The Clinical School Computing Service (CSCS) is delighted to report that the Secure Data Hosting Service, introduced two years ago in collaboration with the Information Governance Office to store Sensitive Personal Information for University research studies, has now been awarded ISO 27001 certification, a first for any secure computing environment in the University.
Implementation of ISO 27001, the international standard for information security management, required the creation of auditable governance and management processes around the technical solution, as well as enabling a secure network connection from the hospital to allow the sharing of medical data with CUHFT (principally exported from their electronic patient record system, EPIC).
ISO 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organisations that have adopted ISO 27001 must be formally audited and certified compliant with the standard, which requires that management:
- Systematically examines the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts.
- Designs and implements a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
- Adopts an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs on an ongoing basis.
Certification of the Secure Data Hosting Service has been achieved as part of an ongoing data sharing project with the NHS and significant progress has also been made with the implementation of:
- A data sharing agreement between CUHFT and the School.
- A full proof of concept exercise demonstrating that data can be securely and accurately managed across the SCM and CUHFT networks.
- A review of the School’s Information Governance Toolkit (IGT), completed to ensure that it is maintained at least at the prevailing standard.
- A Research Governance Data Committee to provide the necessary information governance oversight.
All of this should demonstrate the School’s continuing commitment to information security management to partners and funders.
The next stage will be for the School to work with our colleagues in UIS to transfer what we have learned from this project and achieve certification for PID to be held at West Cambridge in the High Performance Hub for Informatics (HPHI).