Further Information: e-Learning data is integrated and analysed to inform business practices, in line with Data Protection Act requirements.

What is available to assist integration and analysis?

The ISO 27001 standard is part of the 27000 series of standards, which focus on information security controls. It provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System within the context of the organisation's overall business risks.

ISO 27005 is the standard for information security risk management. It is designed to assist the satisfactory implementation of information security based on a risk management approach.

The ISO/IEC 27031 standard relates to the concepts and principles behind the role of information and communications technology in ensuring business continuity. It enables an organisation to measure its continuity, security and hence readiness to survive a disaster in a consistent and recognised manner.

How to inform business practices?

The Employment Practice Code from the Information Commissioner’s Office outlines how employers can comply with the Data Protection Act. It aims to encourage the adoption of good practice which will benefit the organisation.

Another consideration is the Electronic Communications Act 2000. Organisations need to ensure that electronic information is accessed only by those with a need to know it in order to carry out their role.

You will also need to ensure that any cryptographic keys that have been used to protect records are retained and protected. They may be required for evidence many years later.
