Following our earlier post that epilab-SS service now meets the NHS criteria for information security and governance (Level 2). We can confirm that AIMES Grid Services CIC Ltd, the data centre provider for epiLab-SS, have recently been notified that their submission to NHS Information Governance Toolkit team has been reviewed and found to meet their requirements. This means that, in addition to their pre-existing ISO-27001 certification and G-Cloud Assured Services, AIMES  now also meets the NHS criteria for information security and governance (Level 2).

AIMES status can be viewed here

epilab-SS status can be found here.

This will add to the dual certification (cloud/institution) model of information security assurance that we have been collaborating on and we look forward to improving it even further during future projects.

The epiLab-SS secure service has recently been notified that it has successfully achieved “Level 2” compliance to the NHS information governance toolkit. This toolkit, based on the ISO-27001 information security standard, is a standardised assurance process that is mandated for all NHS organisations. Universities and other academic research groups have recently been required to adopt the toolkit to address aspects of personal information handling, in particular where access to unconsented identifiable datasets. More information on the epiLab-SS compliance can be found at the following link.

On Friday 28th September 2012 the epiLab-SS secure research environment passed its Stage 2 assessment as meeting the requirements of the ISO-27001 standard for Information Security. The resulting certificate, due to be formally issued by LRQA within weeks, is the result of rigorous third-party audit of the epiLab-SS Information Security Management System (ISMS). The auditor followed up his initial (Stage 1) assessment of the structural elements of the ISMS to examine in more detail the dynamic functional elements of the system and its wider context within UCL, involving interviews with a range of senior management personnel.

A critically important element in the process involved the demonstration that the ISMS design had been adapted to meet the needs of the domain of epidemiology research,  handling personal identifiable and sensitive data safely and securely. Our application of data management plans as a mechanism for assuring engagement of researchers with the ISMS has proved to be invaluable in this respect. These plans have allowed researchers to clearly enumerate all information assets and highlight concerns, vulnerabilities and legal obligations at key stages during their use of the service.

This achievement is highly significant since it demonstrates an effective and cost-efficient approach to provision of secure data handling services within an academic context and means that UCL has become one of the few academic institutions in the UK to provide independent assurance of information security provision for research datasets. We have been able to implement a secure private cloud-based service, using an accredited  UK government G-Cloud data centre (AIMES Grid Services CIC Ltd) with end-to-end ISO-27001 certification.