Information Security Management System
ISMS Mandatory Clauses
Integrated Research Campus
Version 2.1 Published 24/09/2019 Classification: IRC-Protect
Document Information
Reference: ISMS 27001
Category: Information Security Management System (ISMS) Documents
Title: ISMS Mandatory Clauses
Purpose: Defining the mandatory clauses that make up the ISO27001
Owner: Information Governance Management Group (IGMG)
Author: Charles Hindmarsh
Compliance: ISO 27001
Review plan: Annually
Related Documents:
  University of Leeds Information Protection Policy
  A.5.0 Information security policies
  A.6.0 Organisation of information security
  A.7.0 Human resources security
  A.8.0 Asset management
  A.9.0 Access control
  A.10.0 Cryptography Controls
  A.11.0 Physical and environmental security
  A.12.0 Operations security
  A.13.0 Communications security
  A.14.0 Systems acquisition, development and maintenance
  A.15.0 Supplier Relationships
  A.16.0 Information security incident management
  A.17.0 Information security aspects of business continuity management
  A.18.0 Compliance
Version History
Version | Date | Update by | Change description | Sign off | Sign off date
1.0 | 27/06/2016 | Samantha Crossfield / David Batty | Initial version | Barry Haynes (Chair of IGMG) | 20/10/2016
2.0 | 28/02/2019 | Charles Hindmarsh | New format of ISMS | Andy Pellow (Chair of IGMG) | 22/03/2019
2.1 | 21/09/2019 | Charles Hindmarsh | Updated 1.2, 1.4, 4.1-4.4, 5.2, 6.2, 7.3, 7.4, 8.1, 8.2.2, 10.2 | Andy Pellow (Chair of IGMG) | 24/09/2019
Contents
0.1 Introduction (p. 5)
  Purpose (p. 5)
  Applicability (p. 5)
  The IRC Information Security Management System (p. 5)
1.0 Scope (p. 6)
  Figure 1 (p. 6)
  1.1 Zones (p. 7)
  1.2 Infrastructure (p. 7)
  1.3 People (p. 8)
  1.4 Services (p. 8)
  1.5 Information Assets (p. 8)
  1.6 Scope Interplay (p. 8)
2.0 Normative References (p. 9)
3.0 Terms and Definitions (p. 9)
4.0 Context of the Organisation (p. 9)
  4.1 Understanding the Organisation and its Context (p. 9)
  4.2 The Needs and Expectations of Interested Parties (p. 10)
  4.3 Determining the Scope of the Information Security Management System (p. 10)
  4.4 Information Security Management System (p. 11)
5.0 Leadership (p. 12)
  5.1 Leadership and Commitment (p. 12)
  5.2 Policy (p. 12)
  5.3 Organisational Roles, Responsibilities and Authorities (p. 13)
    5.3.1 Information Governance Management Group Chair (p. 13)
    5.3.2 The Data Protection Officer (DPO) (p. 13)
    5.3.3 Information Governance Manager (IGM) (p. 14)
    5.3.4 Accountability and lines of reporting (p. 14)
6.0 Planning (p. 14)
  6.1 Actions to Address Risks and Opportunities (p. 15)
  6.2 Information Security Objectives (p. 15)
7.0 Support (p. 17)
  7.1 Resources (p. 17)
  7.2 Competence (p. 17)
  7.3 Awareness (p. 17)
  7.4 Communication (p. 18)
    7.4.1 Communication Recipients and Triggers (p. 18)
    7.4.2 Communication Scope (p. 18)
    7.4.3 Communication Responsibilities (p. 18)
    7.4.4 Communication Channels (p. 19)
    7.4.5 Audience (p. 19)
    7.4.6 Communication actions (p. 20)
  7.5 Documented Information (p. 20)
    7.5.1 General (p. 20)
    7.5.2 Creating and Updating (p. 20)
    7.5.3 Control of Documented Information (p. 21)
8.0 Operation (p. 22)
  8.1 Operational Planning and Control (p. 22)
  8.2 Information Security Risk Assessment (p. 22)
    8.2.1 Impact Definition (p. 23)
    8.2.2 Risk assessment scope (p. 23)
    8.2.3 Risk log (p. 24)
    8.2.4 Frequency of risk assessment (p. 24)
  8.3 Information Security Risk Treatment (p. 24)
    8.3.1 Applicability (p. 24)
    8.3.2 Risk treatment (p. 24)
    8.3.3 Risk Treatment Options (p. 26)
    8.3.4 Residual risk (p. 26)
    8.3.5 Risk ownership and review (p. 26)
9.0 Performance Evaluation (p. 26)
  9.1 Monitoring, Measurement Analysis and Evaluation (p. 26)
  9.2 Internal Audit (p. 27)
  9.3 Management Reviews (p. 27)
    9.3.1 Review Initiation (p. 28)
    9.3.2 Applicability (p. 28)
    9.3.3 Audit Schedule (p. 28)
10.0 Improvement (p. 29)
  10.1 Non-Conformity and Corrective Action (p. 29)
    10.1.1 Reporting (p. 29)
    10.1.2 Recording (p. 29)
    10.1.3 Corrective Action (p. 29)
  10.2 Continual Improvement (p. 29)
0.1 Introduction
Purpose
The Integrated Research Campus (IRC) is a University of Leeds (UoL) IT provision.
The IRC provides secure technical infrastructure and services for research data
handling, analytics, application processing and development. This document
contains the mandatory clauses for the IRC Information Security Management
System (ISMS) and defines the goals, context and scope of the IRC ISMS as well as
the ISMS objectives and requirements for information security.
