ISO 27001 Internal Audit Case Study
Bleaklow Ltd is a mature Information Management & Technology provider for services and technological solutions to over 100 NHS organisations throughout the UK.
Bleaklow Ltd utilise a Microsoft Exchange email system which they have developed to a secure specification and wanted to provide this email service to their clients as an alternative to the secure NHS 2 mail system that the NHS provides.
In order to be able to utilise and provide this email service for communicating confidential data Bleaklow are required to comply with the NHS ISB 1596 Secure Email Specification.
The NHS ISB 1596 Secure Email Specification defines the minimum non-functional requirements for a secure email service for the storage and transmission of patient identifiable data by an email system.
The requirements of NHS ISB 1596 state that health and care organizations must operate their email service to at least the level of security standard ISO/IEC 27001:2013 and that this must be audited.
The organisation that manage the NHS security HSCIC (Health and Social Care Information Centre) required Bleaklow to engage a suitably qualified company to provide audit assurance that Bleaklow had a suitable information security management system and the necessary security controls in place. Romano Security Consulting were verified by HSCIC as having the skills, experience and qualifications to provide this level of assurance.
Bleaklow have developed an ISMS to manage the security aspects of the Microsoft Exchange email system and Romano Security Consultancy was identified as a company that has the experience to provide an independent ISO 27001 internal audit of the ISMS.
During an initial scoping discussion held in August 2018 Romano Security Consulting provided information about the relevant services that we could supply and subsequently drafted a detailed statement of work which took into consideration the requirements discussed during the scoping discussions.
The statement of work clearly detailed all the resources and costs necessary to meet the client’s stated objective so that they would be able to achieve this without the need to allocate any additional budget and would also be within the tight timeframes specified by Bleaklow.
The scope of the audit was agreed with Bleaklow and covered the Microsoft Exchange email system and assessed the service against the requirements of the following areas from ISO 27001:2013:
ISO 27001 ISMS Framework Sections
4.3 Scope
5.2 Policy
6.1, 8.2, 8.3 Risk Assessment and Risk Management
7.3 Awareness
9.2 Internal Audit
ISO 27001:2013 Annex A Sections
A8 Asset Management
A9 Access Control
A10 Cryptography
A11 Physical and Environmental
A12 Operations Security
A13 Communications
A16 Incident Management
A17 Business Continuity Management
The ISO 27001 audit consisted of face-to-face interviews with key member’s staff such as the Head of Governance and Assurance, IT and Infrastructure Manager and Network Manager and an examination of processes and process documentation.
The audit was completed against the requirements of ISO 27001:2013 and the data reviewed was used to provide an informed ISO 27001 compliance assessment.
Following the audit a detailed audit report was provided to Bleaklow. The report consisted of a detailed summary of the audit, findings and recommendations for corrective actions.
There were a number non-conformances and observations recorded as a result of the audit.
A corrective action plan was drawn up with Bleaklow and Romano Security Consulting and as part of the audit brief Romano Security Consulting were also asked to provide advice on the corrective actions for the non-conformances and observations. The remediation advice largely consisted of recommendations of changes to documentation, processes and controls.
Bleaklow implemented the suggested corrective action recommendations and provided the necessary evidence to close off the non-conformances and observations.
Once all of the findings had been closed off Romano Security Consulting were asked to provide a statement to HSCIC to confirm that Bleaklow infrastructure, processes and controls supporting the secure email system complied with the requirements of ISO 27001:2013 and the NHS ISB 1596 specification.
In October 2018 Bleaklow were awarded the accreditation from HSCIC that they required for their secure email system. Bleaklow are now able to provide their secure email system to their clients and partners. Romano Security Consulting have agreed a contract with Bleaklow to audit their secure email system on an annual basis.