
[Audio] Welcome to this presentation about the ISO 27001 Information Security Management System, or "ISMS". As part of the ISMS we must ensure that everyone in its scope knows what it is, what it does, where to look for it, and what their responsibilities are.
[Audio] The first step is to explain that ISO 27001 is a globally recognised security standard that provides a framework for best practice in protecting information in a structured, risk-based way. By using this framework to identify risks and apply controls, we can demonstrate consistent, auditable, well-governed security practices across the Trust. Holding an ISO 27001 certification shows commitment to strong security practices and to continual improvement in how we protect people, systems, and data.
[Audio] A key part of the certification is the Information Security Management System, or ISMS. Through the ISMS we achieve the principles of Information Security, which are Confidentiality, Integrity, and Availability. Confidentiality means that the correct people see the correct information. Integrity means that the information is accurate and unaltered. Availability means that the information is available when needed. The ISMS is the collection of policies, procedures, processes, and responsibilities we use to manage information securely. It acts as the practical "operating system" for security, covering everything from risk assessments, incident response, and access control to training, governance, and compliance monitoring.
[Audio] Why do we have the ISMS and ISO 27001? Because together they give us a framework for information security. Without them we could still work to the data security principles of ISO, or adopt another framework such as NIST; however, we have chosen ISO 27001 and have held the certification for over 15 years. Working with the ISMS means we have the framework to evidence that we look after information. This is audited twice per year and, if we are successful, we can display the ISO 27001 badge to provide assurance to patients, suppliers, and other organisations that we provide good information security. Working with a framework also helps us meet our UK data protection legislation obligations and the NHS Data Security Toolkit.
[Audio] Who does the ISMS apply to? The short answer is: if you are seeing this video, it applies to you! The ISMS has a defined scope that applies to all IM&T staff across IT, Information, Transformation, Governance and related functions. This is a broad but manageable scope for the team that operates the ISMS, which is why it does not extend to the wider Trust, where a significantly larger resource would be required to manage it effectively.
[Audio] There is no single location where you can find all the information that makes up the ISMS, as it consists of different policies, meeting minutes, procedures, auditable evidence of compliance and so on. Primarily we have the Information Security Policy, which is on Nexus. Please ensure you can locate the policy and are aware of sections one to four, as these will tell you about the Trust's commitment to Information Security, the purpose of the policy, our Information Security objectives and, importantly, your responsibilities. Supporting the Information Security Policy is a range of local policies covering things like risk management, supplier management, employment, hybrid working and so on; a selection of these policies is available to view on the Information Security SharePoint pages. To monitor Information Security, along with digital risk and cybersecurity, there is a monthly meeting attended by members of IM&T Senior Management and the Chief Clinical Information Officer.
[Audio] As a member of staff in scope, you need at least to be aware of the location of the Information Security Policy, which you can find on Nexus; for further information you can view the ISMS policy, which is available on the Intranet. These two policies will give you an overview of Information Security and your part in it. You must maintain the core values of Information Security, which are confidentiality, integrity and availability, by thinking about security in everything you do. Think about how the information we hold in the Trust is kept safe and secure, think about how you ensure that the correct people see the information, and think about how you can help to make it available to the people who need access to it.
[Audio] Make sure you complete your annual training before it is due, as we monitor training compliance as part of the ISMS! And report any incidents, even if you're not sure, so that they can be investigated. Lastly, make sure you follow processes and procedures; an example of this is the joiners, movers and leavers process. When someone joins, ensure that they have signed the correct paperwork, such as a confidentiality agreement, and that they have the correct access; then, when they leave, ensure that their access has been removed and their equipment recovered.
[Audio] The Information Security Policy can be found on Nexus: go to the search document section, then search for the Information Security Policy. ISMS policies can be viewed on the Information Security SharePoint pages: click on IT and RIO Help & Support, then click Information Security and look for the ISO 27001 Information Security Management System button.
[Audio] Thanks for listening; we hope this presentation was useful to you. If you want to know more, please contact Richard via email or Teams.