ISO 27001 and ISO 22301 Compliance for Education and Training Providers

Meeting the ESFA’s cyber resilience requirements for 2019/20

In May 2019, the ESFA (Education and Skills Funding Agency) – an executive agency of the DfE (Department for Education) – launched a new contract framework for further-education funding, setting out stronger requirements for cyber security and business continuity.

Originally, Schedule 7 of its funding agreements for 2019/20 required education and training providers – including colleges and universities – to be able to demonstrate conformance to ISO/IEC 27001:2013 and ISO 22301:2019 as a condition of funding.

• ISO/IEC 27001:2013 (ISO 27001) – the international standard for an ISMS (information security management system).
• ISO 22301:2012 (ISO 22301) – the international standard for a BCMS (business continuity management system). 

However, the requirement to conform to ISO 27001 was diluted in January 2020, stating that education and training providers would only have to meet the requirements of the Cyber Essentials scheme. This requirement will later be strengthened to Cyber Essentials Plus in 2021 and, further down the line, ISO 27001.

This page explains what ISO 27001 and ISO 22301 are, how to achieve and demonstrate conformance to them, and the benefits of using them to improve your cyber resilience.

It also links to a wealth of free resources, and products and services relating to ISO 27001 and ISO 22301, so you can find everything you need to implement them – whatever your budget or level of expertise.

Who is affected by the ESFA requirements?

• Colleges – Education and Skills conditions of funding grant 2019 to 2020 (College)
• Employers – Education and Skills conditions of funding grant 2019 to 2020 (Employer)
• Higher-education institutions – Education and Skills conditions of funding grant 2019 to 2020 (Higher education institution)
• Independent training providers – Education and Skills conditions of funding grant 2019 to 2020 (Independent training provider)
• Local authorities – Education and Skills conditions of funding grant 2019 to 2020 (Local authority)
• Non-maintained special schools – Education and Skills conditions of funding grant 2019 to 2020 (Non-maintained special school)
• Special post-16 institutions – Education and Skills conditions of funding grant 2019 to 2020 (Special post-16 institution)
• Trusts – Education and Skills conditions of funding grant 2019 to 2020 (Trust)

ISO 27001 for education and training providers

What is ISO 27001?

ISO 27001 sets out the specifications for an ISMS – a systematic approach to securing data that covers people, processes and technology.

Annex A of the Standard provides a set of 114 organisational security measures, or ‘controls’, covering everything from information security policies to reviewing information systems’ technical compliance.

Based on the outcomes of regular risk assessments, an ISMS addresses the information security risks facing your information in a focused, efficient and cost-effective manner.

ISO 27001 is the only information security standard to which organisations can achieve independently audited certification to demonstrate that their approach follows international best practice.

 Learn more about ISO 27001

ISO 27001: What does Schedule 7 of the ESFA contract framework require?

Schedule 7 states that:

1.3 The [College/Employer/Provider/Contractor] shall be able to demonstrate conformance to, and show evidence of such conformance to the ISO/IEC 27001 (Information Security Management Systems Requirements) standard, including the application of controls from ISO/IEC 27002 (Code of Practice for Information Security Controls). The [College/Employer/Provider/Contractor] shall work towards certification for the 2020/21 funding year.

It goes on to list a number of specific security requirements – including physical security, access controls, antivirus and firewalls, patch management, and the use of audit logs – all of which can be met using ISO 27001’s Annex A controls.

ISO 27001 certification

Section 1.3’s intent is clear: you must implement an ISMS and retain the appropriate documentation to show an ESFA auditor that it conforms to ISO 27001, or be able to produce a certificate from an independent auditor that shows your ISMS is ISO 27001 conformant.

Independently audited certification is not compulsory yet. Following consultation, the requirement to work towards certification to the Standard for the 2020/21 funding year was withdrawn in September 2019. However, certification “will remain a future requirement”.

Moreover, certification is the most efficient way of demonstrating your conformance to the Standard. If you have been independently audited, you will know for sure that you meet your requirements, so it is well worth considering this option sooner rather than waiting for it to become mandatory – especially as certification lasts for three years.

 Learn more about ISO 27001 certification

ISO 22301 for education and training providers 

What is ISO 22301?

ISO 22301 sets out the requirements for a BCMS – a framework that helps organisations prepare for, respond to and recover from disruptive incidents that affect their critical processes and activities.

A BCMS that conforms to ISO 22301 provides a well-defined incident response structure that ensures that when an incident occurs, responses are escalated in a timely manner and the right people take the right actions to respond effectively.

This includes ensuring support and involvement from the top of the organisation, risk management, adequate resources, staff competence and awareness, and continual improvement of the management system.

 Learn more about ISO 22301

ISO 22301: What does Schedule 7 of the ESFA contract framework require?

As well as requiring the implementation of best-practice information security, Schedule 7 mandates conformance to ISO 22301:

1.16 The [College/Employer/Provider/Contractor] will, as a minimum, have in place robust Business Continuity arrangements and processes including IT disaster recovery plans and procedures that conform to ISO 22301 to ensure that the delivery of the Agreement is not adversely affected in the event of an incident. An incident will be defined as any situation that might, or could lead to, a disruption, loss, emergency or crisis to the Services delivered. If a[n] ISO 22301 certificate is not available the supplier will provide evidence of the effectiveness of their ISO 22301 conformant Business Continuity arrangements and processes including IT disaster recovery plans and procedures. This should include evidence that the [College/Employer/Provider/Contractor] has tested or exercised these plans within the last 12 months and produced a written report of the outcome, including required actions.

ISO 22301 certification

A BCMS aligned with ISO 22301 will ensure your business continuity plans remain up to date and become part of your organisation’s culture. It will help you mitigate risks effectively and continually, and adopt an integrated approach to managing business continuity.

As with ISO 27001, organisations can achieve independently accredited certification to ISO 22301 to demonstrate that their business continuity plans follow international best practice.

 Learn more about how we can help you implement ISO 22301

Cyber resilience with ISO 27001 and ISO 22301

All newer ISO management systems standards follow the same high-level structure, known as Annex SL. This means that your ISO 27001-compliant ISMS and ISO 22301-compliant BCMS can easily be integrated into one straightforward implementation project.

Conforming to both ISO 27001 and ISO 22301 will give you a documented cyber resilience framework capable of protecting your organisation’s networks and information systems from the majority of threats.

Moreover, it will help you recover quickly and efficiently if and when an incident occurs – as mandated by the GDPR (General Data Protection Regulation).

 Learn more about cyber resilience