The personal information you store and process must be kept secure. Andy Mills discusses the benefits to your business of gaining ISO/IEC 27001 certification…
In an environment where trusting technology to store, manage and share data is the norm, and data storage applications such as cloud-based systems develop year-on-year, introducing a robust information security management system is of increasing importance to nursery owners.
ISO/IEC 27001:2013 is the latest version of the global standard for information security, published in 2013. It defines a risk-based management system for protecting information and information-processing facilities. Although the title refers to an ‘information security management system’, the standard includes requirements for physical security as well.
It is essential for any organisation, no matter its size, to proactively address information security issues, and this ISO standard is a first line of defence against hackers, viruses and the theft of intellectual property. It ensures that your information security is under control through specified and audited management systems. It also raises awareness of possible threats to information and how you can put procedures in place to protect it.
A UKAS-accredited certification to the standard demonstrates that your organisation is following international information security best practices, that it has been audited by an approved certification body and ultimately provides children and their parents with the reassurance that their information is protected.
To implement an effective information security management system, you should begin by understanding its context: the internal and external issues that can affect the organisation and the confidentiality, integrity and availability of the information you hold about the children in your care. You will also need to identify the interested parties and your assets (tangible and intangible assets, including data, particularly sensitive and personally identifiable data). Once these have been identified, you can conduct a risk assessment and identify the security controls needed.
Consider the ‘rule of three’, i.e. ensure you have three layers of protection between the asset you need to protect and the threat. A multilayered information security strategy applies equally to data and to the information-processing facilities, which are the computers and filing cabinets where data is processed and stored. Your communications infrastructure, such as Wi-Fi, LAN and broadband, also needs to be secured.
A crucial element of ISO/IEC 27001 for educational institutions is its information security processes for handling children’s data, such as name, address, home contact details, next of kin and medical information (allergies, for example).
On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. It makes a number of specific provisions in relation to the handling of children’s personal data and introduces potentially massive fines for a data breach. Note that under GDPR ‘personal data’ includes
● racial or ethnic origin,
● religious or philosophical beliefs,
● genetic data and biometric data,
● health,
● ID number, and
● location data.
You’ll find more information on implementing GDPR in your setting here.
Compliance with obligations, applicable legislation and regulation is important for all organisations, including nurseries. ISO/IEC 27001 embraces governance, risk and compliance in its requirements for an information security management system.
Many cases of data theft are a human resources issue. The ISO/IEC 27001 security controls cover HR functions such as the roles and responsibilities of employees, contractors and third-party users. The standard requires you to have the processes needed to perform security screening and background verification checks on all candidates for employment, contractors and third parties, and to have both robust terms of employment and termination processes in place to ensure that assets are returned and access rights removed.
It’s also important to raise awareness of information security risks within the nursery and to educate personnel within the organisation. Once the security controls are in place, you can develop controlled data-sharing among staff to improve processes, so the benefits extend well beyond certification itself.
Andy Mills is an ISO auditor and founder of Applied Risk Management Ltd.