Applicability
The ISMS applies to all users and providers of IRC services and infrastructure. All
users must comply with the ISMS policies. The essential requirements are released
through frequently used documents such as the IRC user agreement, the Research
Portal (Intranet), work instructions, project proposals, data management plans and
risk assessments. This document will be used by those staff who are responsible for
maintaining, reviewing and improving the ISMS.
The IRC Information Security Management System
The ISMS sets information security (IS) as a key element of the mission statement of
the IRC. The ISMS is designed to protect IRC reputation and capacity by maximising
IS throughout the data lifecycle. The ISMS defines the appropriate management,
control and treatment of risks to preserve the confidentiality, integrity and availability
of information.
An aim for the ISMS is recertification to ISO / IEC 27001:2013 and the NHS Data
Security Protection Toolkit. The certifications serve to externally validate that IS best
practice has been adopted. Previously Version 14 of the NHS IG Toolkit was
reviewed by NHS Digital (21 March 2017). Accredited certification to ISO
27001:2013 was attained on 15 May 2017 (Certification number 15331-ISN-001).
1.0 Scope
The ISMS scope encapsulates the space that meets the organisation’s needs for
secure data handling. This corresponds to the reach of the IRC secure research
environment and the services conducted therein, regardless of location, provider or
user. The IRC’s Statement of Applicability details the controls that have been
selected to treat identified risks, and provides a justification for the inclusion of each
of the 114 controls listed in Annex A of the ISO 27001:2013 Standard. Figure 1.0.1
summarises the scope and the governance structure that the IRC resides in.
The ISMS objectives apply to all in-scope elements. Compliance with the ISMS is
mandatory within this scope. Exceptions must be handled as set out in 10.1
Non-Conformity and Corrective Action.
Figure 1.0.1: Representation of the IRC Services (yellow), Governance (blue)
and Processes (green)
Figure 1.0.1 shows the ISMS scope and how it fits within the University and wider
legislation and standards. The ISMS scope is defined by the blue dashed line.
1.1 Zones
IRC zones are numbered 1-5 in Figure 1.0.1:
1. Gateway – the gateway zone between the other IRC zones and the external
environment. Data passes through here in order to move between zones or to
enter or leave the IRC.
2. Data Services – core data services are provided from this zone to users,
including access, provisioning, management and support services.
3. Safe Rooms - secure and managed rooms providing monitored access to data.
4. Virtual Research Environment (VRE) – firewalled virtual machines that are set
up for users with appropriate software, applications and data access. VREs are
remotely accessed.
5. IRC Data Storage – the zone in which research data is securely stored.
1.2 Infrastructure
1.2.1 Infrastructure in scope in Figure 1.0.1:
1. Infrastructure in the Gateway (Zone 1) includes:
a. Interfaces, such as a secure web server for uploading data.
b. External facilities used in providing secure data services where they are
brought in scope by either:
i. Formal agreement or
ii. ‘Take-over’ of facilities as set out in A.11.2.6 security of offsite
equipment policy.
2. Infrastructure in the Data Services (Zone 2).
3. Infrastructure in the Safe Rooms (Zone 3), including thin client computers.
4. Infrastructure in the VRE (Zone 4), including the software and applications in
each virtual machine.
5. Infrastructure in the Data Storage Zone, used to deliver storage services.
6. Networking / Telephony Systems supporting Zones 1 to 5.
The above zones will be referred to in all ISMS documentation as the “IRC
infrastructure”.
1.2.2 Infrastructure out of scope:
1. Systems that receive data from the IRC, such as external High Performance
Computing (HPC), web applications or the “Visualisation Suite” for
graphics-intensive work.
2. Devices or services used to capture data relayed to IRC infrastructure,
including scanners, gene sequencers, websites and applications.
3. Devices used to access the IRC infrastructure (including desktops, laptops,
tablets and smart phones) and their locations.
1.3 People
1.3.1 People in scope:
1. Members of the DST (based in Zone 2).
2. Users such as researchers, clinicians and analysts while they are using a) the
IRC infrastructure or b) an application that calls upon the IRC infrastructure. A
user agreement must define the elements of the ISMS that pertain to the user.
3. IT and support staff and contractors working on the IRC infrastructure. Contracts,
service and operating level agreements must accord with the ISMS.
4. Suppliers and data providers who enter a contractual agreement with the IRC.
1.3.2 People out of scope:
Users, IT and support staff, Human Resources (HR) and data providers while they
are not interacting with IRC infrastructure.
1.4 Services
1.4.1 Services in scope:
Services delivered on IRC infrastructure can be summarised as data capture,
process, access and storage services, including:
1. Checking and loading of data to / from the secure file transfer system, and
ensuring the transfer complies with any Data Sharing Agreement (DSA), Data
Processing Agreement (DPA) and/or Data Management Plan.
2. Development and destruction of virtual machines and access rights.
3. Data transformation, linkage and management.
4. Auditing of the use of IRC infrastructure.
5. Servers and PCs that reside on the IRC infrastructure.
6. Data held in storage or in suspension within the IRC.
1.5 Information Assets
1.5.1 Information assets in scope:
Data held on IRC infrastructure – from entry to exit via the IRC Gateway or until
deletion.
1.5.2 Information out of scope:
Data held beyond the scope of the IRC infrastructure.
1.6 Scope Interplay
Projects usually involve movement of data in and out of scope of the ISMS and
transfer must be handled according to the Information Transfer policy (A13.2).
