ISO 27001 Information Security Management Services (Lot 4)




CONTENTS

1. WHY LEICESTERSHIRE HEALTH INFORMATICS SERVICE? ... 3
2. LHIS TECHNICAL ASSURANCE SERVICES ... 3
3. SERVICE OVERVIEW ... 4
4. EXPERIENCE ... 4
5. PRE ISO 27001 ... 7
6. OUR PEOPLE ... 7
7. ORDERING AND INVOICING PROCESS ... 8
8. FURTHER INFORMATION ... 8

Author: Colin Swift, Product Manager, colin.swift@leics-his.nhs.uk

Prepared for:

The Health Informatics Service is provided by Leicestershire Partnership NHS Trust on behalf of the Leicester, Leicestershire and Rutland Health Community

Page 2 of 9

1. Why Leicestershire Health Informatics Service?

Leicestershire Health Informatics Service (LHIS) is hosted by the Leicestershire Partnership NHS Trust. The Trust serves a population of one million people across Leicester, Leicestershire and Rutland, has a budget in excess of 250 million and employs over 5,000 staff in a wide variety of roles. This hosting arrangement provides LHIS with a sound financial and organisational platform from which to operate along sound business practices.

LHIS provides a vast range of IT products, services and solutions to its clients. LHIS delivers these solutions nationwide to all sectors of the healthcare market and beyond, including primary care NHS Trusts, Clinical Commissioning Groups (CCGs), Commissioning Support Units (CSUs), care homes, hospices and General Practices, Acute Hospital Trusts, arm's length bodies and Any Qualified Providers (AQPs).

LHIS has approximately 130 highly qualified IT staff, including dedicated teams of project managers, change managers, web developers, application developers, content editors, IT trainers, service desk analysts, business intelligence and data warehousing staff, network engineers, and desktop and enterprise support.

As an NHS organisation LHIS has extensive experience of NHS standards, clinical systems security, NHS procedures, information governance and risk management. LHIS has passed its Health Informatics Standards Accreditation (HISA); this has been developed by the HSCIC so that commissioners of IM&T services within the NHS can use it as a quality standard to look for when considering future supply.

The LHIS client base has grown through word of mouth recommendations based on LHIS's excellent track record of service and delivery, and now includes non-NHS public sector organisations such as Councils, Charities, Schools and Colleges.

2. LHIS Technical Assurance Services

LHIS Technical Assurance Services works with a wide range of public and private sector bodies including:

- Arm's Length Bodies
- Acute, Mental Health and Community NHS Trusts
- Blue light services
- Central Government, e.g. The Cabinet Office
- Clinical Commissioning Groups (CCGs)
- Commissioning Support Units (CSUs)
- District and Borough Councils
- General Practices (GPs)
- Hospices and other 3rd Sector organisations
- Universities, Schools & Academy chains

LHIS is accredited under the Cyber Essentials and IASME schemes and is currently working towards CREST membership with a view to being members shortly after the framework commences.

3. Service overview

LHIS ISO 27001 services enable organisations to comply with, and if required gain, ISO 27001 certification. The standard has many benefits for organisations moving to Cloud based services or with Cloud services already implemented. The controls contained within ISO 27001 address data availability, confidentiality, integrity and privacy, all areas that need to be addressed with Cloud based services. The development of Risk Management allows the organisation to understand its level of risk and ensure that the risk is commensurate with organisational tolerances.

LHIS is used to working closely with public sector customers and colleagues to provide contextually appropriate advice and guidance. Our Technical Assurance Services routinely work on-site at customer locations and have regular contact with customers via phone and email. In terms of on-site working and support, LHIS is based in Leicester, which is centrally located to provide support at any UK office location.

4. Experience

LHIS has supported large public sector organisations with ISO 27001 accreditation. This includes some of the biggest and busiest NHS trusts and public sector organisations in the country. A recent example employs more than 12,000 staff providing a range of services primarily for over one million residents of Leicester, Leicestershire and Rutland. LHIS was selected by the outsourced ICT service provider to support the organisation with its ISO 27001 accreditation. This support has been so successful that LHIS has been asked to increase the scope of its support to cover the full ISO 27001 framework.

On a smaller scale LHIS also has experience of:

- Development of Information Security Management Systems (ISMS)*
- Feedback and validation on project deliverables to ensure they align with ISO 27001
- On-site mini assignments and attendance at meetings as required
- Providing internal mock audits prior to certification
- The provision of advice based on previous successful ISO 27001 certification assignments
- Responding to ad-hoc email and telephone requests to provide guidance and advice

*An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure.

Scope of the service

Gap analysis
This involves assessing current practice and identifying the gaps and areas of weakness that require attention in order to achieve ISO 27001 compliance / certification.

Risk assessment for ISO 27001 starts with identifying all the information assets within the environment to be certified. Each asset is assessed to determine the worst case impact of a loss of confidentiality. This prioritises the assets to focus the next step of the risk assessment.

Risk assessment
Threats and vulnerabilities associated with the assets are then identified and documented. The prioritisation from the previous step provides both an order in which to address the risks and a measure of the impact of each threat or vulnerability. The probability of each threat or vulnerability materialising is then established to provide an overall risk score (impact and probability combined).

Risk mitigation
Once the risk assessment is complete, risks that are above the organisational tolerance level are reviewed to establish controls that mitigate the possibility of the risk materialising as an issue.

Policy development
Organisation policies are a crucial tool for protecting data and systems. LHIS offers a review and development service. This typically includes the following stages:

- Thorough review of current policies and procedures
- Identification of gaps or weaknesses
- Documentation of remedial action to align with best practice
- Reporting of the review process

Staff awareness training
LHIS is able to offer staff training to increase organisational understanding and awareness of the ISO 27001 standard. The workshops can be tailored to the audience and typically might cover the following areas:

- Best practice
- Regulations and legalities
- Management of incidents
- Risk assessment and management
- Security trends
- Case studies
- Management responsibility

Management briefings
Similar to the staff training but aimed at a different audience. This service offers briefings at a senior or executive level to provide an outline of the ISO 27001 standard and its associated benefits to an organisation.

Statement of Applicability (SOA)
Also known as an SOA, the statement of applicability is a document which identifies the controls chosen for an environment. The document then goes on to explain how and why they are appropriate. It is derived from the risk assessment and mitigation plans, and relates back to the original risks to demonstrate that mitigations are in place to facilitate ISO 27001 compliance. LHIS is able to assist in the selection of controls.

Routine internal audits of key controls
As part of ISO 27001 accreditation, there is a requirement to conduct routine internal audits of the key controls. Many organisations have a phased programme of audits over two or three years that cover all controls. LHIS can provide this service as a discrete entity in support of an organisation that has already acquired the accreditation.

Pre-certification audits to ISO 27001
LHIS performs an ISO 27001 mock audit which provides the following benefits:

- Provides a chance to establish any areas of weakness prior to the full audit
- Allows the organisation to understand the audit process for real
- Ensures staff understand what is required in terms of documentation and evidence to support auditing
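The risk assessment, risk mitigation and Statement of Applicability steps described above, worked through in code so the traceability between them is visible. This is an added illustration written for this page; it is not LHIS's tooling and is not part of the original service definition. The asset register, the 1 to 5 impact and probability scales, the tolerance of 8, the risk ids and the control references are all constructed for the example, and the control references are hypothetical labels rather than real ISO 27001 Annex A numbers.

```python
"""Worked ISO 27001 risk flow: prioritise assets, score risks, filter against
tolerance, then build a Statement of Applicability that traces controls back
to the risks that justify them. Constructed example data throughout."""
from dataclasses import dataclass

# Assumed 1..5 ordinal scales for impact and probability; the text names no scale.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality_impact: int  # worst-case impact if confidentiality is lost


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str          # must name an Asset in the register
    threat: str
    vulnerability: str
    probability: int    # likelihood the threat exploits the vulnerability


@dataclass(frozen=True)
class Control:
    ref: str            # hypothetical reference, not a real ISO 27001 Annex A number
    description: str
    treats: tuple       # risk_ids this control is chosen to mitigate


def prioritise_assets(assets):
    """Step 1: order assets by worst-case confidentiality impact, highest first."""
    for a in assets:
        if a.confidentiality_impact not in SCALE:
            raise ValueError(f"{a.name}: impact {a.confidentiality_impact} not in 1..5")
    return sorted(assets, key=lambda a: a.confidentiality_impact, reverse=True)


def score_risks(assets, risks):
    """Step 2: overall risk score = asset impact x probability, highest first.
    A risk naming an unregistered asset is an error, not a silent zero."""
    impact = {a.name: a.confidentiality_impact for a in assets}
    scored = []
    for r in risks:
        if r.asset not in impact:
            raise KeyError(f"{r.risk_id}: asset {r.asset!r} is not in the register")
        if r.probability not in SCALE:
            raise ValueError(f"{r.risk_id}: probability {r.probability} not in 1..5")
        scored.append((r, impact[r.asset] * r.probability))
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def risks_above_tolerance(scored, tolerance):
    """Step 3: only risks strictly above the organisational tolerance need treatment."""
    return [(r, s) for r, s in scored if s > tolerance]


def statement_of_applicability(controls, to_treat):
    """Step 4: map each chosen control to the above-tolerance risks that justify it,
    and list any above-tolerance risk that no control addresses (an SOA gap)."""
    needed = {r.risk_id for r, _ in to_treat}
    soa = {c.ref: sorted(set(c.treats) & needed) for c in controls}
    covered = {rid for c in controls for rid in c.treats}
    untreated = sorted(needed - covered)
    return soa, untreated


# Constructed sample register (not real systems or findings).
ASSETS = (
    Asset("Patient record database", 5),
    Asset("Public website content", 1),
    Asset("Staff laptop fleet", 4),
)
RISKS = (
    Risk("R1", "Patient record database", "unauthorised disclosure", "shared admin account", 3),
    Risk("R2", "Staff laptop fleet", "loss or theft", "unencrypted disks", 4),
    Risk("R3", "Public website content", "defacement", "unpatched CMS", 4),
    Risk("R4", "Patient record database", "unrecoverable outage", "untested backups", 2),
)
CONTROLS = (
    Control("C-ENC", "Full-disk encryption on all portable devices", ("R2",)),
    Control("C-ADM", "Named administrator accounts with MFA", ("R1",)),
)
TOLERANCE = 8  # assumed organisational tolerance on the 1..25 score range


def main():
    print("Asset priority:", [a.name for a in prioritise_assets(ASSETS)])
    scored = score_risks(ASSETS, RISKS)
    for r, s in scored:
        print(f"{r.risk_id} {r.asset}: {r.threat} via {r.vulnerability} -> score {s}")
    above = risks_above_tolerance(scored, TOLERANCE)
    soa, untreated = statement_of_applicability(CONTROLS, above)
    print("SOA:", soa)
    print("Above-tolerance risks with no control:", untreated)


if __name__ == "__main__":
    main()
```

The useful output is the last line: R4 scores above tolerance but no chosen control traces back to it, which is exactly the gap an SOA review or a mock audit should surface before the certification audit does.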

5. Pre ISO 27001

LHIS has passed its Cyber Essentials and IASME certification, which is aimed at SMEs. The Cyber Essentials scheme has been set up by the UK Government to help any organisation attain a level of security that should reduce the risk of a malicious attack from the internet, whilst IASME is essentially a subset or bite sized version of the ISO/IEC 27001 standard aimed primarily at SMEs. These certifications are effective first steps towards demonstrating organisational cyber security and can form part of the journey to ISO/IEC 27001 certification. LHIS is working towards becoming qualified assessors for both schemes, which will mean that LHIS will be authorised to carry out Cyber Essentials and IASME assessments nationwide to support SME customer organisations with their Security and Information Assurance Frameworks.

6. Our people

Our ICT Security personnel have a range of qualifications including:

- ISO 27001 Lead Auditor
- Certified Forensic Investigation Analyst - Distinction
- NHS Local Security Management Specialist
- ISEB Information Security Management - Distinction
- EC-Council Computer Hacking Forensic Investigator
- PRINCE2 Foundation
- Tiger Scheme Qualified Security Team
- Certified Information Systems Auditor
- EC-Council Certified Ethical Hacker
- Microsoft Certified Professional
- Certified Security Testing Professional
- Degrees in Computer Science

Many are also members of professional bodies such as The British Computer Society (BCS).

7. Ordering and invoicing process

Call us on 0116 295 3500 option 7
Email: crmteam@leics-his.nhs.uk

LHIS will provide assistance with completing the G-Cloud call-off contract, which will include an order form.

8. Further Information

If you have any queries or questions, or wish to request further information, please contact us (quoting "G-Cloud V enquiry") as follows:

crmteam@leics-his.nhs.uk
0116 295 3500 option 7

More LHIS information can also be found at:

http://www.leics-his.nhs.uk
https://www.facebook.com/leicshis
https://twitter.com/leicshis
http://www.linkedin.com/company/leicestershire-health-informatics-service---nhs