Red Island Consulting
ISO Standards Executive Briefing to UKeHA Special Interest Group
Management System Specialists
11/16/2009 4:11:25 AM. 1 11/16/2009 4:11:25 AM
ISO 9001, ISO 20000, ISO 27001
• What are they? • What are the benefits? • What are the NHS saying? • How does that affect your organisation?
11/16/2009 4:11:25 AM. 2
ISO 9001 – Best Practice in Quality Management
What is it? • ISO 9001 is the internationally recognised standard for the quality management of businesses. • It applies to the business processes that create and control the products and services an organisation supplies. • It prescribes systematic control of activities to ensure that the needs and expectations of customers are met. • It is designed and intended to apply to virtually any product or service, made by any process anywhere in the world. • Largely an installed base (35,000 UK registrations) • Yesterday’s news?
11/16/2009 4:11:25 AM. 3
What are the benefits? • Implementing a Quality Management System will motivate staff by defining their key roles and responsibilities. • Cost savings can be made through improved efficiency and productivity, as product or service deficiencies will be highlighted. • From this, improvements can be developed, resulting in less waste, inappropriate or rejected work and fewer complaints. • Customers will notice that orders are met consistently, on time and to the correct specification. • This can open up the market place to increased opportunities.
11/16/2009 4:11:25 AM. 4
What are the NHS saying and how does it affect you? NHS Purchasing and Supply Agency advocate best practice
Do you supply product? Office Furniture, IT hardware and Software, Medical Equipment & Supplies, Foodstuffs, Call offs etc..
• • • • Does the NHS care about quality of these products? Does it care about customer service it receives? Do they want to track orders placed? Is it mentioned on tenders?
ISO 9001 could be important
11/16/2009 4:11:25 AM. 5
ISO 20000 – Best Practice in IT Service Management
What is it? • The formulation of ITIL practices into an international standard • Management of 13 key IT services to meet business requirements (predominantly internally focused) • Specifies a number of closely related processes that brought together will help ensure that an organisation delivers managed IT services to its internal customers • Comprehensive but not exhaustive • Planning, implementing, monitoring, improvement of new and changed services
11/16/2009 4:11:25 AM. 6
13 Key Processes
Service Delivery Processes
Capacity Management Service Level Management Service Continuity & Availability Management Service Reporting Information Security Management Budgeting & Accounting for IT Services
Incident Management Problem Management
Business Relationship Management Supplier Management
11/16/2009 4:11:25 AM. 7
What are the benefits? • • • • • • • • A consistent approach to service management IT service provision becomes measurable and accountable Consistent levels of service are agreed Improved communication flows between IT and the business IT gain better understanding of the business requirement Reduced risk of business failure A reduction in the number of avoidable and repeat incidents Higher availability of systems and services
11/16/2009 4:11:25 AM. 8
What are the NHS saying and how does it affect you? • The NHS uses ISO 20000 as a requirement for outsourced IT services in its larger contracts. Only companies with ISO 20000 accreditation will be considered – source BSi • National Programme for IT Service Management (NPfIT SM) has specified ISO20000 for its suppliers (Local Service Providers etc.) - source ‘The role of the NPfIT interim Helpdesk’ • NPfIT SM have recommended ITIL is adopted throughout the NHS for service management activities within Cluster Offices, SHA’s and all Trusts • Are you an Application Service provider? • Do you provide Helpdesk services to NHS clients? • Does ISO 20000 appear on tender documents? ISO 20000 could be important
11/16/2009 4:11:25 AM. 9
ISO 27001 – Best Practice in Information Security
What is it? • A risk assessment of the threats to an organisations/customer information assets • Selection and implementation of effective and relevant policy and control • Continuous review and effective improvement • Total information security risk management; – Risk Allocation- contracts,SLA’s etc. – Risk Mitigation-Security and control practices – Risk Transfer-Insurance & Liability – Risk Assurance- audit & certification – Risk Acceptance-formal, transparent • Protects the confidentiality, integrity and availability of organisational/third party information
11/16/2009 4:11:25 AM. 10
What are the benefits? • Reduction in possibly damaging/embarrassing information leaks and failures • Total risk mitigation, security of brand equity • Reduction in costs due to fewer security incidents • Contractual compliance (NHS Contracts) • Move risk to third parties • Common policies and control across the whole organisation • Increased staff awareness, involvement and empowerment • Better monitored and audited systems and information flows • The risk of prosecution is significantly reduced • Systemised for life • Protects Board, staff and organisation • It’s big in the NHS!!!
