Congratulations to everyone involved with achieving ISO 27001 certification for Professional Services, an international standard in Information Security Management.
The certification marks a significant achievement, and reflects efforts over the past 18 months to build a holistic information security framework encompassing people, policies, and technology.
The programme of activities has involved colleagues across Professional Services including Finance and Procurement, HR, Campus Services, the University Secretariat, and DDaT. It has been led by Andy Fincham, Chief Information Security Officer (CISO), and Kelly Macrae, Information Security Transformation Manager.
A special thanks also goes to those directly involved with the external audit.
What is ISO 27001
ISO/IEC 27001 is an international standard for Information Security Management Systems (ISMS).
It provides a systematic, risk-based framework to help organisations protect their sensitive data, manage cyber risks, and ensure business continuity.
Key Components include:
- The ISMS: A central framework of policies, procedures, and controls that manages an organisation's information risk.
- Risk Assessment: A requirement to systematically identify, evaluate, and mitigate potential threats to their data.
- Annex A Controls: A comprehensive library of 93 security controls (covering organisational, people, physical, and technological areas) that organisations can implement to reduce information security vulnerabilities.
Why it matters
Achieving and maintaining our ISO 27001certification brings benefits such as:
- independent verification that we follow global best practices for information security
- a structured approach to meeting regulatory compliance such as data protection and privacy
- a competitive advantage when developing collaborations and partnerships
What’s next
Certification is granted for 3 years (subject to successful yearly surveillance audits of our ISMS), so we’ll continue to mature our approach to Information Security across Professional Services (PS).
In addition, we’ll be initiating work to achieve subsequent certification in non-PS areas.
Your role in keeping information safe at Bath
Regardless of our certification status, protecting our information is everyone’s responsibility, so please continue to:
- Classify and label information you create to be shared (including labelling older files as you use them), and protect it based on its sensitivity
- Report phishing, ideally using the Outlook ‘Report message’ button. Remember, deleting it protects you, but reporting it protects everyone
- Report other suspicions, or incidents where you’ve followed a link in a phishing email, by either:
- emailing IT-Security@bath.ac.uk
- using the TOPdesk self-service portal
- contacting the Campus Security team for out of hours IT emergency support.