2.0 Normative References
1. NHS Digital Data Security and Protection Toolkit https://www.dsptoolkit.nhs.uk/
2. ISO/IEC 27001:2013 - http://www.iso.org/iso/home/standards/management-
3. General Data Protection Regulation - https://gdpr-info.eu/
4. Cyber Essentials - https://www.cyberessentials.ncsc.gov.uk/
5. The Information Commissioner’s Office - https://ico.org.uk
3.0 Terms and Definitions
For the purpose of the ISMS, the following definitions have been used:
Term Description
Information Information includes, but is not limited to, any data printed or written on paper, stored electronically, transmitted by post or by electronic means, stored on tape or video, or spoken in conversation.
Confidentiality Ensuring that information is accessible only by authorised individuals.
Integrity Safeguarding the accuracy and completeness of information and ensuring data is not modified without proper authorisation.
Availability Ensuring that authorised users have access to the relevant information whenever required.
IGMG Information Governance Management Group
LIDA Leeds Institute for Data Analytics
SMT Senior Management Team
ICO Information Commissioner’s Office
PSD Patient Specific Directions
HRC Health Research Council
MRC Medical Research Council
IRC Integrated Research Campus
DST Data Services Team (Part of IT)
IG Information Governance
VRE Virtual Research Environment (a secure server)
DPA Data Processing Agreement
DSA Data Sharing Agreement
4.0 Context of the Organisation
4.1 Understanding the Organisation and its Context
The University provides the IRC, which is secure storage and virtual computing
power for processing confidential and highly confidential data. The IRC is
segregated from the rest of the University’s computing services and from the
internet.
LIDA and other areas within the University draw together research groups and data
scientists with external partners to undertake data-intensive research within the IRC.
Data being captured includes geographic, socio-economic, consumer, social, patient
and clinical information.
The nature and sensitivity of the data that is processed within the IRC means that
the security systems and policies and the data processing activities must be secure
and robust.
4.2 The Needs and Expectations of Interested Parties
Increasing data diversity raises differing requirements for data handling in terms of
information security, governance and data protection. Our interested parties depend
on the University to deliver secure data handling services and practices that comply
with legislation and appropriate practice governance standards. The ISMS and our
practices can be scrutinised by their auditors on request.
Our interested parties include, but are not limited to:
1. Information Governance Management Group (IGMG)
2. Leeds Institute for Data Analytics (LIDA)
3. Research Funders
4. Data Providers
5. Academics
6. UoL Audit & Risk Committee
7. UoL Protection Group
8. UoL Security Group
9. UoL Data Services Team (DST)
10. Information Commissioner’s Office (ICO)
11. Health Research Council (HRA)
12. Users of the IRC
13. Media
14. UoL IT Services
15. Alcumus ISOQAR
16. NHS Digital (NHSD)
17. Public Health England
Details of the IRC’s communication with interested parties can be found in Clause
7.4.
4.3 Determining the Scope of the Information Security Management System
The IRC is a UoL IT platform and is both shaped by and contributes to the UoL’s
strategy, research objectives, operational processes and management structures.
The IRC provides the Leeds Institute for Data Analytics with the infrastructure,
training and data services required for secure data handling in research.
The IRC systems, services and operations (See Figure 1.0.1) are designed to
prevent and minimise security incidents to avoid unauthorised disclosure that could
lead to commercial, personal or reputational damage. These include:
1. Data capture, review and release (gateway) services that are operated by the
DST.
2. Data storage facilities that are segregated from other University campus IT
systems. See Access to Networks and Network Services (A.9.1.2).
3. Data processing servers and services including data cleansing, transformation,
linkage, de-identification, backup and destruction.
4. Multi Factor Authenticated access to data in a VRE that is regulated and
monitored.
5. Secure File Transfer systems that are controlled by the DST.
There are a number of relevant internal and external issues which may impact on
the IRC’s ability to meet the objectives of the ISMS. These include:
Internal:
1. Physical Security: Protection against theft from within the UoL.
2. Culture: A commitment to information security amongst staff and researchers.
3. Staff: Retention of key, competent employees to fulfil ISMS responsibilities.
4. Acceptable Use: Adherence by staff and researchers to the terms of the IRC agreement.
5. Organisation Structure: Ability to adapt and react swiftly to change and adopt new standards and guidelines.
6. Risk Management: Ability to manage risk to an acceptable level, taking into account cost and the expectations of interested parties.
External:
1. Physical Security: Protection against theft from outside the UoL.
2. Client/Customer Requirements: Protection of their information as specified within the Data Sharing Agreements.
3. Legislative or Regulatory Change: Ability to adapt and react swiftly to change and adopt new standards and guidelines.
4. Environmental Risks: Protection against fire, flood, or other disasters which could affect business continuity.
5. Interruption to Utilities/Communications: Contingency in the event of power or telecoms failure.
6. Risk Management: Ability to manage risk to an acceptable level, taking into account cost and the expectations of clients and authorities.
4.4 Information Security Management System
The IRC’s ISO27001:2013 Information Security Management System is being
implemented and continuously improved. The ISMS contains 14 security control
documents that collectively contain a total of 35 security categories. A set of 15
documents makes up the ISMS; these are named in Policies for Information Security
(A.5.1.1).
Where additional operational detail is required, it can be found in separate work
instructions as per the Documented Operating Procedures Policy (A.12.1.1).
The ISMS is regularly audited and all findings, risks, incidents and vulnerabilities are
recorded along with recommended improvement plans for oversight by the IGMG.
