NHS Mersey Internal Audit Agency www.miaa.co.uk

IM & T Assurance


ISO 27001 Implementation and Certification

Information is the lifeblood of any organisation. Without access to accurate information at the right time, by the right people, no organisation can succeed. In this the NHS is no different from any other sector. The importance of information is clearly evident in the delivery of patient care: clinicians need access to patient records, to pathology results, to x-rays and so on. The absence of such information, or inaccuracies in it, can have a significant detrimental effect on the clinical care provided to patients.

On top of this remains the core management of the organisation, with its need for up-to-date and accurate financial, activity and performance information.

Now, more than ever before, reliance is being placed on information systems to deliver the required information to the point of care or to the point of decision making. Information is all pervasive and all important.

ISO 27001, the International Standard for Information Security (previously known as BS7799), is recognised as the gold standard in delivering and demonstrating information security.

The standard has been the de facto good practice guidance for the NHS for several years, though its take-up to certification stage has been limited, with only a small number of organisations working towards this formal, external recognition; most prefer to work within the somewhat less exacting security requirements set out in the NHS Information Governance Toolkit.

The benefits of formal certification, however, are significant. Certification demonstrates to the public and other stakeholders that appropriate levels of information security are embedded and delivered. It also provides the framework within which staff use and manage information and, through its emphasis on managing risk, gives senior management a tool for obtaining robust and independent assurance regarding this key risk area: an assurance that the organisation can and does get the right information to the right people at the right time.

How We Can Help

Certification to the standard is an exacting process requiring suitably skilled and experienced resources. The benefit of using staff who have been through the process before cannot be underestimated.

MIAA worked closely with the NHS Information Authority in promoting BS7799 to the NHS and, at the time of its introduction to the service, delivered training to many organisations on the standard and its implementation. Indeed, Tony Cobain, our Head of IM&T Assurance, was at the time seconded to the Authority on a part-time basis as the Deputy National Security Risk Manager.

As a result, we have worked with a number of NHS organisations within the North West that have achieved certification to the standard, and we continue to work with others who are progressing along this path. With each we have provided support by:
• Managing the implementation project;
• Undertaking the initial risk assessments using CRAMM software;
• Providing a tailored, complete information security management system (ISMS) documentation set to the meet the standards and needs of the organisation;
• Providing training and awareness raising to key staff;
• Undertaking a mock certification audit;
• Undertaking technical security audits; and
• Liaising with the external certification auditors.

As with all of our services, however, our solutions are tailored to meet the needs of the client. We would be happy to discuss your needs in this area and to develop a solution that meets them.

For more information please contact us.
