Information Security Management System (ISMS) - Template

Programme: NPFIT
Sub-Prog / Project: Information Governance
Document Record ID Key: NPFIT-FNT-TO-IG-IGCOM-0121.02
Prog. Director: Paul Jones
Status: Approved
Owner: Tim Davis
Version: 1.0
Author: Danny Solomon
Version Date: 22 January 2007

Information Security Management System (ISMS) Template

Crown Copyright 2015

Information Security Management System (ISMS) Template


NPFIT-FNT-TO-IG-IGCOM-0121.02

22 January 2007 / Approved / 1.0

Amendment History:
Version 0.1, 15 Jan 2007: First draft for comment
Version 1.0, 22 Jan 2007: Incorporated comments from Andy Dickinson; approved.

Forecast Changes:
Anticipated Change / When: none listed

Reviewers:
This document must be reviewed by the following (Name / Signature / Title / Responsibility / Date / Version):
Tim Davis, Head of Information Governance
Andy Dickinson, Information Governance Compliance Manager

Approvals:
This document must be approved by the following (Name / Signature / Title / Responsibility):
Tim Davis, Head of Information Governance
Andy Dickinson, Information Governance Compliance Manager

Distribution:
FileCM
ESP Supplier Portal

Document Status:
This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled.
Related Documents:
These documents will provide additional information.
Ref no / Doc Reference Number / Title / Version:
[1] NPFIT-SHR-QMS-PRP-0015, Glossary of Terms Consolidated.doc, version <enter latest>

Glossary of Terms:
List any new terms created in this document. Mail the NPO Quality Manager to have these included in the master glossary above [1].
Term / Acronym / Definition: none listed


Contents
1 About this Document ... 5
1.1 Purpose ... 5
1.2 Audience ... 5
1.3 Content ... 5
2 Signature ... 6
3 ISO 27001 compliance ... 6
4 ISMS ... 7
4.1 ISMS Strategy ... 7
4.2 ISMS Topics ... 8


1 About this Document

1.1 Purpose
All suppliers to NHS CFH are required to have an Information Security Management System (ISMS) in place, in order to provide an appropriate level of governance for the services they provide.
The purpose of this document is to provide a template for suppliers to describe their ISMS, in cases where the presence of an ISMS is not included in any contractual arrangements (for example in the case of Existing System Suppliers).

1.2 Audience
This document has been written for suppliers needing to evidence their ISMS, for example as part of the NHS CFH Common Assurance Programme (CAP).

1.3 Content
As a template, this document is expected to be completed by system suppliers and submitted as part of the NHS CFH CAP, or as a response to other requirements (such as Requirement 9 of NPFIT-FNT-TO-IG-IGCOM-0102.01 Information Governance Offshore Support Requirements).
Section 2 of this document provides guidance as to the signing authority required for responses to this template.
Section 3 asks about current compliance with the ISO27001 standard.
In the absence of current compliance with ISO27001, Section 4 provides a series of ISMS topics for which detailed responses describing the supplier's ISMS are required, and asks about plans for achieving ISO27001 compliance.
Note that Section 2 plus either Section 3 or Section 4 must be completed. If an appropriate scope of current compliance with ISO27001 is available and described in Section 3, then an explicit response to Section 4 is not required.


2 Signature
This document must be signed by a senior officer of the organisation with responsibility for information security [note 1].
Name of signatory:
Position:
Company:
Contact details:
Only one of Section 3 or Section 4 needs to be completed, depending on whether the company is currently compliant with ISO27001.

3 ISO 27001 compliance
This section indicates the company's current compliance with ISO27001.
If the company is ISO27001 registered, state the date the certificate was granted. Enclose a copy of the certificate.
Describe the scope of the company's current compliance with ISO27001.

Note 1: For example, Chief Information Officer, Chief Information Security Officer.


4 ISMS
Both parts of this section should be completed if your organisation is not currently compliant with the ISO27001 information security standard.

4.1 ISMS Strategy
This section covers your strategic direction and planning for your ISMS.
Describe your plans (including scope and timescales) for achieving ISO27001 compliance.
Describe the methods (and their outputs) that you use for deciding on the scope, extent and practice of your ISMS. For example:
i) the Risk Assessment Process followed, leading to
ii) the Risk Treatment Plan, which results in
iii) the Scope (or Statement of Applicability) for your ISMS.
Enclose the relevant risk assessment as well as a description of the process.


4.2 ISMS Topics
This section contains a number of ISMS topics [note 2]. Each should be completed with details of current practices and/or policies in those areas.
Information Security Policy: describe how your security policies are documented, approved, published, reviewed and updated.
Organization of Security Policy: describe how your company is organized in terms of its approach to information security.
Asset Management: describe how your assets are identified and managed, and how information within your organisation is classified, labelled and handled.
Human Resources Security: describe how your employees understand their responsibilities and how you ensure continued appropriate access to information before, during, and after employment.
Physical and Environmental Security: describe how you prevent unauthorized physical access, damage and interference to your organisation's premises and information.

Note 2: These topics are drawn from the ISO27001 standard.


Communications and Operations Management: describe how your organisation ensures the correct and secure operation of information processing facilities, through:
- operational procedures and responsibilities
- third-party service delivery management
- system planning and acceptance
- protection against malicious code
- backup
- network security management
- media handling
- exchange of information
- electronic commerce services
- monitoring

Access Control: describe how access to information is controlled, through:
- user access management
- user responsibilities
- network access control
- operating system access control
- application and information access control
- mobile computing and teleworking


Information Systems Acquisition, Development and Maintenance: describe how your organisation ensures that security is an integral part of information systems through:
- security requirements analysis and specification
- correct processing in applications
- cryptographic controls
- security of system files
- security in development and support processes
- technical vulnerability management

Information Security Incident Management: describe how your organisation ensures that information security weaknesses and events are communicated in a timely manner.

Business Continuity Management: describe how your organisation counteracts interruptions to business activities and protects critical business processes from the effects of major failures or disasters, and ensures their timely resumption.

Compliance: describe how your organisation ensures compliance with organisational security policies and standards.