5.0 Leadership
5.1 Leadership and Commitment
The IGMG is responsible for ensuring all information governance risks are
appropriately managed and monitored through the IRC ISMS. The IGMG comprises
representatives from:
1. The UoL Information Governance Group.
2. The UoL IT Services.
3. The UoL IT Assurance Team.
4. The UoL Legal Affairs Team.
5. Partner representatives from Faculties, Centres and Users.
The UoL representatives bring the expertise to ensure that IGMG leads in
accordance with industry standards, legal requirements and UoL objectives. See 5.3
for Organisational Roles, Responsibilities and Authorities.
5.2 Policy
The IGMG ensures the policies are relevant to the IRC and the University, and that
they comply with the requirements of our data providers and interested parties.
The policy objectives (See Table 6.2.1: IS Objectives) of the ISMS are as follows:
1. Information is protected from a loss or breach of confidentiality, integrity
and availability.
2. Information Security (IS) risks are identified, assessed and managed
through the risk assessment and treatment policy.
3. Policies and controls exist to mitigate against the risks identified and their
effectiveness is measured and reviewed.
4. Incidents are recorded and used to drive improvement.
5. Current regulatory and legislative requirements are met.
6. Training in all elements of the IS Management System is available to all
users, as relevant to their roles.
7. The ISMS complies with the ISO 27001:2013 and the NHS Data
Protection and Security Toolkit and is regularly reviewed and continually
improved.
The policies are reviewed at least annually or following a significant change to
ensure there is ongoing continual improvement. The policies are shared and
communicated with all researchers and interested parties as needed.
5.3 Organisational Roles, Responsibilities and Authorities
Members of IGMG fulfil the roles defined in Figure 5.3.0, and have specific
responsibilities for ensuring that the ISMS is in place and policies are followed. Other
members provide advice through group meetings and proportionate reviews as
required.
Figure 5.3.0 Three key roles in the IG Management Group (roles and responsibilities as shown in the figure):
IG Management Group Chair: High-level responsibility for IS across the IRC, through its infrastructure, processes and staff.
IRC Data Protection Officer: Responsibility for ethical-legal policies and training that ensure appropriate data access, maintain confidentiality and data integrity, and information governance.
IRC Information Governance Manager: Responsibility for the development and implementation of policies regarding IS among staff and infrastructure, including monitoring, assessment and training.
5.3.1 Information Governance Management Group Chair
The IGMG Chair is accountable for the IRC IG structure and its practice and ensures
that the ISMS is fit for purpose. They have overall responsibility for ensuring IS is in
line with industry best practice and for directing continual improvement in the ISMS.
5.3.2 The Data Protection Officer (DPO)
The DPO brings expert knowledge of data protection law, standards and practices.
They ensure that the ISMS contains relevant policies for maintaining and auditing
data privacy.
5.3.3 Information Governance Manager (IGM)
The IGM brings expert knowledge of ISO27001, the NHS Data Protection and
Security Toolkit, and the requirements of sponsors and third parties that the IRC is
working with. The IGM has knowledge of the practices and policies of the IRC and
ensures audits are carried out to fulfil the ISMS requirements.
The IGM guides the IGMG in reviewing the ISMS to ensure the ongoing protection of
information assets, technologies and data privacy.
5.3.4 Accountability and lines of reporting
The UoL IT Security Group and Information Protection Group are responsible for
ensuring the protection of information assets within the University. The UoL Senior
Information Risk Owner (SIRO) is a member. The groups receive reports from the
IGMG chair regarding IRC activities, incidents and ISMS reviews in relation to IT
security and information protection.
In the context of the UoL Information Governance structure, the IGMG is responsible
for setting, maintaining and overseeing the IRC ISMS.
The DST is accountable for delivery of the ISMS, under the oversight of the IGMG.
The team maintains an inventory of information and assets associated with
information and its processing that are on the IRC. The team is accountable for
processing the ownership, use and return of these assets. The DST ensures
Information Security is assessed throughout project management for all IRC
projects.
Employees, users and contractors must adhere to the ISMS.
6.0 Planning
A project and project risk assessment work instruction defines the procedures for
identifying and classifying information risk for projects that propose to use IRC
resources. The mandatory clauses and supporting controls set the criteria against
which risk is considered and the risk acceptance level (Clause 8.2). The ISMS
contains a standardised approach for selecting appropriate controls for risk
management that also includes when and how the assessments are performed and
reviewed. The ISMS does not cover non-technical or health and safety risk
assessment processes, which are set at UoL faculty level.
6.1 Actions to Address Risks and Opportunities
Clause 8.2 defines when and how assessments are performed, treated, reviewed
and sets a standardised approach for selecting appropriate controls for risk
management.
6.2 Information Security Objectives
The IRC objectives are set out in Table 6.2.1: IS Objectives and summarised here:
1. Information is protected from a loss or breach of confidentiality, integrity and
availability.
2. IS risks are identified, assessed and managed through the IRC Risk Assessment
policy and IRC Risk Treatment policy.
3. Policies and controls exist to mitigate against the risks identified and their
effectiveness is measured and reviewed.
4. Current regulatory and legislative requirements are met.
5. Training in all elements of the IS Management System is available to all
employees and researchers, as relevant to their roles.
6. The ISMS complies with the ISO 27001:2013 standard and is regularly reviewed
and continually improved.
7. The ISMS supports compliance with the NHS Data Security and Protection
Toolkit.
The IGMG reviews these objectives at least annually to ensure they remain current
and valid.
