Data Management Planning for Secure Services (DMP-SS)

ISO-27001 certification awarded

By F D (Tito) Castillo, on 1 October 2012

On Friday 28th September 2012 the epiLab-SS secure research environment passed its Stage 2 assessment as meeting the requirements of the ISO-27001 standard for Information Security. The resulting certificate, due to be formally issued by LRQA within weeks, follows a rigorous third-party audit of the epiLab-SS Information Security Management System (ISMS). The auditor followed up his initial (Stage 1) assessment of the structural elements of the ISMS by examining in more detail the dynamic functional elements of the system and its wider context within UCL, which involved interviews with a range of senior management personnel.

A critically important element in the process was demonstrating that the ISMS design had been adapted to meet the needs of the domain of epidemiology research, handling personally identifiable and sensitive data safely and securely. Our application of data management plans as a mechanism for assuring engagement of researchers with the ISMS has proved to be invaluable in this respect. These plans have allowed researchers to clearly enumerate all information assets and highlight concerns, vulnerabilities and legal obligations at key stages during their use of the service.

This achievement is highly significant: it demonstrates an effective and cost-efficient approach to the provision of secure data handling services within an academic context, and it means that UCL has become one of the few academic institutions in the UK to provide independent assurance of information security provision for research datasets. We have been able to implement a secure private cloud-based service, using an accredited UK government G-Cloud data centre (AIMES Grid Services CIC Ltd) with end-to-end ISO-27001 certification.