NHS Professionals (NHSP) work in partnership with hospital trusts to provide a bank of highly skilled temporary staff who want to work flexibly within the NHS. They have over 130,000 registered members and more than 50 NHS client Trusts. Staffing groups they supply include nurses, midwives, doctors and a variety of other high-quality health professionals. Because their business involves processing staff, client and candidate personal data, information security is critical, and the information security management system underpinning the business is key.
When NHS Professionals got in touch with ISMS.online they had two objectives: achieve UKAS certified ISO 27001 quickly and improve their ongoing management of information security. These key business objectives were at the heart of the ISO implementation project and the driving force for achieving certification in such a short time.
Following an exceptionally successful ISO 27001 Project, we spoke with Dean Fields, IT Director at NHSP, to find out why ISMS.online is the best fit for the organisation.
How did NHS Professionals approach InfoSec before using ISMS.online?
NHS Professionals had held ISO 9001 for 7 years and were already compliant with both the NHS Data Security Protection Toolkit (DSPT) and GDPR. Like many organisations, they were documenting their InfoSec in Word and Excel and saving their policies on shared drives. As we often see with organisations using these types of solutions, it is hard to keep them up to date for one standard. So, when you have multiple standards or regulations to follow, the whole system can fall over or become very expensive to maintain. It can also result in practical challenges around collaboration, version control, policy approval and policy sharing. All that can ultimately cause non-compliance and increase business risk rather than reduce it.
“Adding ISO 27001 certification could have resulted in duplicated efforts and policies increasing cost and adding risks, so we sought advice from a consultant who indicated that ISMS.online would help streamline our mature processes and reduce the time taken to certification.”
What was your challenge, what was your driver and how did ISMS.online meet your needs?
NHS Professionals had a new service offering which required them to be ISO 27001 certified within 6 months.
“We liaised with several independent consultants on the most effective way to achieve ISO 27001. We did consider just using a consultant, but we recognised there was a need for an information management system as spreadsheets and shared drives were not up to the job.
Having researched the product ourselves and taking on board what we had been told, we subsequently booked a demo. We explained the nature of the business impact and expressed how time was of the essence. The ISMS.online team demonstrated how the software service, along with Virtual Coach and the Assured Results Method would help us achieve our goal.
The Support team has been invaluable. They helped us migrate data, answered our everyday functionality questions, and their Information Security Experts were on hand to give us one-to-one support.”
Information Security Expert, Simon Taylor, has worked with ISMS.online for many years and has been part of the development of the platform. Capacity, in addition to time, was an issue for NHS Professionals, so Simon also formed part of the invaluable support team that helped NHS Professionals achieve certification quickly.
“ISMS.online is designed to be intuitive and easy to implement. As such, an organisation shouldn’t have to dramatically change its current working practices. The customer should be able to easily adopt or adapt the content provided in the platform or add their own existing policies and controls. This integration approach allowed NHS Professionals to quickly take the next step in their ISMS. They used ISMS.online to formalise their approach and evidence their compliance with the ISO 27001 standard. This allowed them to operate and maintain their ISMS in one place with much greater ease.”
Crucially, ISMS.online integrates ISO 27001 and GDPR in the way recommended by the Information Commissioner’s Office (ICO). The ISO 27001:2013 Policies and Controls Project has preconfigured hyperlinks to the GDPR Project, which reduces duplication across data protection and privacy policies, and it uses the Linked Work feature to reference any related risks. As the DSPT is also based around ICO-derived compliance for GDPR and the Data Protection Act 2018, this adds further value for organisations operating in the UK health sector.
It was also important that all of their ISMS work could be managed in one application.
“At the top of our ‘wishlist’ was an application that would improve our ongoing information security management. It was important that the solution we chose was a complete package that would enable us to manage compliance in one place.
We wanted to implement a new information management system which enabled us to achieve ISO 27001, whilst incorporating our existing compliance with ISO 9001, DSPT and GDPR.”
ISMS.online has a number of frameworks available, including the recently issued NHS Data Security Protection Toolkit (DSPT) replacing the IG Toolkit. This allows customers to achieve greater levels of compliance without further investment.
How is ISMS.online helping you overcome previous challenges?
NHS Professionals worked with Simon Taylor to establish ISO 27001 policies and controls which would both fit their organisation and meet the requirements of the standard.
“Simon indicated that ISMS.online would help streamline our mature processes and reduce the time taken to certification.”
Simon was on hand to offer support and guidance throughout the ISO 27001 Implementation Project.
“NHS Professionals were already in a good position to start; they had a number of policies and processes covering many aspects of information security. Using the Assured Results Method, we were able to help them quickly move their good practices into ISMS.online. This created an ‘all-in-one-place’ ISMS, whilst helping them identify any areas for future improvement that could have additional benefit. We ran the implementation project from within the platform, which allowed them to clearly demonstrate and evidence their decision-making processes. Adding direct consulting support to the already comprehensive Virtual Coach enabled the team to quickly implement and operate the ISMS in ‘Business As Usual mode’ and derive significant benefit.”
“The concept behind ISMS.online is to help organisations achieve their information security management goals more easily, more quickly and at lower total cost regardless of their starting point. We equip organisations with the tools, mindset and knowledge for how to approach their ISMS for immediate impact and sustainable success.”
“Since using ISMS.online, the challenges around version control, policy approval and policy sharing are a thing of the past. Our approach to risk and asset management with so many different owners has become a lot easier with everyone being able to contribute in one place.”
How quickly did ISMS.online contribute to your ISO certification success?
NHS Professionals completed their Stage 1 audit after only 6 weeks, with no significant findings. This was closely followed by success at the Stage 2 Certification Audit with no non-conformities, observations or identified opportunities for improvement. This fantastic result proved the value of using the ISMS.online platform, the Virtual Coach and the Assured Results Method supplemented with some direct consulting support.
“Thanks to ISMS.online, we achieved ISO 27001 UKAS certification within 4 months. I can honestly say we wouldn’t have been able to do it without ISMS.online and their support team.”
“It was wonderful to see the NHSP team quickly harness the power of ISMS.online and make rapid progress from day one. Not only did they deliver their primary objective of ISO 27001 certification inside their very ambitious timeline, they quickly recognised the value for their ISMS improvement too. Examples included how asset owners and other stakeholders all now benefit from being inside the platform to easily manage their own assets and risks, reducing administration and avoiding cost.”