To measure these objectives, Key Performance Indicators (KPI) with targets have
been created and are reviewed at least annually by the IGMG. The Information
Governance Manager will ensure that the data is captured and made available at
quarterly IGMG meetings.
Table 6.2.1: IS Objectives
Objective 1. Information is protected from a loss, or breach, of confidentiality, integrity and availability.
  KPI 1.1: Number of 'High' incidents reported and recorded on the Incident Log.
  Target: None over 1 month old that are neither accepted nor being addressed.
  KPI 1.2: Number of unaddressed CRITICAL & HIGH findings reported during penetration testing (shown as average per test).
  Target: None over 1 month old that are neither accepted nor being addressed.
Objective 2. IS risks are identified, assessed and managed through the IRC Risk Assessment and Treatment processes.
  KPI 2.1: Number of Critical & High risks as percentage of total risks.
  Target: 0% over 6 months old that are neither accepted nor being addressed.
  KPI 2.2: Effectiveness of Risk Treatment Plans (percentage reduction in risk score total after treatment plan implemented).
  Target: 100% of entries to have Treatment Plan & Review Date populated; Accept Date is no later than Review Date.
Objective 3. ISMS policies and controls exist to mitigate against the non-conformities identified and their effectiveness is measured and reviewed.
  KPI 3.1: Number of internal ISMS audit findings that have not been addressed.
  Target: Less than 8 over 6 months old that are neither accepted nor being addressed.
Objective 4. Current regulatory and legislative requirements are met.
  KPI 4.1: Number of penalties enforced by any regulatory or governmental body.
  Target: No penalties.
Objective 5. Training in all elements of the IRC IS Management System is available to all employees and researchers as relevant to their roles.
  KPI 5.1: IS-related training is delivered to all employees and researchers which is appropriate to their roles.
  Target: Zero gaps or overdue training on the training register.
  KPI 5.2: Number of issues on IS Incident Log with a training-related root cause, as percentage of all issues.
  Target: Less than 10%.
Objective 6. The ISMS complies with the ISO 27001:2013 standard and is regularly reviewed and continuously improved.
  KPI 6.0: Number of non-conformities identified by a certification auditor in the annual audit.
  Target: Baseline figure.
  KPI 6.1: Number of non-conformities identified by certification auditor that have not been addressed.
  Target: Less than 2.
  KPI 6.2: Evidence of findings and observations from audits being recorded and progressed via an NCR Log.
  Target: 100% of entries to have Preventive Action & Review Date populated; Close Date is no later than Review Date.
7.0 Support
7.1 Resources
Refer to the Information Security Roles policy (A6.1.1) to view the resources
available for delivering the ISMS.
7.2 Competence
The minimum level of IS-related competence required for the specific roles listed
above is shown in Table 7.2.1.
Table 7.2.1: IS competences for specific roles

Role | Minimum Competence
IG Management Group Chair | Understanding of the requirements of ISO27001
UoL Senior Information Risk Owner (SIRO) | Understanding of the requirements of ISO27001; understanding of the requirements of the NHS Data Security and Protection Toolkit; understanding of the General Data Protection Regulation (GDPR)
IRC Information Governance Manager | Understanding of the requirements of ISO27001; understanding of the requirements of the NHS Data Security and Protection Toolkit; understanding of the General Data Protection Regulation (GDPR) and other data protection laws
UoL Data Protection Officer | Understanding of all legislation governing data protection and information handling; awareness of the requirements of ISO27001; awareness of the requirements of the NHS Data Security and Protection Toolkit
Data services team | Understanding of the General Data Protection Regulation (GDPR); understanding of the requirements of ISO27001; ability to use the tools and techniques to protect information
Users and Researchers | To have undertaken UoL IS essentials training; to have undertaken UoL IS advanced training; to have completed other risk-based training as appropriate
7.3 Awareness
For the ISMS to be effective, the ISMS and good IS practices must be communicated
to, and understood by, all those to whom they are relevant. Where documents apply to
all IRC users, they are:
1. Published on the Researcher Portal (Intranet).
2. Made available at induction.
3. Published as appropriate.
4. Reminded through annual IS compliance refresher notices.
5. Communicated by email or the IRC portal as cyber threats/risks are
identified by the UoL Assurance group or by external groups.
Everyone has a responsibility for being appropriately competent in Information
Governance. Refer to IS Awareness, Education and Training (A7.2.2).
7.4 Communication
This policy defines the controls for formal communications regarding IS that relate
to elements within the scope of the IRC ISMS. The purpose is to ensure that relevant
IS matters (in particular new policies or significant changes) are communicated to the
relevant individuals with clarity and consistency, so that people have the necessary
capacity to carry out their responsibilities for IS.
7.4.1 Communication Recipients and Triggers
IS management communications are provided to those who are directly affected by
the matter being communicated or who have responsibilities for any affected procedures.
7.4.2 Communication Scope
IS management communications about new and updated policies should be clear and
comprehensive and may include some of the following:
1. The purpose or objective of the policy.
2. Description of the policy as it relates to the recipient.
3. Responsibilities for implementing and managing the policy.
4. Feasible timeframe for implementation.
5. Review plan for the policy.
6. Opportunity for queries and comments.
However, information must not be disseminated where doing so may facilitate a
compromise of IS.
7.4.3 Communication Responsibilities
Effective communications about IS are assigned to the following roles:
7.4.3.1 The Information Governance Management Group (IGMG):
1. To communicate the importance of effective IS management and of
conforming to ISMS requirements, and the consequences of not doing so.
