So begins the start of a refreshed effort to find the practical or working examples of how to implement 27001 which have so far evaded me. What does it mean for the way my shredding business should handle personal data and comply with legislation such as the Data Protection Act and the WEE Directive?
I start to give Google a pummelling. There really aren’t many links that look like they are going to give me what I want. So I end up going very deep – to search results 80 and above and opening tens of documents including ones on information assurance, the Cabinet Office and risk management – in pursuit of my goal.
What I really want to find is an Information Security Manual for a small or mid-size organisation which somebody has published on their website – one which is a bit more friendly that the one from the IT Governance Toolkit trial. I am aware that organisations shouldn’t publish such things on their website –particularly those involved security – as letting the public know about their security systems obviously isn’t a good idea. But I am expecting to find something out there in cyberspace – you can find almost anything else!
The first useful looking document is an Information Security Manual produced by the Pennine Care NHS Trust. This is clearly the kind of thing that I am looking for but it doesn’t strike me as particularly friendly. The first two sides are about “Policy Document Control” and then the index comprises pages 3-5. I have seen this kind of thing before from the Cabinet Office and CESG. The first actual prose appears on page 6:
1.1 The Trust has a duty to protect its information assets and thus to ensure business continuity and minimise the adverse effects of securityincidents. Information assets and the IT systems that support them arebecoming increasingly more vulnerable as the potential for wideraccessibility is facilitated via more powerful computers and communications networks.
1.2 Any loss of the ability to access information could have a significanteffect on the efficient operation of the Trust and may result an inabilityto provide services to patients and financial loss to the Trust.”
These are to me statements of the very obvious, the like of which feature widely in many ISO 27001 documents I have seen. I know they have to be there but doesn’t their continued use and repetition run the risk of making the user, who should be interested in their content, just switch off?
The document continues for 47 pages. There are guidelines here for information assurance practices including the setting of passwords and controlling access to buildings. However, its difficult to determine the structure of the document and how it fits into an overall framework. It is on the right lines of what I am looking for but it is for a very sizeable organisation. I move on.
The next document which catches my eye is an Information Security Business Manual from NHS Wales. This is in Word and is clearly a template with blanks or red text which can be filled in by different NHS branch offices to suit their needs. It’s a lot shorter than the Pennine document at only 24 pages.
Some terms used are ery familiar such as “Senior Management Team”. We then get onto “ISMS Operational Forum Membership” which sounds very corporate and, stone me, Plan/Do/Check/Act (PDCA) model with a little chart makes an appearance on Page 10!
The good thing about this document though is its length. It has some slightly scary headings such as those mentioned above but it strikes me (although I can’t be sure) that somebody has spent a lot of time simplifying things and reducing them down to produce a very well put together template that will save an NHS departmental manager a lot of time in producing an Information Security Manual. Whether the person producing the manual would understand what they were doing beyond filling in the blanks I am not sure. In other words, this document is a bit like doing dot to dot. You join the dots (or fill in the blanks) but can you see the whole picture when you’re finished? Ok, not exactly what I want, but I keep it because it could be useful.
I am aware that the NHS has a lot of data handling procedures and it computers hold a lot of personal data. No central, London based government department seems to have produced similar guidance. The NHS are good potential customer for our CCT Mark Certified service which we have just formally submitted to CESG and the Cabinet Office office.
Based on historical diary entries .