
This is paid-for content from our commercial partners.

The global pandemic caused by covid-19 has taught us many things about the way we live and work. For NHS Greater Manchester Shared Services, it put into practice months of hard work and demonstrated the value of ISO 27001 certification.

Sponsored by BM TRADA

Eighteen months ago, Phil Scott, IT security manager at NHS GMSS, and his team made the decision to work towards ISO 27001 certification with leading certification provider, BM TRADA. The certification was awarded in mid-June, by which time the benefits of the process were already clear to see.

Working as a partner in the health and care system, GMSS customers include Clinical Commissioning Groups, GPs and NHS Foundation Trusts. With a number of major data breaches in the healthcare industry hitting the headlines, it was clear that data protection was an area of significant concern for their clients. While many organisations in the industry looked to a cyber training provider for guidance, Phil decided to take the IT security of the organisation even further.

“I was brought in to improve IT security, and I wanted to make sure we were leading the way in this area,” he explains. “Certification would prove to our customers how seriously we deal with security and give confidence in our services. We wanted to offer the highest level of security, so we looked to ISO 27001, making us one of the first NHS organisations to do so.”

ISO 27001 is the international standard for an information security management system (ISMS), which outlines a framework of policies and procedures to mitigate the risk of a security breach. Covering more than just IT and cyber security, the standard provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS, and covers all aspects of an organisation’s information risk management process.

“With ISO 27001, everything is considered, including policies and ways of working,” explains Phil. “The auditor from BM TRADA who undertook the first audit wasn’t there just to check what we were doing; he was professional, knowledgeable and extremely thorough, and crucially, he offered advice and guidance for the second audit, which was so useful.”

When the initial audit took place in February 2020, the team could not have anticipated the challenges that would lie ahead for them. Mohamed Fadil, Risk, Audit and Business Continuity manager at GMSS explains, “We knew ISO 27001 certification would make us leaders in our field, but we didn’t realise what a difference it would make to our organisation in the coming months as we faced a global pandemic.

“With a business continuity management system and risk assessment framework in place, we started planning for covid-19 much earlier than most. At the end of February, there were whisperings of an epidemic heading our way, so we undertook a tabletop exercise to see what would happen if there was an outbreak in the UK and if there were confirmed infections in our offices.

“This outlined the weaknesses that we needed to address, resulting in 13 learnings to consider. For example, we identified that we would need to increase our remote access capacity, which brings its own risks. We anticipated some of these potential problems and dealt with them in advance. By the time the Prime Minister announced on 23 March that everyone should stay home, we had a process in place to act immediately. All 350 employees could work from home safely the following day.”

As well as its employees, GMSS needed to consider the 13,000 service-users through its clients. While others around the country were placing emergency orders for laptops and equipment and discovering that stock was low, GMSS was able to deploy 2,300 laptops and many more hardware kits between March and June, and increased capacity from 2,000 concurrent users to 10,000 – which was enough to cover the required number of people using its services at any one time. Businesses that needed support most urgently at this incredibly challenging time were able to continue to work seamlessly.

“Both our staff and customers were able to work from home quickly and easily, while other parts of the health care system were still struggling months later. During the covid-19 period, feedback from our customers has been overwhelmingly positive, boosting team morale at a really difficult time.”

As the experience at GMSS demonstrates, a key benefit of ISO 27001 certification is business retention and development, as it provides assurance to customers, employees, stakeholders and the wider industry. It also helps organisations demonstrate their willingness to comply with legal obligations, as well as potentially preventing fines, legal repercussions and reputational damage resulting from security breaches.

“For me, the most important thing about ISO 27001 is the culture change that it instils,” explains Phil. “Other certification can just be a rubber stamp exercise that everyone ticks off and then forgets about, but with ISO 27001, it’s different. We all have to keep thinking about it and we all understand why we’re doing it.”

Mohamed adds, “Processes and policies are great, but you need people to buy into them to really succeed. ISO becomes part of the ‘business as usual’ and changes the way that everyone works as a result. It has certainly changed the culture when assessing risk. Our team understands the value of what we’re doing, and once the framework was in place, everyone could see how useful it was; making things much easier and safer all round.”

Despite the onset of covid-19 and the subsequent lockdown of the country, the final part of the audit was able to take place. Phil explains, “The process was really straightforward, but we did have a challenge to complete it, as the final audit had to be done remotely. However, the team at BM TRADA were fantastic, and we were able to demonstrate enough through video calls for it to work. The audits were very well organised and scheduled to perfection, so thankfully, we managed to make it work.”

Adam Colyer, Business Development manager at BM TRADA, adds: “Becoming certified to ISO 27001 demonstrates that an organisation has been assessed against a globally recognised standard and has assessed its risks and incorporated procedures to protect its information. While there is an initial investment of time and money, it is far less than the time, cost and reputational implications that will be incurred as a result of a preventable breach.

“Our team has many decades of experience and provides a certification process that is thorough and robust, striving to provide clarity and support along the way. And using a UKAS-accredited certification body like us ensures the ISO 27001 certification will be readily accepted by many regulators, suppliers and purchasers across the world.

“With a significant rise in people working from home, cyber security is open to more breaches than ever before. As we all reconsider the safety of our workplaces, businesses should also pay extra attention to the safety of the data that they hold.”

BM TRADA, part of the Element Group, specialises in providing a comprehensive range of independent testing, inspection, certification, technical and training services. It helps organisations to demonstrate their business and product credentials and to improve performance and compliance.

BM TRADA helps customers ensure that the management systems, supply chain and product certification schemes they operate are compliant and fit for purpose.