Ensuring secure data: the ISO 27001 standard in practice

Article dated: 15 December 2010

In June 2010 the Archive was certified to meet the rigorous information security requirements of the international ISO 27001 standard.

Let's start with the standard itself. ISO 27001 covers all aspects of establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.

This system is actually a series of documented processes that allow an organisation to manage its information security risks. These cover, among other things:

  • asset inventories
  • information classification
  • premises security
  • operating procedures for data security and back-up
  • network and media security
  • access control to internal networks
  • human resources policies

This range shows that certification is not simply an exercise for IT staff; in fact, it affects everyone in the Archive.

We started work on a security plan in mid-2008, which evolved into a number of policies and procedures that were implemented and tested during 2009. So, across a range of mostly small actions – from enforcing visitor sign-ins (premises security) to removing administrative privileges from workstations (access control), from data labelling (information classification) to introducing a confidentiality agreement (human resources) – we made steps towards meeting the requirements of the standard.

Information security consultants guided us through the audit process, and in June 2010 we were successfully audited. We now have monthly meetings to assess threats and incidents which may fall under the requirements of the standard.

The standard applies to all services carried out by the UK Data Archive, including the Economic and Social Data Service (ESDS), the SDS and the Census Registration Service.