11/16/2009 4:11:25 AM. 11
What are the NHS saying and how does it affect you? • Recommended by CfH for all Trusts • Underpins NHS Trust’s Information Governance directives (Caldicott etc.) • Demonstrates compliance to N3 code of connection • Contractual obligation for NPfIT Local Service Providers (LSP’s) • Obligatory for sub contractors of application services (PAC’s, RIS, PAS etc) through LSP’s • Contractual obligation for suppliers to the Extended Choice Network (ECN) • Recommended/obligatory for Independent Sector Treatment Centre providers • Recommended for all organisations exposed to Patient Identifiable Information and/or hospital information
11/16/2009 4:11:25 AM. 12
What are the NHS saying and how does it affect you? • • • • • Do you have access to Patient Identifiable Information? Do you contract to LSP? Are you connected to NHS networks? Do your staff work at NHS sites? Does ISO27001 appear on tender documents?
ISO27001 could be Essential
11/16/2009 4:11:25 AM. 13
The ISO P-D-C-A Model
11/16/2009 4:11:25 AM. 14
Information is the lifeblood of an organisation. Identifying and protecting that information is the essence of ISO27001 Information Assets exist in many forms:
– Content, container, carrier – Databases, applications, registries & IT systems – Legal, Board & Organisational records – Intellectual property – Reputation – People
There are three aspects of Information Security:
– Confidentiality- Protecting information from unauthorized disclosure – Integrity- Protecting information from unauthorized modification and ensuring accuracy and completeness. – Availability- Ensuring information is available when you need it
11/16/2009 4:11:25 AM. 15
Information Risk Management Board directors and executive management have a duty to protect the organisation’s information assets from risk. Once identified, a thorough Risk Assessment on these assets in accordance with ISO27001 will show how. – Risk Allocation- contracts,SLA’s etc. – Risk Mitigation-Security and control practices – Risk Transfer-Insurance & Liability – Risk Assurance- audit & certification – Risk Acceptance-formal, transparent A thorough risk assessment of your information assets provides the basis for your Information Security Management System (ISMS).
ISO27001-Your security strategy.
11/16/2009 4:11:25 AM. 16
ISO27001-Seven key steps to certification
• Asset ID • Business Impact Analysis • Risk Assessment • Risk Treatment Plan • Policy & Procedure Documentation (ISMS) • Implementation & Awareness • Certification Audits
11/16/2009 4:11:25 AM. 17
3 Tiers of an ISMS (typically)
Policy & Guidance-Applies to all staff
– Email & internet – Handling information – Reporting incidents/weaknesses
Controls & Procedures-Applies to specific functions
– Data back up, AV, build, change control, firewalls-IT – Recruitment, training, staff starter/leaver-HR – Compliance with contracts/SLA’s, legislation-Legal
Maintaining & monitoring ISMS
– Security Forum-Each function/Dept represented – Internal audits – Investigating and learning from security incidents/weaknesses – Security Officer
The ISMS will change organically with the organisation to ensure continual improvement
11/16/2009 4:11:25 AM. 18
Red Island Consulting Europe’s leading providers of ISO27001 certification services • ISO27001:2005 Certified • ISO27001 Lead Auditors • S-cat listed (as part of The Xansa Consortium) • BSI Associate ISO27001 Consultancy Scheme member • SGS approved consultants • HMG GSi & NHS N3 connectivity auditors • Cabinet Office ITPC Scheme approved third party training provider • (ISC)² CPE Scheme approved third party training provider • UK’s only UKAS/IRCA approved 5 day ISO27001 Lead Auditor Course • CESG CLAS approved Information Security Consultants as members of the CESG listed advisor scheme • Sponsor members of the British Quality Foundation
11/16/2009 4:11:25 AM. 19
Any Questions ?
11/16/2009 4:11:25 AM. 20