2. To review communication policies for making information available to
relevant people in a timely manner and via appropriate channels.
3. To ensure the DST has the relevant information.
4. To maintain open channels of two-way communication and to listen to
feedback and comments from researchers.
7.4.3.2 The IRC Information Governance Manager:
1. To maintain the ISMS.
2. To carry out internal audits of policies, processes and systems relating to
the ISMS or to the NHS Data Security and Protection Toolkit.
3. To ensure policies and procedures are updated and communicated to those
who need to know.
4. To maintain risk, non-conformity, incident and vulnerability registers.
5. To communicate to the LIDA SMT and the IGMG any risks and issues that
could undermine the IS of the IRC.
6. To communicate good security practices to IRC users.
7. To monitor and record progress against outstanding incidents and actions,
vulnerabilities, risk treatments or security improvements.
7.4.3.3 The IRC Data Services Manager:
1. To communicate regularly with their team, preferably face to face, to ensure
information relating to the ISMS is available, understood and up to date.
2. To ensure they and their team are maintaining ISMS records.
3. To listen to feedback from their team and users and to keep the IGMG
informed.
4. To communicate the outcomes of any IRC Risk Assessment or Risk
Treatment Plan.
7.4.3.4 The DST:
1. To ensure they are informed and have access to information in order to be
as effective as possible in their role.
2. To ensure they are maintaining good communication practice as set out in
this document.
3. To keep line managers, colleagues and users aware of up to date
information.
4. To maintain user, project, information, data sharing agreements and
physical and/or virtual assets inventories.
7.4.3.5 IRC Users:
1. To keep the DST informed about their needs for data handling.
2. To address any IS requirements raised with them by the DST and to
communicate the outcome (for example, by completing any IS training).
7.4.4 Communication Channels
The channel to be selected for communication is that which will most speedily and
comprehensibly convey the relevant information.
7.4.5 Audience
The audience will influence the channel to be chosen. Consider the following:
1. Location – a shared office may restrict what can be communicated. A
remote user may limit the channels available for use.
2. Role – a person’s role and relevant expertise may influence whether a
channel more conducive to interaction and feedback is appropriate.
3. Impact – directive conversation, training or detailed documentation may be
more suitable than site notifications for people whose daily working is highly
affected by the issue.
7.4.6 Communication actions
Where actions are triggered as a result of IS management communication, these
should be followed up with a formal written notice of the agreed action and its
completion date. Where actions arise from communication between DST staff, no
formal notice is required.
7.5 Documented Information
7.5.1 General
Documents must be developed, maintained and archived in the ISMS folders and
standardised, as set out in the clause on Document Format (7.5.2).
7.5.2 Creating and Updating
A document template is used to create standardised policies and procedures that
can be accurately cited. The documents contain the following:

Section | Information Required
Front page | IRC and UoL header; document title, version number and date of version sign-off
Document information page | Header: IRC logo and "Information Security Management" (Arial, size 10)
 | Footer: version number, published date and classification "Protect"
 | Document information: a. Reference (short name for referencing the document); b. Category that the document is a part of; c. Title; d. Purpose; e. Owner; f. Author; g. Compliance requirement; h. Review plan; i. Related documents
 | Version history: must include the version number, the updater, a change description, the sign-off name and role, and the date of approval
Footer | Page number; version; title; published date; classification (normally Protect)
Main document | Header: IRC logo and "Information Security Management" (Arial, size 10)
 | Footer: page and version number and date of version sign-off (Arial, size 10)
 | Numbered sections in the IRC header format
 | Purpose section: introduces the scope and objective of the document
 | Applicability section: describes who the document relates to
 | Acronyms are written out in full before first use, except for first use within a document title or header
 | IRC and other UoL documents are linked to where referenced
 | External references are quoted with a superscript numeral (e.g. 1) and are listed in footnotes
 | The University of Leeds is written in full in the first instance and subsequently referred to as UoL
7.5.3 Control of Documented Information
This applies to policies and work instructions:
1. New unapproved policies or work instructions start with version 0.
2. The first approved document will begin with version 1.0.
3. New proposals, data management plans and risk assessments from
researchers will always start at Version 1.0.
4. To edit an existing document, open it and save it as the same file name
with the next version number at the end of the name. For example “work
instruction-v1.1.docx”.
5. On completion, the version number, date, change maker's name and
change description are added to the version control table (see the example
table below).
6. For work instructions another member of the team must test the
instruction.
7. The IGM or the DST Manager will approve work instructions and the date
of approval must be recorded. Changes to policies are drafted by the IGM
or DST Manager and forwarded to the IGMG for approval.
8. Following approval, the Word document must be saved as a PDF to
prevent change.
9. The old work instruction or policy should be moved into the archive folder.
7.5.4 Document publication
PDFs of the current ISMS documents are disseminated freely. These publications
are made available to all users and staff via the intranet, and to data providers on
request. The read-only PDF versions of ISMS policies can be printed, copied or
linked to as required.
Documentation feedback is escalated to the IGMG and forwarded to the relevant
document author(s).
8.0 Operation
8.1 Operational Planning and Control
Security processes are planned and conducted through procedures agreed by the IGMG,
which oversees operations within the IRC and approves amendments to its policies.
Planned maintenance schedules ensure there is a consistent and regular
maintenance window for service and system updates.
Control is maintained through the use of work instructions that provide operational
standards for the DST to action.
Change management ensures the stability of systems by identifying and mitigating
the risks associated with implementation and by minimising the disruption to research
operations caused by system outages; in consequence it improves the services and
service levels provided to the organisation. The IRC has adopted the UoL standard
for change management, which is referenced in the IRC Change Management Policy
(A.12.1.2).
