integrity and
    availability of organisational/third party
    information

11
ISO 27001
  • What are the benefits?
  • Reduction in possibly damaging/embarrassing
    information leaks and failures
  • Total risk mitigation, security of brand equity
  • Reduction in costs due to fewer security
    incidents
  • Contractual compliance (NHS Contracts)
  • Move risk to third parties
  • Common policies and control across the whole
    organisation
  • Increased staff awareness, involvement and
    empowerment
  • Better monitored and audited systems and
    information flows
  • The risk of prosecution is significantly reduced
  • Systemised for life
  • Protects Board, staff and organisation
  • It's big in the NHS!

12
ISO27001
  • What are the NHS saying and how does it affect
    you?
  • Recommended by CfH for all Trusts
  • Underpins NHS Trusts' Information Governance
    directives (Caldicott etc.)
  • Demonstrates compliance with the N3 Code of
    Connection
  • Contractual obligation for NPfIT Local Service
    Providers (LSPs)
  • Obligatory for sub-contractors of application
    services (PACS, RIS, PAS etc.) through LSPs
  • Contractual obligation for suppliers to the
    Extended Choice Network (ECN)
  • Recommended/obligatory for Independent Sector
    Treatment Centre providers
  • Recommended for all organisations exposed to
    Patient Identifiable Information and/or hospital
    information

13
ISO27001
  • What are the NHS saying and how does it affect
    you?
  • Do you have access to Patient Identifiable
    Information?
  • Do you contract to LSP?
  • Are you connected to NHS networks?
  • Do your staff work at NHS sites?
  • Does ISO27001 appear on tender documents?
  • ISO27001 could be Essential

14
The ISO P-D-C-A (Plan-Do-Check-Act) Model
15
ISO27001
  • Information is the lifeblood of an organisation.
    Identifying and protecting that information is
    the essence of ISO27001
  • Information Assets exist in many forms
  • Content, container, carrier
  • Databases, applications, registries & IT systems
  • Legal, Board & Organisational records
  • Intellectual property
  • Reputation
  • People
  • There are three aspects of Information Security
  • Confidentiality - Protecting information from
    unauthorised disclosure
  • Integrity - Protecting information from
    unauthorised modification and ensuring accuracy
    and completeness
  • Availability - Ensuring information is available
    when you need it

16
ISO27001
  • Information Risk Management
  • Board directors and executive management have a
    duty to protect the organisation's information
    assets from risk.
  • Once the assets are identified, a thorough Risk
    Assessment of them in accordance with ISO27001
    will show how.
  • Risk Allocation - contracts, SLAs etc.
  • Risk Mitigation - security and control practices
  • Risk Transfer - insurance, liability
  • Risk Assurance - audit, certification
  • Risk Acceptance - formal, transparent
  • A thorough risk assessment of your information
    assets provides the basis for your Information
    Security Management System (ISMS).
  • ISO27001 - your security strategy.

17
ISO27001 - Seven key steps to certification
  • Asset ID
  • Business Impact Analysis
  • Risk Assessment
  • Risk Treatment Plan
  • Policy & Procedure Documentation (ISMS)
  • Implementation & Awareness
  • Certification Audits

18
3 Tiers of an ISMS (typically)
  • Policy & Guidance - applies to all staff
      • Email & internet
      • Handling information
      • Reporting incidents/weaknesses
  • Controls & Procedures - apply to specific
    functions
      • Data backup, AV, build, change control,
        firewalls - IT
      • Recruitment, training, staff starter/leaver - HR
      • Compliance with contracts/SLAs,
        legislation - Legal
  • Maintaining & monitoring the ISMS
      • Security Forum - each function/Dept represented
      • Internal audits
      • Investigating and learning from security
        incidents/weaknesses
      • Security Officer
  • The ISMS will change organically with the
    organisation to ensure continual improvement

19
Red Island Consulting - Europe's leading
providers of ISO27001 certification services
  • ISO 27001:2005 Certified
  • ISO27001 Lead Auditors
  • S-cat listed (as part of The Xansa Consortium)
  • BSI Associate ISO27001 Consultancy Scheme member
  • SGS approved consultants
  • HMG GSi & NHS N3 connectivity auditors
  • Cabinet Office ITPC Scheme approved third party
    training provider
  • (ISC)² CPE Scheme approved third party training
    provider
  • UK's only UKAS/IRCA approved 5 day ISO27001
    Lead Auditor Course
  • CESG CLAS approved Information Security
    Consultants as members of the CESG listed
    advisor scheme
  • Sponsor members of the British Quality
    Foundation

20
Any Questions ?