Stage 1 ISO27001 audit: epiLab-SS passes first hurdle
By F D (Tito) Castillo, on 18 July 2012
On Friday 13th July 2012 the epiLab-SS secure service underwent a Stage 1 ISO27001:2005 audit by LRQA. The auditor examined the associated Information Security Management System (ISMS) that has been developed in conjunction with our cloud-based service. The service is already hosted within an ISO27001 certified data centre (AIMES Grid Services CIC Ltd) offering thin-client access to virtual desktops. Our risk assessment identified the need to develop a formal ISMS in respect of information security practices for users of this service at UCL. This ISMS is an example of the use of data management plans to underpin the risk assessment and continual improvement process for information security, and we have chosen to adopt the MRC Data Management Plan template as a standard approach for all registered research projects.
Although this is only the first of two stages of initial audit, the signs are looking good. We satisfied the auditor that our ISMS contained no major non-conformities and, as such, was suitable for progressing to a Stage 2 audit in late September 2012. A successful audit at Stage 2 will then mean that the epiLab-SS system will be certified as ISO27001 compliant, demonstrating an effective model for use of cloud-based secure services for research datasets that could be replicated in other university research units.