
Integrated Research Campus
Information Security Management System
ISMS Mandatory Clauses

Document Information

Reference: ISMS 27001
Category: Information Security Management System (ISMS) Documents
Title: ISMS Mandatory Clauses
Purpose: Defining the mandatory clauses that make up ISO 27001
Owner: Information Governance Management Group (IGMG)
Author: Charles Hindmarsh
Compliance: ISO 27001
Review plan: Annually
Related Documents: University of Leeds Information Protection Policy, and the IRC control documents:
A.5.0 Information security policies
A.6.0 Organisation of information security
A.7.0 Human resources security
A.8.0 Asset management
A.9.0 Access control
A.10.0 Cryptography controls
A.11.0 Physical and environmental security
A.12.0 Operations security
A.13.0 Communications security
A.14.0 Systems acquisition, development and maintenance
A.15.0 Supplier relationships
A.16.0 Information security incident management
A.17.0 Information security aspects of business continuity management
A.18.0 Compliance

Version History

Version | Date | Update by | Change description | Sign off | Sign off date
1.0 | 27/06/2016 | Samantha Crossfield / David Batty | Initial version | Barry Haynes (Chair of IGMG) | 20/10/2016
2.0 | 28/02/2019 | Charles Hindmarsh | New format of ISMS | Andy Pellow (Chair of IGMG) | 22/03/2019
2.1 | 21/09/2019 | Charles Hindmarsh | Updated 1.2, 1.4, 4.1-4.4, 5.2, 6.2, 7.3, 7.4, 8.1, 8.2.2, 10.2 | Andy Pellow (Chair of IGMG) | 24/09/2019

Page 1 of 29 | Version 2.1 | Published 24/09/2019 | Classification: IRC-Protect | ISMS Mandatory Clauses, Information Security Management System

Contents

0.1 Introduction
    Purpose
    Applicability
    The IRC Information Security Management System
1.0 Scope
    1.1 Zones
    1.2 Infrastructure
    1.3 People
    1.4 Services
    1.5 Information Assets
    1.6 Scope Interplay
2.0 Normative References
3.0 Terms and Definitions
4.0 Context of the Organisation
    4.1 Understanding the Organisation and its Context
    4.2 The Needs and Expectations of Interested Parties
    4.3 Determining the Scope of the Information Security Management System
    4.4 Information Security Management System
5.0 Leadership
    5.1 Leadership and Commitment
    5.2 Policy
    5.3 Organisational Roles, Responsibilities and Authorities
        5.3.1 Information Governance Management Group Chair
        5.3.2 The Data Protection Officer (DPO)
        5.3.3 Information Governance Manager (IGM)
        5.3.4 Accountability and lines of reporting
6.0 Planning
    6.1 Actions to Address Risks and Opportunities
    6.2 Information Security Objectives
7.0 Support
    7.1 Resources
    7.2 Competence
    7.3 Awareness
    7.4 Communication
        7.4.1 Communication Recipients and Triggers
        7.4.2 Communication Scope
        7.4.3 Communication Responsibilities
        7.4.4 Communication Channels
        7.4.5 Audience
        7.4.6 Communication Actions
    7.5 Documented Information
        7.5.1 General
        7.5.2 Creating and Updating
        7.5.3 Control of Documented Information
8.0 Operation
    8.1 Operational Planning and Control
    8.2 Information Security Risk Assessment
        8.2.1 Impact Definition
        8.2.2 Risk Assessment Scope
        8.2.3 Risk Log
        8.2.4 Frequency of Risk Assessment
    8.3 Information Security Risk Treatment
        8.3.1 Applicability
        8.3.2 Risk Treatment
        8.3.3 Risk Treatment Options
        8.3.4 Residual Risk
        8.3.5 Risk Ownership and Review
9.0 Performance Evaluation
    9.1 Monitoring, Measurement, Analysis and Evaluation
    9.2 Internal Audit
    9.3 Management Reviews
        9.3.1 Review Initiation
        9.3.2 Applicability
        9.3.3 Audit Schedule
10.0 Improvement
    10.1 Non-Conformity and Corrective Action
        10.1.1 Reporting
        10.1.2 Recording
        10.1.3 Corrective Action
    10.2 Continual Improvement

0.1 Introduction

Purpose
The Integrated Research Campus (IRC) is a University of Leeds (UoL) IT provision. The IRC provides secure technical infrastructure and services for research data handling, analytics, application processing and development. This document contains the mandatory clauses for the IRC Information Security Management System (ISMS) and defines the goals, context and scope of the IRC ISMS, as well as the ISMS objectives and requirements for information security.

Applicability
The ISMS applies to all users and providers of IRC services and infrastructure. All
users must comply with the ISMS policies. The essential requirements are released
through frequently used documents such as the IRC user agreement, the Research
Portal (Intranet), work instructions, project proposals, data management plans and
risk assessments. This document will be used by those staff who are responsible for
maintaining, reviewing and improving the ISMS.

The IRC Information Security Management System

The ISMS sets information security (IS) as a key element of the mission statement of the IRC. The ISMS is designed to protect IRC reputation and capacity by maximising IS throughout the data lifecycle. The ISMS defines the appropriate management, control and treatment of risks to preserve the confidentiality, integrity and availability of information.

An aim for the ISMS is recertification to ISO/IEC 27001:2013 and the NHS Data Security and Protection Toolkit. The certifications serve to externally validate that IS best practice has been adopted. Previously, Version 14 of the NHS IG Toolkit was reviewed by NHS Digital (21 March 2017). Accredited certification to ISO 27001:2013 was attained on 15 May 2017 (Certification number 15331-ISN-001).

1.0 Scope
The ISMS scope encapsulates the space that meets the organisation's needs for secure data handling. This corresponds to the reach of the IRC secure research environment and the services conducted therein, regardless of location, provider or user. The IRC's Statement of Applicability details the controls that have been selected to treat identified risks, and provides a justification for the inclusion of each of the 114 controls listed in Annex A of the ISO 27001:2013 Standard. Figure 1.0.1 summarises the scope and the governance structure in which the IRC resides.

The ISMS objectives apply to all in-scope elements. Compliance with the ISMS within this scope is mandatory. Exceptions must be handled as set out in 10.1 Non-Conformity and Corrective Action.

Figure 1.0.1: Representation of the IRC Services (yellow), Governance (blue) and Processes (green)

Figure 1.0.1 shows the ISMS scope and how it fits within the University and wider legislation and standards. The ISMS scope is defined by the blue dashed line.

1.1 Zones
IRC zones are numbered 1-5 in Figure 1.0.1:

1. Gateway – the gateway zone between the other IRC zones and the external
environment. Data passes through here in order to move between zones or to
enter or leave the IRC.
2. Data Services – core data services are provided from this zone to users,
including access, provisioning, management and support services.
3. Safe Rooms - secure and managed rooms providing monitored access to data.
4. Virtual Research Environment (VRE) – firewalled virtual machines that are set
up for users with appropriate software, applications and data access. VREs are
remotely accessed.
5. IRC Data Storage – the zone in which research data is securely stored.

1.2 Infrastructure
1.2.1 Infrastructure in scope in Figure 1.0.1:
1. Infrastructure in the Gateway (Zone 1) includes:
a. Interfaces, such as a secure web server for uploading data.
b. External facilities used in providing secure data services where they are brought in scope by either:
i. Formal agreement, or
ii. 'Take-over' of facilities as set out in A.11.2.6 Security of Off-site Equipment policy.
2. Infrastructure in the Data Services zone (Zone 2).
3. Infrastructure in the Safe Rooms (Zone 3), including thin client computers.
4. Infrastructure in the VRE (Zone 4), including the software and applications in each virtual machine.
5. Infrastructure in the Data Storage zone (Zone 5), used to deliver storage services.
6. Networking / Telephony Systems supporting Zones 1 to 5.

The infrastructure in the above zones will be referred to in all ISMS documentation as the "IRC infrastructure".

1.2.2 Infrastructure out of scope:
1. Systems that receive data from the IRC, such as external High Performance Computing (HPC), web applications or the "Visualisation Suite" for graphics-intense work.
2. Devices or services used to capture data relayed to IRC infrastructure, including scanners, gene sequencers, websites and applications.
3. Devices used to access the IRC infrastructure (including desktops, laptops, tablets and smart phones) and their locations.

1.3 People
1.3.1 People in scope:
1. Members of the DST (based in Zone 2).
2. Users such as researchers, clinicians and analysts while they are using a) the
IRC infrastructure or b) an application that calls upon the IRC infrastructure. A
user agreement must define the elements of the ISMS that pertain to the user.
3. IT and support staff and contractors working on the IRC infrastructure. Contracts,
service and operating level agreements must accord with the ISMS.
4. Suppliers and data providers who enter a contractual agreement with the IRC.

1.3.2 People out of scope:
Users, IT and support staff, Human Resources (HR) and data providers while they are not interacting with IRC infrastructure.

1.4 Services
1.4.1 Services in scope:
Services delivered on IRC infrastructure can be summarised as data capture,
process, access and storage services, including:

1. Checking and loading of data to / from the secure file transfer system, and ensuring the transfer complies with any Data Sharing Agreements (DSA), Data Processing Agreements (DPA) and/or Data Management Plans.
2. Development and destruction of virtual machines and access rights.
3. Data transformation, linkage and management.
4. Auditing of the use of IRC infrastructure.
5. Servers and PCs that reside on the IRC infrastructure.
6. Data held in storage or in suspension within the IRC.

1.5 Information Assets

1.5.1 Information assets in scope:
Data held on IRC infrastructure, from entry to exit via the IRC Gateway or until deletion.

1.5.2 Information out of scope:
Data held beyond the scope of the IRC infrastructure.

1.6 Scope Interplay

Projects usually involve movement of data in and out of the scope of the ISMS, and transfer must be handled according to the Information Transfer policy (A.13.2).

2.0 Normative References

1. NHS Digital Data Security and Protection Toolkit - https://www.dsptoolkit.nhs.uk/
2. ISO/IEC 27001:2013 - http://www.iso.org/iso/home/standards/management-
3. General Data Protection Regulation - https://gdpr-info.eu/
4. Cyber Essentials - https://www.cyberessentials.ncsc.gov.uk/
5. The Information Commissioner's Office - https://ico.org.uk

3.0 Terms and Definitions

For the purpose of the ISMS, the following definitions have been used:

Term | Description
Information | Information includes, but is not limited to, any data printed or written on paper, stored electronically, transmitted by post or by electronic means, stored on tape or video, or spoken in conversation.
Confidentiality | Ensuring that information is accessible only by authorised individuals.
Integrity | Safeguarding the accuracy and completeness of information and ensuring data is not modified without proper authorisation.
Availability | Ensuring that authorised users have access to the relevant information whenever required.
IGMG | Information Governance Management Group
LIDA | Leeds Institute for Data Analytics
SMT | Senior Management Team
ICO | Information Commissioner's Office
PSD | Patient Specific Directions
HRC | Health Research Council
MRC | Medical Research Council
IRC | Integrated Research Campus
DST | Data Services Team (part of IT)
IG | Information Governance
VRE | Virtual Research Environment (a secure server)
DPA | Data Processing Agreement
DSA | Data Sharing Agreement

4.0 Context of the Organisation

4.1 Understanding the Organisation and its Context

The University provides the IRC, which is secure storage and virtual computing power for processing confidential and highly confidential data. The IRC is segregated from the rest of the University's computing services and from the internet.

LIDA and other areas within the University draw together research groups and data scientists with external partners to undertake data-intensive research within the IRC.

Data being captured includes geographic, socio-economic, consumer, social, patient and clinical information.

The nature and sensitivity of the data that is processed within the IRC means that the security systems and policies and the data processing activities must be secure and robust.

4.2 The Needs and Expectations of Interested Parties

Increasing data diversity raises differing requirements for data handling in terms of information security, governance and data protection. Our interested parties depend on the University to deliver secure data handling services and practices that comply with legislation and appropriate practice governance standards. The ISMS and our practices can be scrutinised by their auditors on request.

Our interested parties include, but are not limited to:

1. Information Governance Management Group (IGMG)
2. Leeds Institute for Data Analytics (LIDA)
3. Research Funders
4. Data Providers
5. Academics
6. UoL Audit & Risk Committee
7. UoL Protection Group
8. UoL Security Group
9. UoL Data Services Team (DST)
10. Information Commissioner's Office (ICO)
11. Health Research Council (HRC)
12. Users of the IRC
13. Media
14. UoL IT Services
15. Alcumus ISOQAR
16. NHS Digital (NHSD)
17. Public Health England

Details of the IRC’s communication with interested parties can be found in Clause
7.4.

4.3 Determining the Scope of the Information Security Management System
The IRC is a UoL IT platform and is both shaped by and contributes to the UoL's strategy, research objectives, operational processes and management structures. The IRC provides the Leeds Institute for Data Analytics with the infrastructure, training and data services required for secure data handling in research.

The IRC systems, services and operations (See Figure 1.0.1) are designed to
prevent and minimise security incidents to avoid unauthorised disclosure that could
lead to commercial, personal or reputational damage. These include:

1. Data capture, review and release (gateway) services that are operated by the
DST.
2. Data storage facilities that are segregated from other University campus IT
systems. See Access to Networks and Network Services (A.9.1.2).
3. Data processing servers and services including data cleansing, transformation,
linkage, de-identification, backup and destruction.
4. Multi-factor authenticated access to data in a VRE that is regulated and monitored.
5. Secure File Transfer systems that are controlled by the DST.

There are a number of relevant internal and external issues which may impact on the IRC's ability to meet the objectives of the ISMS. These include:

Internal:
1. Physical Security: Protection against theft from within the UoL.
2. Culture: A commitment to information security amongst staff and researchers.
3. Staff: Retention of key, competent employees to fulfil ISMS responsibilities.
4. Acceptable Use: Adherence by staff and researchers to the terms of the IRC agreement.
5. Organisation Structure: Ability to adapt and react swiftly to change and adopt new standards and guidelines.
6. Risk Management: Ability to manage risk to an acceptable level, taking into account cost and the expectations of interested parties.

External:
1. Physical Security: Protection against theft from outside the UoL.
2. Client/Customer Requirements: Protection of their information as specified within the Data Sharing Agreements.
3. Legislative or Regulatory Change: Ability to adapt and react swiftly to change and adopt new standards and guidelines.
4. Environmental Risks: Protection against fire, flood, or other disasters which could affect business continuity.
5. Interruption to Utilities/Communications: Contingency in the event of power or telecoms failure.
6. Risk Management: Ability to manage risk to an acceptable level, taking into account cost and the expectations of clients and authorities.

4.4 Information Security Management System

The IRC's ISO 27001:2013 Information Security Management System is being implemented and continually improved. The ISMS contains 14 security control documents that collectively contain a total of 35 security categories. A set of 15 documents makes up the ISMS; these are named in Policies for Information Security (A.5.1.1).

Where additional operational detail is required, it can be found in separate work instructions as per the Documented Operating Procedures Policy (A.12.1.1).

The ISMS is regularly audited and all findings, risks, incidents and vulnerabilities are recorded along with recommended improvement plans for oversight by the IGMG.

5.0 Leadership

5.1 Leadership and Commitment


The IGMG is responsible for ensuring all information governance risks are appropriately managed and monitored through the IRC ISMS. The IGMG comprises representatives from:

1. The UoL Information Governance Group.
2. The UoL IT Services.
3. The UoL IT Assurance Team.
4. The UoL Legal Affairs Team.
5. Partner representatives from Faculties, Centres and Users.

The UoL representatives bring the expertise to ensure that the IGMG leads in accordance with industry standards, legal requirements and UoL objectives. See 5.3 for Organisational Roles, Responsibilities and Authorities.

5.2 Policy
The IGMG ensures the policies are relevant to the IRC and the University, and that they comply with the requirements of our data providers and interested parties.

The policy objectives (see Table 6.2.1: IS Objectives) of the ISMS are as follows:

1. Information is protected from a loss or breach of confidentiality, integrity and availability.
2. Information Security (IS) risks are identified, assessed and managed through the risk assessment and treatment policy.
3. Policies and controls exist to mitigate the risks identified, and their effectiveness is measured and reviewed.
4. Incidents are recorded and used to drive improvement.
5. Current regulatory and legislative requirements are met.
6. Training in all elements of the IS Management System is available to all users, as relevant to their roles.
7. The ISMS complies with ISO 27001:2013 and the NHS Data Security and Protection Toolkit, and is regularly reviewed and continually improved.

The policies are reviewed at least annually, or following a significant change, to ensure there is ongoing continual improvement. The policies are shared and communicated with all researchers and interested parties as needed.

5.3 Organisational Roles, Responsibilities and Authorities

Members of the IGMG fulfil the roles defined in Figure 5.3.0, and have specific responsibilities for ensuring that the ISMS is in place and policies are followed. Other members provide advice through group meetings and proportionate reviews as required.

Figure 5.3.0 Three key roles in the IG Management Group

Role | Responsibility
IG Management Group Chair | High-level responsibility for IS across the IRC, through its infrastructure, processes and staff.
IRC Data Protection Officer | Responsibility for ethical-legal policies and training that ensure appropriate data access, maintain confidentiality and data integrity, and information governance.
IRC Information Governance Manager | Responsibility for the development and implementation of policies regarding IS among staff and infrastructure, including monitoring, assessment and training.

5.3.1 Information Governance Management Group Chair

The IGMG Chair is accountable for the IRC IG structure and its practice, and ensures that the ISMS is fit for purpose. They have overall responsibility for ensuring IS is in line with industry best practice and for directing continual improvement in the ISMS.

5.3.2 The Data Protection Officer (DPO)

The DPO brings expert knowledge of data protection law, standards and practices. They ensure that the ISMS contains relevant policies for maintaining and auditing data privacy.

5.3.3 Information Governance Manager (IGM)

The IGM brings expert knowledge of ISO 27001, the NHS Data Security and Protection Toolkit, and the requirements of the sponsors and third parties that the IRC is working with. The IGM has knowledge of the practices and policies of the IRC and ensures audits are carried out to fulfil the ISMS requirements.

The IGM guides the IGMG in reviewing the ISMS to ensure the ongoing protection of information assets, technologies and data privacy.

5.3.4 Accountability and lines of reporting

The UoL IT Security Group and Information Protection Group are responsible for ensuring the protection of information assets within the University. The UoL Senior Information Risk Owner (SIRO) is a member. The groups receive reports from the IGMG Chair regarding IRC activities, incidents and ISMS reviews in relation to IT security and information protection.

In the context of the UoL Information Governance structure, the IGMG is responsible for setting, maintaining and overseeing the IRC ISMS.

The DST is accountable for delivery of the ISMS, under the oversight of the IGMG. The team maintains an inventory of the information, and of the assets associated with information and its processing, that are on the IRC. The team is accountable for managing the ownership, use and return of these assets. The DST ensures information security is assessed throughout project management for all IRC projects.

Employees, users and contractors must adhere to the ISMS.

6.0 Planning
A project and project risk assessment work instruction defines the procedures for
identifying and classifying information risk for projects that propose to use IRC
resources. The mandatory clauses and supporting controls set the criteria against
which risk is considered and the risk acceptance level (Clause 8.2). The ISMS
contains a standardised approach for selecting appropriate controls for risk
management that also include when and how the assessments are performed and
reviewed. The ISMS does not cover non-technical or health and safety risk
assessment processes, which are set at UoL faculty level.

6.1 Actions to Address Risks and Opportunities

Clause 8.2 defines when and how assessments are performed, treated and reviewed, and sets a standardised approach for selecting appropriate controls for risk management.

6.2 Information Security Objectives

The IRC objectives are set out in Table 6.2.1: IS Objectives and summarised here:

1. Information is protected from a loss or breach of confidentiality, integrity and availability.
2. IS risks are identified, assessed and managed through the IRC Risk Assessment policy and IRC Risk Treatment policy.
3. Policies and controls exist to mitigate the risks identified, and their effectiveness is measured and reviewed.
4. Current regulatory and legislative requirements are met.
5. Training in all elements of the IS Management System is available to all employees and researchers, as relevant to their roles.
6. The ISMS complies with the ISO 27001:2013 standard and is regularly reviewed and continually improved.
7. The ISMS supports compliance with the NHS Data Security and Protection Toolkit.

The IGMG reviews these objectives at least annually to ensure they remain current
and valid.

To measure these objectives, Key Performance Indicators (KPI) with targets have
been created and are reviewed at least annually by the IGMG. The Information
Governance Manager will ensure that the data is captured and made available at
quarterly IGMG meetings.

Table 6.2.1: IS Objectives

ISMS Objective | KPI | Target
1. Information is protected from a loss, or breach, of confidentiality, integrity and availability. | 1.1 Number of 'High' incidents reported and recorded on the Incident Log | None over 1 month old that are neither accepted nor being addressed
 | 1.2 Number of unaddressed CRITICAL & HIGH findings reported during penetration testing (shown as average per test) | None over 1 month old that are neither accepted nor being addressed
2. IS risks are identified, assessed and managed through the IRC Risk Assessment and Treatment processes. | 2.1 Number of Critical & High risks as a percentage of total risks | 0% over 6 months old that are neither accepted nor being addressed
 | 2.2 Effectiveness of Risk Treatment Plans (percentage reduction in total risk score after the treatment plan is implemented) | 100% of entries to have Treatment Plan & Review Date populated; Accept Date no later than Review Date.
3. ISMS policies and controls exist to mitigate the non-conformities identified, and their effectiveness is measured and reviewed. | 3.1 Number of internal ISMS audit findings that have not been addressed | Less than 8 over 6 months old that are neither accepted nor being addressed
4. Current regulatory and legislative requirements are met. | 4.1 Number of penalties enforced by any regulatory or governmental body | No penalties
5. Training in all elements of the IRC IS Management System is available to all employees and researchers, as relevant to their roles. | 5.1 IS-related training is delivered to all employees and researchers, appropriate to their roles | Zero gaps or overdue training on the training register.
 | 5.2 Number of issues on the IS Incident Log with a training-related root cause, as a percentage of all issues | Less than 10%
6. The ISMS complies with the ISO 27001:2013 standard and is regularly reviewed and continually improved. | 6.0 Number of non-conformities identified by a certification auditor in the annual audit | Baseline figure
 | 6.1 Number of non-conformities identified by the certification auditor that have not been addressed | Less than 2
 | 6.2 Evidence of findings and observations from audits being recorded and progressed via an NCR Log | 100% of entries to have Preventive Action & Review Date populated; Close Date no later than Review Date.

7.0 Support

7.1 Resources
Refer to the Information Security Roles policy (A6.1.1) to view the resources
available for delivering the ISMS.

7.2 Competence
The minimum level of IS-related competence required for the specific roles listed
above is shown in Table 7.2.1.

Table 7.2.1 IS competences for specific roles (Role and Minimum Competence)

Role: IG Management Group Chair
  • Understanding of the requirements of ISO27001

Role: UoL Senior Information Risk Owner (SIRO)
  • Understanding of the requirements of ISO27001
  • Understanding of the requirements of the NHS Data Security and Protection Toolkit
  • Understanding of the General Data Protection Regulation (GDPR)

Role: IRC Information Governance Manager
  • Understanding of the requirements of ISO27001
  • Understanding of the requirements of the NHS Data Security and Protection Toolkit
  • Understanding of the General Data Protection Regulation (GDPR) and other data protection laws

Role: UoL Data Protection Officer
  • Understanding of all legislation governing data protection and information handling
  • Awareness of the requirements of ISO27001
  • Awareness of the requirements of the NHS Data Security and Protection Toolkit

Role: Data services team
  • Understanding of the General Data Protection Regulation (GDPR)
  • Understanding of the requirements of ISO27001
  • Ability to use the tools and techniques to protect information

Role: Users and Researchers
  • To have undertaken UoL IS essentials training
  • To have undertaken UoL IS advanced training
  • To have completed other risk based training as appropriate

7.3 Awareness
For the ISMS to be effective the ISMS and good IS practices must be communicated
and understood by all those to whom it is relevant. Where documents apply to all
IRC users these are:

1. Published on the Researcher Portal (Intranet).
2. Made available at induction.
3. Published as appropriate.
4. Reminded through annual IS compliance refresher notices.
5. Communicated by email or the IRC portal as cyber threats/risks are
identified by the UoL Assurance group or by external groups.

Everyone has a responsibility for being appropriately competent in Information
Governance. Refer to IS Awareness, Education and Training (A7.2.2).

7.4 Communication
This policy defines the controls for formal communications regarding IS that relates
to elements within the scope of the IRC ISMS. The purpose is to ensure that relevant
issues of IS, (in particular new policies or significant changes) are communicated to
relevant individuals with clarity and consistency to ensure that people have the
necessary capacity to carry out their responsibilities for IS.

7.4.1 Communication Recipients and Triggers


IS management communications are provided to those who are directly affected by
the matter being communicated or with responsibilities for any affected procedures.

7.4.2 Communication Scope


IS management communications of new and updated policies should be
communicated in a manner that is clear and comprehensive and may include some
of the following:

1. The purpose or objective of the policy.
2. Description of the policy as it relates to the recipient.
3. Responsibilities for implementing and managing the policy.
4. Feasible timeframe for implementation.
5. Review plan for the policy.
6. Opportunity for queries and comments.

However, information must not be disseminated where doing so may facilitate a
compromise to IS.

7.4.3 Communication Responsibilities


Effective communications about IS are assigned to the following roles:

7.4.3.1 The Information Governance Management Group (IGMG):


1. To communicate the importance of effective IS management and of
conforming to ISMS requirements, and the consequences of not doing so.
2. To review communication policies for making information available to
relevant people in a timely manner and via appropriate channels.
3. To ensure the DST has the relevant information.
4. To maintain open channels of two-way communication and to listen to
feedback and comments from researchers.

7.4.3.2 The IRC Information Governance Manager:


1. To maintain the ISMS.
2. To carry out internal audits of policies processes and systems relating to
the ISMS or to the NHS Data Security and Protection Toolkit.
3. To ensure policies, procedures are updated and communicated to those
who need to know.
4. To maintain risk, non-conformity, incident and vulnerability registers.
5. To communicate risks and issues to the LIDA SMT and the IGMG that
could undermine IS of the IRC.
6. To communicate good security practices to IRC users.
7. To monitor and record progress against outstanding incidents and actions,
vulnerabilities, risk treatments or security improvements.

7.4.3.3 The IRC Data Services Manager:


1. To communicate regularly with their team, preferably face to face, to ensure
information relating to the ISMS is available, understood and up to date.
2. To ensure they and their team are maintaining ISMS records.
3. To listen to feedback from their team and users and to keep the IGMG
informed.
4. To communicate the outcomes of any IRC Risk Assessment or Risk
Treatment Plan.

7.4.3.4 The DST:


1. To ensure they are informed and have access to information in order to be
as effective as possible in their role.
2. To ensure they are maintaining good communication practice as set out in
this document.
3. To keep line managers, colleagues and users aware of up to date
information.
4. To maintain user, project, information, data sharing agreements and
physical and/or virtual assets inventories.

7.4.3.5 IRC Users:


1. To keep the DST informed about their needs for data handling.
2. To address any IS requirements raised with them by the DST and to
communicate the outcome (for example, by completing any IS training).

7.4.4 Communication Channels


The channel to be selected for communication is that which will most speedily and
comprehensibly convey the relevant information.

7.4.5 Audience
The audience will influence the channel to be chosen. Consider the following:

1. Location – a shared office may restrict what can be communicated. A
remote user may limit the channels available for use.
2. Role – a person’s role and relevant expertise may influence whether a
channel more conducive to interaction and feedback is appropriate.
3. Impact – directive conversation, training or detailed documentation may be
more suitable than site notifications for people whose daily working is highly
affected by the issue.

7.4.6 Communication actions


Where actions are triggered as a result of IS management communication, these
should be followed up with a formal written notice of agreed action, and completion
date. Where actions arise from communication between DST staff, no formal notice
is required.

7.5 Documented Information

7.5.1 General
Documents must be developed, maintained and archived in the ISMS folders and
standardised, as set out in the clause on Document Format (7.5.2)

7.5.2 Creating and Updating


A document template is used to create standardised policies and procedures that
can be accurately cited. The documents contain the following:

Section and Information Required:

Section: Front page
  • IRC and UoL header
  • Document title, version number and date of version sign-off

Section: Document information page
  • Header: IRC logo and "Information Security Management" (Arial, size 10)
  • Footer: Version number, published date and classification "Protect"
  • Document information:
    a. Reference: short name for referencing the document
    b. Category that the document is a part of
    c. Title
    d. Purpose
    e. Owner
    f. Author
    g. Compliance requirement
    h. Review Plan
    i. Related Documents.
  • Version History must include the version number, the updater, a change
    description, the sign-off name, role and the date of approval.

Section: Footer
  • Page Number
  • Version
  • Title
  • Published date
  • Classification (normally Protect)

Section: Main Document
  • Header: IRC logo and "Information Security Management" (Arial, size 10)
  • Footer: page and version number and date of version sign-off (Arial, size 10)
  • Numbered sections in the IRC Header format
  • Purpose section: introduces the scope and objective of the document
  • Applicability section: describes who the document relates to
  • Acronyms are fully written prior to first use, excluding first use within
    a document title or header
  • IRC and other UoL documents are linked to where referenced
  • External references are quoted with a superscript numeric (e.g. 1)
    and are listed in footnotes
  • The University of Leeds is written in the first instance and
    subsequently referred to as UoL

7.5.3 Control of Documented Information


This applies to policies and work instructions:
1. New unapproved policies or work instructions start with version 0.
2. The first approved document will begin with version 1.0.
3. New proposals, data management plans and risk assessments from
researchers will always start at Version 1.0.
4. To edit an existing document, open it and save it as the same file name
with the next version number at the end of the name. For example “work
instruction-v1.1.docx”.
5. On completion the version number, date, change maker's name and
change description are added to the version control table (see the example
table below).
6. For work instructions another member of the team must test the
instruction.
7. The IGM or the DST Manager will approve work instructions and the date
of approval must be recorded. Changes to policies are drafted by the IGM
or DST Manager and forwarded to the IGMG for approval.
8. Following approval the Word document must be saved as a PDF to
prevent change.
9. The old work instruction or policy should be moved into the archive folder.

7.5.4 Document publication


PDFs of the current ISMS documents are disseminated freely. These publications
are made available to all users and staff via the intranet, and to data providers on request.
The read-only PDF versions of ISMS policies can be printed, copied or linked to as
required.

Documentation feedback is escalated to the IGMG and forwarded to the relevant
document Author(s).

8.0 Operation

8.1 Operational Planning and Control


Security processes are planned and conducted through processes agreed by the IGMG,
which oversees the operations within the IRC and approves amendments to its
policies.

Planned maintenance schedules ensure there is a consistent and regular
maintenance window for service and system updates.

Control is maintained through the use of work instructions that provide operational
standards for the DST to action.

Change management ensures the stability of systems by the identification and
mitigation of associated implementation risks, minimisation of disruption to research
operations caused by system outages, and consequently improves upon the
services and service levels provided to the organisation. The IRC has adopted the
UoL standard for change management, which is referenced in the IRC Change
Management Policy (A.12.1.2).

8.2 Information Security Risk Assessment


An IRC risk assessment considers all elements within the ISMS scope that handle
information and all factors that contribute or pose a risk to IS.

Data confidentiality, integrity and availability are the criteria against which risk is
evaluated. The IRC must manage risk so as to remain compliant with relevant
legislation and provide assurance that risks related to personal information are
managed according to internal and external standards. The assessment process and
justification for the application of risk controls will be captured in a risk log and
retained for scrutiny. Separate data protection risk assessments are carried out for
each project. Refer to the Information Security in Project Management Policy
(A.6.1.5). ISMS risks are calculated by the equation Risk = Likelihood x Impact:

Scale  Likelihood Narrative                                   Example
4      A risk that is almost certainly going to arise (>90%)  Changes to the value of sterling affecting buying and selling of goods abroad.
3      A risk that is likely to arise (50-90%)                Increased costs of research
2      A possible risk that could happen (10-50%)             Major power cut on campus
1      A risk that is unlikely to occur (<10%)                Terrorist attack on the UoL

8.2.1 Impact Definition:

Scale 4 (Critical)
  Operations / Business Continuity: Severe impact on all services University-wide or in the IRC
  Compliance: Critical breach leading to closure of the University or IRC service
  Reputation: Long term negative publicity in national and international media
  Financial loss or cost: > 5% of turnover

Scale 3 (Major)
  Operations / Business Continuity: Severe impact on some (but not all) services delivered by the University (or by the IRC)
  Compliance: Major breach leading to a suspension or partial closure of the IRC
  Reputation: Long term negative publicity in national media or short-term publicity in national and international media
  Financial loss or cost: 2-5% of turnover

Scale 2 (Moderate)
  Operations / Business Continuity: Significant impact on services
  Compliance: Significant breach leading to reprimand or sanctions
  Reputation: Short term negative publicity in regional media
  Financial loss or cost: 1-2% of turnover

Scale 1 (Minor)
  Operations / Business Continuity: Minor impact on services
  Compliance: Minor only, no reprimand or sanction (save improvement notice)
  Reputation: No bad press
  Financial loss or cost: < 1% of turnover
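The Risk = Likelihood x Impact calculation above and the KPI 2.1 and 2.2 targets of Table 6.2.1, worked through in code as an added example that is not part of the IRC ISMS documents. It runs over a constructed four-entry risk log; the score bands for 'Critical' and 'High' and the 182-day reading of '6 months' are assumptions, since the document does not define them.

```python
"""Risk scoring and KPI checks over an ISMS risk log (added example).

Applies Risk = Likelihood x Impact with the 1-4 scales of clause 8.2 and
evaluates KPIs 2.1 and 2.2 of Table 6.2.1 over a constructed sample log.
Assumed (not stated in the ISMS document): the Critical/High bands on the
1..16 score and '6 months' taken as 182 days.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

LIKELIHOOD = {4: "almost certain (>90%)", 3: "likely (50-90%)",
              2: "possible (10-50%)", 1: "unlikely (<10%)"}
IMPACT = {4: "Critical", 3: "Major", 2: "Moderate", 1: "Minor"}
SIX_MONTHS = timedelta(days=182)          # assumption


def rating(score: int) -> str:
    """Assumed bands on the 1..16 product (not defined by the document)."""
    if score >= 12:
        return "Critical"
    if score >= 8:
        return "High"
    return "Medium" if score >= 4 else "Low"


@dataclass
class Risk:
    ref: str
    likelihood: int                       # 1..4 per clause 8.2
    impact: int                           # 1..4 per clause 8.2.1
    raised: date
    treatment_plan: Optional[str] = None
    review_date: Optional[date] = None
    accept_date: Optional[date] = None
    in_treatment: bool = False
    residual_likelihood: Optional[int] = None   # after treatment (8.3.4)
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.ref}: scales must be 1..4")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact      # Risk = Likelihood x Impact

    @property
    def residual_score(self) -> int:
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.score                      # untreated: unchanged
        return self.residual_likelihood * self.residual_impact


def kpi_2_1(risks: List[Risk], today: date) -> Tuple[float, List[str]]:
    """Critical & High risks as % of all risks, plus the refs breaching the
    target (over 6 months old, neither accepted nor being addressed)."""
    high = [r for r in risks if rating(r.score) in ("Critical", "High")]
    pct = 100.0 * len(high) / len(risks) if risks else 0.0
    stale = [r.ref for r in high
             if today - r.raised > SIX_MONTHS
             and r.accept_date is None and not r.in_treatment]
    return pct, stale


def kpi_2_2(risks: List[Risk]) -> Tuple[float, List[str]]:
    """Percentage reduction in total risk score after treatment, plus refs
    failing the data-quality target (Treatment Plan and Review Date set;
    Accept Date no later than Review Date)."""
    before = sum(r.score for r in risks)
    after = sum(r.residual_score for r in risks)
    reduction = 100.0 * (before - after) / before if before else 0.0
    failing = [r.ref for r in risks
               if not r.treatment_plan or r.review_date is None
               or (r.accept_date is not None and r.accept_date > r.review_date)]
    return reduction, failing


# Constructed sample risk log; the reference date is the document's publication date.
TODAY = date(2019, 9, 24)
SAMPLE_LOG = [
    Risk("R-01", 4, 3, date(2019, 1, 10), "Patch window", date(2019, 10, 1),
         in_treatment=True, residual_likelihood=2, residual_impact=3),
    Risk("R-02", 3, 3, date(2019, 2, 1)),                     # stale, no plan
    Risk("R-03", 2, 2, date(2019, 8, 1), "Awareness reminder",
         date(2019, 12, 1), accept_date=date(2019, 12, 15)),  # accepted late
    Risk("R-04", 1, 4, date(2019, 9, 1), "DSA clause", date(2019, 11, 1),
         accept_date=date(2019, 10, 15)),
]

if __name__ == "__main__":
    pct, stale = kpi_2_1(SAMPLE_LOG, TODAY)
    print(f"KPI 2.1: {pct:.0f}% Critical/High; breaching target: {stale}")
    reduction, failing = kpi_2_2(SAMPLE_LOG)
    print(f"KPI 2.2: {reduction:.1f}% score reduction; failing entries: {failing}")
```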

8.2.2 Risk assessment scope


The scope includes anything that could affect IRC systems that handle sensitive
information which may include, but is not limited to:
1. Site, suppliers and organisational structure.
2. Hardware, software and networks and their supporting infrastructure.
3. Business processes and activities.
4. Data, analytical outputs and information.
5. ISMS non-conformity, vulnerability and weakness.
6. Legislation.
7. Personnel.
8. DSAs, and other 3rd party contracts or licenses.

A separate risk assessment process is carried out for each research project based
upon its data handling requirements and following the Project_Risk_Assessment
work instruction. The assessment will influence the controls that are needed to
de-identify personal data and any conditions set by a data sharing contract. Refer to the
Information Security During Project Management Policy (A.6.1.5).

8.2.3 Risk log


If there is risk of harm to individuals, a risk of breach of contract or where a risk could
hinder the operation of a project, the IRC or the UoL, the risks must be assessed and
logged in a risk log. Refer to the registers on SharePoint.

8.2.4 Frequency of risk assessment


Existing risks are assessed no later than the review date or at least every 6 months.
New risks are considered if any of the following conditions arise:

Review the Risk Assessment:
  • After changes to infrastructure
  • After changes to processes
  • Following the identification of a weakness, non-conformity or incident
  • After changes to legislation
  • After changes to data sharing agreements or contracts
  • When new projects are being developed, but prior to becoming active in the IRC.
    Refer to the Information Security in Project Management Policy (A.6.1.5)

8.3 Information Security Risk Treatment

8.3.1 Applicability
The Information Security Risk Treatment policy applies to users who treat IS and
governance risk within the scope of the IRC ISMS. It is also for use by the
IGMG, the IG Manager and the Data Protection Officer, who oversee and prioritise
risk treatment plans and own residual risk.

8.3.2 Risk treatment


Risk treatment involves reviewing, prioritising and implementing the risk-reducing
controls recommended from risk assessments. Risk treatment is a cycle of
assessment and implementation, triggered by a system change, an incident, a non-conformity,
legislation or an improvement following an annual ISMS review. If relevant controls exist
these should be applied to minimise the risk. Further treatment in the form of new
controls should be submitted to the IGMG for approval. See Figure 8.3.2.1.

Figure 8.3.2.1 Flow chart for risk treatment

While it is improbable that all risks are eliminated, the IGMG will ensure that the most
appropriate controls are employed to reduce risk to an acceptable level using the
least-cost approach, with minimal adverse impact to the IRC. The IGMG are
authorised to choose to "Accept a risk" if appropriate.

8.3.3 Risk Treatment Options


The following treatment options can be applied to mitigate risk:

1. Risk Acceptance: Make an informed acceptance of the risk and continue
system operations or apply controls to lower the risk to an acceptable level.
2. Risk Avoidance: Eliminate the risk cause and/or consequence (e.g. forgo
certain system functions or shut down the system when risks are identified).
3. Risk Managed: Controls in place to minimise the adverse impact of a
threat’s exercising a vulnerability.
4. Risk Treatment Plan: Develop a risk mitigation plan that prioritises,
implements, and maintains controls.
5. Risk Transference: Transfer the risk by using other options to compensate
for the loss.

The situation will determine which risk treatment options are appropriate – none are
mutually exclusive. The IGMG approves the appropriate option for each risk and the
prioritisation of treatments, based on the risks that have been assessed to pose
greatest risk to IRC objectives. Any vendor security products and administrative
measures to be utilised are also selected based on compatibility with IRC objectives.

8.3.4 Residual risk


Having implemented the selected controls, the residual risk will be recalculated in the
ISMS Risk log.

8.3.5 Risk ownership and review


The IGMG will review the risk log as part of the IGMG meetings. The IGM is
responsible for ensuring that the DST conduct risk assessments and implement risk
treatment plans. The IGMG Chair takes overall accountability for risk levels,
assessment and treatment.

9.0 Performance Evaluation


9.1. Monitoring, Measurement Analysis and Evaluation
Individual IRC processes are controlled and monitored, as per the appropriate IS
Management policies and measurement data is collated, analysed and reported by
the Information Governance Manager as follows:

• Results from internal and external audit findings and reports and actions
  identified in the non-conformance log.
• Measurements taken to prove the ISMS objectives are being met.
• Feedback from researchers, staff and 3rd parties.
• Issues reported in the Incident Log.
• Reports from Vulnerability & Penetration Logs.
• Risk Log.
• Changes in legislation.

The evaluation process shall document any decisions and actions relating to:

• An improvement of the effectiveness of the ISMS and its processes.
• An update of the Risk Assessment and Risk Treatment Plan.
• Changes to any ISMS procedures and controls in response to, for example,
  changing business requirements, contractual arrangements, legal/regulatory
  requirements, etc.
• The identification and approval of resource needs.
• Changes to the information that is gathered to produce the KPI reports.

The IGMG meets quarterly to review the measurement data, internal and external
audit findings and prioritise improvement.

9.2 Internal Audit


IRC internal audits are conducted as per the audit schedule to provide information on
whether the ISMS:

1) Conforms to internal and external security requirements.
2) Meets the requirements of ISO27001:2013.
3) Is effectively implemented and maintained.

The IGM shall:

a) Plan, establish, implement and maintain an audit programme, including the
methods, responsibilities, planning requirements and reporting. The audit
programme shall take into consideration the importance of the processes
concerned and the results of previous audits.
b) Define the audit criteria and scope for each audit.
c) Select auditors and conduct audits that ensure objectivity and the impartiality
of the audit process.
d) Ensure that the results of the audits are reported to relevant management.
e) Retain documented information as evidence of the audit programme(s) and
the audit results.

9.3 Management Reviews


The IGMG reviews the ISMS documentation: the Statement of Applicability, the
ISMS Clauses and the controls.

Minimum attendance at each meeting is: the Chair or Deputy Chair, DPO, IRC IGM,
DST Manager, a representative from a partner or key service user, the UoL Ethics
Boards and IT Service Management (or substitutes). Attendance from further IRC
core users, data sources and UoL IT Security Group, Information Governance Group
and Legal Affairs Team are encouraged but optional depending on the agenda.

Reviews consider changes to external standards, industrial best practice and the
needs of service users.

The standard agenda includes:

1. Actions since previous reviews.
2. Summary of IS performance and objectives.
3. Internal audit update and review of new non-conformities or observations.
4. IS incidents and corrective actions.
5. Summary of the risk log, issues and treatment.
6. ISMS review.
7. Opportunities for continual improvement.
8. Annual: review the relevance of the group, its management or
membership.
9. Any other business.

All members are invited before each meeting to submit agenda items and supporting
papers. The agenda and previous minutes are circulated ahead of each meeting.

Meetings are documented in terms of their occurrence, attendance, topics
discussed, agreed decisions and assigned actions.

The outputs of the management review shall include decisions related to continual
improvement opportunities and any needs for changes to the ISMS. The
organisation shall retain documented information as evidence of the results of
management reviews.

9.3.1 Review Initiation


Meetings occur quarterly, but are also triggered if significant changes occur that
change the risk or ISMS scope, or undermine any current systems that are in place.

9.3.2 Applicability
IGMG can request to review any clause or control that is in scope of the ISMS.

9.3.3 Audit Schedule


An annual audit schedule can be found on IRC SharePoint Site.

10.0 Improvement

10.1 Non-Conformity and Corrective Action


The non-conformity and corrective action policy covers all identified non-conformities
and corrective actions associated with the IRC and covers:

• Identifying and controlling non-conformities.
• Determining the cause(s) of non-conformities.
• Taking the appropriate corrective action to eliminate non-conformities.
• Recording the action taken.
• Reviewing the effectiveness of the corrective action taken in accordance with
  the requirements of the International Standard ISO 27001:2013.
• Communicating the action with interested parties.

10.1.1 Reporting
If a non-conformity is identified, by whatever method (e.g. risk assessment, audit, or
post-implementation review), the user must report the issue through the Reporting of
Security Weaknesses policy (A.16.1.3). If a breach of IS was discovered then refer to
the Reporting Information Security Events policy (A.16.1.2).

10.1.2 Recording
If a non-conformity is identified during an internal or external ISO27001 audit, the
issue should be recorded in the ISMS Non Conformities Log and reviewed for action.

10.1.3 Corrective Action


Corrective action can be defined as the action taken to rectify something that has
gone wrong or is not performing in line with expectations.

Corrective actions, such as immediate replacement and verification of a
non-conforming system or process, are a priority in order to minimise the risk to the UoL.
Where issues are likely to take time to resolve, regular review dates must be set
within the Non-Conformities Log.

Following a corrective action, the non-conformities log must be updated with the root
cause, the corrective action taken and the date of closure.

10.2 Continual Improvement


The IG Manager and the IGMG use audit results, corrective and preventative
actions, risk assessments, analysis of incidents, monitored events and management
reviews of key performance indicators to continually improve the ISMS and the
technical security controls that are in place.
