Background
The Business Continuity and Disaster Recovery, Hosting and Infrastructure, and Information Governance Standards each contain a requirement for a valid ISO 27001 certificate from a UKAS-registered accreditation organisation, or from an International Accreditation Forum (IAF) registered accreditation organisation in exceptional circumstances.
Previous versions of the Standard stated that Information Governance is the most appropriate Standard to house the requirement. The Information Security team will be taking responsibility for the related assurance. The level of this requirement is currently a ‘SHOULD’, but this needs to be corrected to ‘MUST’. This Roadmap Item covers the changes required: the requirement will be upgraded from a SHOULD to a MUST requirement.
Requirement BCDR-2 in the Business Continuity and Disaster Recovery Standard has been identified as a duplicate requirement. Therefore, the duplicate requirement will be removed from the Business Continuity and Disaster Recovery Standard.
Requirement ES4.0 in the Hosting and Infrastructure Standard is not always a duplicate of the requirement in Information Governance, as it mandates that the hosting provider holds a valid ISO 27001 certificate. If the Solution’s infrastructure is hosted by a third party, a separate ISO 27001 certificate may be required in addition to the one produced as evidence under the Information Governance Standard. This requirement will also be upgraded from a SHOULD to a MUST requirement. The change required for Information Governance is covered in RM183.
Outline Plan
All Suppliers must be fully compliant by the Effective Date. Suppliers must have completed the Solution Assurance by NHSE.
Summary of Change
Information Governance: Requirement GP-IG-16-2 updated
Applicable Contracting Vehicle(s) | Requirement ID | Requirement Text | Level
---|---|---|---
All | GP-IG-16-2 | ISO/IEC 27001 Accreditation: A valid ISO 27001 Certificate is required from a UKAS-registered accreditation organisation, or an IAF-registered accreditation organisation in exceptional circumstances. |
Business Continuity and Disaster Recovery: Requirement BC-DR-2 removed
Requirement BC-DR-2 is removed from the Business Continuity and Disaster Recovery Standard as a duplicate of the Information Governance requirement (see Background).
Hosting and Infrastructure: Requirement ES4.0 updated
Applicable Contracting Vehicle(s) | Req. ID | Standard | Name | Description | Level | Evidence
---|---|---|---|---|---|---
All | ES4.0 | ISO/IEC 27001 | ISO/IEC 27001 Accreditation | ISO/IEC 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organisations, regardless of type, size or nature. Note: This requirement is only applicable to Suppliers whose Solution is hosted by a non-pre-accredited third party. | |
...
The updated Standards will be added at a later date. Proposed changes can be viewed in the Summary of Change above.
Assurance Approach
Assurance is subject to review of the uplifted Traceability Matrix (TM). Suppliers are to provide updated TMs for review by the Compliance SMEs for the applicable Standards.