Sean Hughes, network security engineer with EMR, is spearheading our efforts to secure ISO27001 accreditation. It’s an onerous task but one he’s clearly relishing.
Q: Tell us a little about the trigger behind EMR’s drive for ISO27001 certification.
A: I’m responsible for all things relating to security and a big part of that is ISO27001. It’s a big body of work but it’s obviously a very worthwhile certification to get and deserves the time and effort that goes into it. EMR sees the adoption of ISO27001 as a mechanism to protect EMR and our client information in a systematic and cost-effective way. It ensures confidentiality, integrity and availability through the adoption of an Information Security Management System (ISMS).
ISO27001 will provide a distinct market advantage, enabling us to tender for new business as it’s now becoming mandatory just like ISO9001, 45001 and 14001. It means we are more competitive and one of a select number of suppliers that make it to the tendering stage and that gives us an edge.
Q: How do you start a project of this scale?
A: We had a lot of groundwork done already. We currently have the Cyber Essentials certification and, prior to my joining the team in February, we had put in place an Information Security Management System (ISMS), which is a core part of ISO27001. It’s our central set of policies and procedures that have to be implemented, and that’s part of the process and part of my role here as well.
Q: Where are we at in our ISO27001 journey?
A: Well, working backwards, our ISO27001 audit will be carried out during the week of 6th September. Week commencing 3rd August is when we have to have our documentation, i.e. our policies and procedures, ready for review. On 4th July, we will formally launch ISO27001 certification internally. During that week, we’ll be rolling out our security awareness training workshops. It’s a big three days.
Q: How confident are you feeling about September?
A: There’s a huge amount of work to be done, but it’s a matter of everything you do every day building towards a successful outcome. You use that to build up your body of evidence for the audit come September. For example, any time anybody wants to do a big change, such as the work we’re currently doing on our firewalls, they have to update a change management document. And that goes into your body of evidence. We’ve also been working on access permissions so staff only get access to the resources they need to do their job, and that’s been rolled out recently.
That’s one of the tenets of basic information and computer security: it’s based on ‘need to know’. You only get access to what you need to know. You only get as much access as you require to do your job.
Q: Talk to me a little bit about the building blocks of ISO27001.
A: It’s an overall structure. It’s not just about information security policy. It pertains to every aspect of the business. Of course, you must have your policies and procedures and all of your information organised, for example policies such as Clean Desk / Clear Screen, BYOD, Password, Screen Lock, Joiners and Leavers and Removable Media. All of this comes into it.
Q: Can I presume there’s a big human element to this too?
A: Of course, the training piece is so important to get everyone up to speed on those processes, making sure for example that they don’t use USB keys on the network or go off spinning up servers somewhere. People might think that these things are restrictive, but they need to be in order to adhere to the ISO27001 controls.
Every piece of a process is a control. For example, physical security is a control and we’ve done a lot of work on that in recent months with keypads installed everywhere and you can only get access to the building and certain rooms with a proper swipe card.
Q: Is there anything that you personally find very challenging in running this project?
A: Well, I suppose the most difficult aspect is getting people to buy into it, getting people to change the way they do things. And there’s always a reason why we ask them to do things a certain way, and that reason is 27001. There are processes that have to be put in place or else we don’t pass, and that’s why the changes are happening. That’s why we’re doing the things we have to do. I believe people see that, and the security awareness training should heighten it.