'Implementing a security standard needs a mandate from the top'
Milton Keynes College’s path towards gaining the ISO 27001 information security certificate was fairly smooth, partly because we had a mandate from the top and everyone had to get on board, with no exceptions.
Security isn’t just a bolt-on at the college; it’s integrated from the start of any project, and working towards ISO 27001 was part of the existing digital strategy.
Before we started the certification process, we had already conducted pen testing, a phishing awareness campaign and moved a lot of staff on to two-factor authentication. Cyber Essentials Plus was also in place, driven by the contracts we have to deliver education in 19 prisons - you can’t apply for a government contract without it.
We also have contracts with other external organisations and apprenticeship employers, all of which are very interested in the security we have in place. We discovered that having these security ‘badges’ was very useful in giving us an advantage in the marketplace.
We realised early in the certification process that we'd need to completely change how we do things across the whole college and that those changes needed to be sustainable.
One of the things about ISO 27001 that can catch you out early on is that you need to demonstrate management commitment. What the assessors want is a sponsor – someone in the organisation who takes responsibility. I went to our group chief executive officer, who agreed to chair the information security management review meetings, and the involvement of our group chief operating officer was also critical in being able to drive change.
We also made a point of trying to engage the middle managers – and there are 30 or 40 at the college, so this was important. They were each responsible for information security in their areas, so their buy-in was essential.
All credit to those middle managers, who really did make things happen. There was quite a bit of healthy competition between them because nobody wanted to be responsible for the department that stopped us getting the assessment.
Alongside that, we got the right people on the implementation team who could help influence that change. Of course, it helped having the group CEO on the team! She helped bring on board the middle managers, while the estates department staff, who were often walking around the campus, were our eyes and ears.
We had some outside help to achieve the certification, too, mainly in the form of consultants, including an internal auditor who also happened to be an ISO assessor. He wasn’t cheap, but that kind of help is worth its weight in gold.
Writing the policies and physically making things happen, we did ourselves.
Pushing out the message
We put a lot of effort into internal communications to promote information security. The communications manager joined the implementation team and we developed a comms plan and identified nine different communications channels to push out our messages. This was not simply about sharing information with staff, it was also showing the assessors that we were actively spreading the word.
We put up digital signs in all staff rooms to display information security messages, the lock-screen image on Windows that usually shows pretty landscape pictures was changed to show security messages, and we had a series of posters, which were particularly useful for the prisons, where restrictions mean it's not possible to share anything digitally.
For a period of about six months, there was also something about security in the college’s online monthly magazine covering subjects like phishing emails, the importance of having clear desks and strong passwords.
Training and support
All staff did a 90-minute online training package, which is renewed annually; we introduced an information security induction for new starters; we put leaflets on everyone’s desk; and the intranet carried all this information, too. We were aiming to continually reinforce six key messages until good practice became second nature.
It’s early days, but one of the more obvious positive impacts is down to the clear-desk policy, which has had quite a transformational effect on our staff areas – they are decluttered, look really good and feel more comfortable. Our risk profile has also been reduced, and this process has been a huge opportunity for us to get on top of our security assets and work out where our data is, particularly what's held in the cloud.
Managing the cultural change is key and I think we did that. There’s definitely a sense of pride in achieving ISO 27001 and we now have a more collective attitude towards information security ownership. It’s moving it away from being the IT thing and making it everybody’s thing.
We gained the certificate in May, a little more than 18 months after we started the process, but ticking that box is not the end of the story because there are always new chapters to add; maintaining ISO 27001 is an ongoing process, so we will have to continually work to maintain and improve information security.
Jonathan Wilson will be speaking about implementing ISO 27001 at the Jisc security conference (3-5 November 2020). This year it will focus on ‘building a cyber aware culture together’ and the programme has been expanded to include sessions for all staff members - from network and security specialists to teaching and learning practitioners. Find out more about cyber security.