8.2 Information Security Risk Assessment
An IRC risk assessment considers all elements within the ISMS scope that handle
information and all factors that contribute to or pose a risk to IS.
Data confidentiality, integrity and availability are the criteria against which risk is
evaluated. The IRC must manage risk so as to remain compliant with relevant
legislation and to provide assurance that risks related to personal information are
managed according to internal and external standards. The assessment process and
the justification for the application of risk controls are captured in a risk log and
retained for scrutiny. Separate data protection risk assessments are carried out for
each project. Refer to the Information Security in Project Management Policy
(A.6.1.5). ISMS risks are calculated by the equation Risk = Likelihood x Impact,
using the following likelihood scale:
Scale | Likelihood Narrative | Example
4 | A risk that is almost certainly going to arise (>90%) | Changes to the value of sterling affecting buying and selling of goods abroad
3 | A risk that is likely to arise (50-90%) | Increased costs of research
2 | A possible risk that could happen (10-50%) | Major power cut on campus
1 | A risk that is unlikely to occur (<10%) | Terrorist attack on the UoL
8.2.1 Impact Definition:

Scale | Operations / Business Continuity | Compliance | Reputation | Financial loss or cost
4 Critical | Severe impact on all services University-wide or in the IRC | Critical breach leading to closure of the University or IRC service | Long-term negative publicity in national and international media | > 5% of turnover
3 Major | Severe impact on some (but not all) services delivered by the University (or by the IRC) | Major breach leading to a suspension or partial closure of the IRC | Long-term negative publicity in national media, or short-term publicity in national and international media | 2-5% of turnover
2 Moderate | Significant impact on services | Significant breach leading to reprimand or sanctions | Short-term negative publicity in regional media | 1-2% of turnover
1 Minor | Minor impact on services | Minor only, no reprimand or sanction (save improvement notice) | No bad press | < 1% of turnover
8.2.2 Risk assessment scope
The scope includes anything that could affect IRC systems that handle sensitive
information, which may include, but is not limited to:
1. Site, suppliers and organisational structure.
2. Hardware, software and networks and their supporting infrastructure.
3. Business processes and activities.
4. Data, analytical outputs and information.
5. ISMS non-conformities, vulnerabilities and weaknesses.
6. Legislation.
7. Personnel.
8. DSAs and other 3rd party contracts or licenses.
A separate risk assessment process is carried out for each research project, based
upon its data handling requirements and following the Project_Risk_Assessment
work instruction. The assessment will influence the controls that are needed to
de-identify personal data and any conditions set by a data sharing contract. Refer to
the Information Security During Project Management Policy (A.6.1.5).
8.2.3 Risk log
If there is a risk of harm to individuals, a risk of breach of contract, or a risk that could
hinder the operation of a project, the IRC or the UoL, the risks must be assessed and
logged in a risk log. Refer to the registers on SharePoint.
8.2.4 Frequency of risk assessment
Existing risks are reassessed no later than their review date, or at least every 6 months.
The risk assessment is reviewed, and new risks are considered, when any of the
following conditions arise:
After changes to infrastructure
After changes to processes
Following the identification of a weakness, non-conformity or incident
After changes to legislation
After changes to data sharing agreements or contracts
When new projects are being developed, but prior to their becoming active in the IRC. Refer to the Information Security in Project Management Policy (A.6.1.5)
8.3 Information Security Risk Treatment
8.3.1 Applicability
The Information Security Risk Treatment policy applies to users who treat IS and
governance risk within the scope of the IRC ISMS. It is also for use by the IGMG, the
IG Manager and the Data Protection Officer, who oversee and prioritise risk treatment
plans and own residual risk.
8.3.2 Risk treatment
Risk treatment involves reviewing, prioritising and implementing the risk-reducing
controls recommended from risk assessments. Risk treatment is a cycle of
assessment and implementation, triggered by systems, incidents, non-conformities,
legislation or improvements following an annual ISMS review. If relevant controls exist,
these should be applied to minimise the risk. Further treatment in the form of new
controls should be submitted to the IGMG for approval. See Figure 8.3.2.1.
Figure 8.3.2.1 Flow chart for risk treatment
While it is improbable that all risks can be eliminated, the IGMG will ensure that the
most appropriate controls are employed to reduce risk to an acceptable level using the
least-cost approach, with minimal adverse impact on the IRC. The IGMG is
authorised to choose to "Accept a risk" if appropriate.
8.3.3 Risk Treatment Options
The following treatment options can be applied to mitigate risk:
1. Risk Acceptance: Make an informed acceptance of the risk and continue
system operations or apply controls to lower the risk to an acceptable level.
2. Risk Avoidance: Eliminate the risk cause and/or consequence (e.g. forgo
certain system functions or shut down the system when risks are identified).
3. Risk Managed: Controls in place to minimise the adverse impact of a
threat’s exercising a vulnerability.
4. Risk Treatment Plan: Develop a risk mitigation plan that prioritises,
implements, and maintains controls.
5. Risk Transference: Transfer the risk by using other options to compensate
for the loss.
The situation will determine which risk treatment options are appropriate; none are
mutually exclusive. The IGMG approves the appropriate option for each risk and the
prioritisation of treatments, based on the risks that have been assessed to pose the
greatest risk to IRC objectives. Any vendor security products and administrative
measures to be utilised are also selected based on compatibility with IRC objectives.
