ISO 27001 Internal Audit Case Study


Bleaklow Ltd is a mature Information Management & Technology provider of services and technological solutions to over 100 NHS organizations throughout the UK.

Bleaklow Ltd operates a Microsoft Exchange email system, which it had developed to a secure specification, and wanted to offer this email service to its clients as an alternative to the secure NHS 2 mail system that the NHS provides.

In order to be able to utilize and provide this email service for communicating confidential data, Bleaklow was required to comply with the NHS ISB 1596 Secure Email Specification.

The NHS ISB 1596 Secure Email Specification defines the minimum non-functional requirements that a secure email service must meet for the storage and transmission of patient identifiable data.

The requirements of NHS ISB 1596 state that health and care organizations must operate their email service to at least the level of the ISO/IEC 27001:2013 security standard, and that this must be audited.

The organization that manages NHS security, HSCIC (Health and Social Care Information Centre), required Bleaklow to engage a suitably qualified company to provide audit assurance that Bleaklow had a suitable information security management system (ISMS) and the necessary security controls in place. Sava Cyber Technologies was verified by HSCIC as having the skills, experience, and qualifications to provide this level of assurance.

Bleaklow had developed an ISMS to manage the security aspects of the Microsoft Exchange email system, and Sava Cyber Technologies was identified as a company that has the experience to provide an independent ISO 27001 internal audit of the ISMS.

During an initial scoping discussion held in August 2018, Sava Cyber Technologies provided information about the relevant services it could supply and subsequently drafted a detailed statement of work that took into account the requirements discussed during the scoping discussions.

The statement of work clearly detailed all the resources and costs necessary to meet the client's stated objective, so that Bleaklow could achieve it without allocating any additional budget and within the tight timeframes it had specified.

The scope of the audit was agreed with Bleaklow. It covered the Microsoft Exchange email system and assessed the service against the requirements of the following areas of ISO 27001:2013:

ISO 27001 ISMS Framework Sections

  • 4.3 Scope

  • 5.2 Policy

  • 6.1, 8.2, 8.3 Risk Assessment and Risk Management

  • 7.3 Awareness

  • 9.2 Internal Audit

ISO 27001:2013 Annex A Sections

  • A8 Asset Management

  • A9 Access Control

  • A10 Cryptography

  • A11 Physical and Environmental

  • A12 Operations Security

  • A13 Communications

  • A16 Incident Management

  • A17 Business Continuity Management

The ISO 27001 audit consisted of face-to-face interviews with key members of staff such as the Head of Governance and Assurance, IT and Infrastructure Manager, and Network Manager, and an examination of processes and process documentation.

The audit was carried out against the requirements of ISO 27001:2013, and the evidence reviewed was used to produce an informed ISO 27001 compliance assessment.

Following the audit, a detailed audit report was provided to Bleaklow. The report consisted of a summary of the audit, its findings, and recommendations for corrective actions.

There were a number of non-conformances and observations recorded as a result of the audit.

A corrective action plan was drawn up jointly by Bleaklow and Sava Cyber Technologies. As part of the audit brief, Sava Cyber Technologies was also asked to advise on the corrective actions for the non-conformances and observations. The remediation advice largely consisted of recommended changes to documentation, processes, and controls.

Bleaklow implemented the suggested corrective action recommendations and provided the necessary evidence to close off the non-conformances and observations.

Once all of the findings had been closed off, Sava Cyber Technologies was asked to provide a statement to HSCIC to confirm that Bleaklow's infrastructure, processes, and controls supporting the secure email system complied with the requirements of ISO 27001:2013 and the NHS ISB 1596 specification.

In October 2018, Bleaklow was awarded the accreditation from HSCIC that they required for their secure email system. Bleaklow is now able to provide their secure email system to their clients and partners. Sava Cyber Technologies has agreed a contract with Bleaklow to audit their secure email system on an annual basis.