8.3.4 Residual risk
Having implemented the selected controls, the residual risk will be recalculated in the
ISMS Risk log.
8.3.5 Risk ownership and review
The IGMG will review the risk log as part of the IGMG meetings. The IGM is
responsible for ensuring that the DST conduct risk assessments and implement risk
treatment plans. The IGMG Chair takes overall accountability for risk levels,
assessment and treatment.
9.0 Performance Evaluation
9.1 Monitoring, Measurement, Analysis and Evaluation
Individual IRC processes are controlled and monitored, as per the appropriate IS
Management policies, and measurement data is collated, analysed and reported by
the Information Governance Manager as follows:
Results from internal and external audit findings and reports and actions
identified in the non-conformance log.
Measurements taken to prove the ISMS objectives are being met.
Feedback from researchers, staff and 3rd parties.
Issues reported in the Incident Log.
Reports from Vulnerability & Penetration Logs.
Risk Log.
Changes in legislation.
The evaluation process shall document any decisions and actions relating to:
An improvement of the effectiveness of the ISMS and its processes.
An update of the Risk Assessment and Risk Treatment Plan.
Changes to any ISMS procedures and controls in response to, for example,
changing business requirements, contractual arrangements, legal/regulatory
requirements, etc.
The identification and approval of resource needs.
Changes to the information that is gathered to produce the KPI reports.
The IGMG meets quarterly to review the measurement data, internal and external
audit findings and prioritise improvement.
9.2 Internal Audit
IRC internal audits are conducted as per the audit schedule to provide information on
whether the ISMS:
1) Conforms to internal and external security requirements.
2) Meets the requirements of ISO27001:2013.
3) Is effectively implemented and maintained.
The IGM shall:
a) Plan, establish, implement and maintain an audit programme, including the
methods, responsibilities, planning requirements and reporting. The audit
programme shall take into consideration the importance of the processes
concerned and the results of previous audits.
b) Define the audit criteria and scope for each audit.
c) Select auditors and conduct audits that ensure objectivity and the impartiality
of the audit process.
d) Ensure that the results of the audits are reported to relevant management.
e) Retain documented information as evidence of the audit programme(s) and
the audit results.
9.3 Management Reviews
The IGMG reviews the ISMS documentation: the Statement of Applicability, the
ISMS Clauses and the controls.
Minimum attendance at each meeting is: the Chair or Deputy Chair, the DPO, the IRC
IGM, the DST Manager, a representative from a partner or key service user, the UoL
Ethics Boards and IT Service Management (or substitutes). Attendance from further IRC
core users, data sources and the UoL IT Security Group, Information Governance Group
and Legal Affairs Team is encouraged but optional, depending on the agenda.
Reviews consider changes to external standards, industrial best practice and the
needs of service users.
The standard agenda includes:
1. Actions since previous reviews.
2. Summary of IS performance and objectives.
3. Internal audit update and review of new non-conformities or observations.
4. IS incidents and corrective actions.
5. Summary of the risk log, issues and treatment.
6. ISMS review.
7. Opportunities for continual improvement.
8. Annual: review the relevance of the group, its management or
membership.
9. Any other business.
All members are invited before each meeting to submit agenda items and supporting
papers. The agenda and previous minutes are circulated ahead of each meeting.
Meetings are documented in terms of their occurrence, attendance, topics
discussed, agreed decisions and assigned actions.
The outputs of the management review shall include decisions related to continual
improvement opportunities and any needs for changes to the ISMS. The
organisation shall retain documented information as evidence of the results of
management reviews.
9.3.1 Review Initiation
Meetings occur quarterly, but are also triggered if a significant change occurs that
changes the risk or the ISMS scope, or undermines any current systems that are in place.
9.3.2 Applicability
The IGMG can request to review any clause or control that is in scope of the ISMS.
9.3.3 Audit Schedule
An annual audit schedule can be found on the IRC SharePoint site.
10.0 Improvement
10.1 Non-Conformity and Corrective Action
The non-conformity and corrective action policy covers all identified non-conformities
and corrective actions associated with the IRC and covers:
Identifying and controlling non-conformities.
Determining the cause(s) of non-conformities.
Taking the appropriate corrective action to eliminate non-conformities.
Recording the action taken.
Reviewing the effectiveness of the corrective action taken in accordance with
the requirements of the International Standard ISO 27001:2013.
Communicating the action with interested parties.
10.1.1 Reporting
If a non-conformity is identified, by whatever method (e.g. risk assessment, audit, or
post-implementation review), the user must report the issue through the Reporting of
Security Weaknesses policy (A.16.1.3). If a breach of IS was discovered then refer to
the Reporting Information Security Events policy (A.16.1.2).
10.1.2 Recording
If a non-conformity is identified during an internal or external ISO27001 audit, the
issue should be recorded in the ISMS Non Conformities Log and reviewed for action.
10.1.3 Corrective Action
Corrective action can be defined as the action taken to rectify something that has
gone wrong or is not performing in line with expectations.
Corrective actions, such as the immediate replacement and verification of a
non-conforming system or process, are a priority in order to minimise the risk to the UoL.
Where issues are likely to take time to resolve, regular review dates must be set
within the Non-Conformities Log.
Following a corrective action, the non-conformities log must be updated with the root
cause, the corrective action taken and the date of closure.
10.2 Continual Improvement
The IG Manager and the IGMG use audit results, corrective and preventative
actions, risk assessments, analysis of incidents, monitored events and management
reviews of key performance indicators to continually improve the ISMS and the
technical security controls that are in place.