Meeting the ESFA’s cyber resilience requirements for 2019/20
In May 2019, the ESFA (Education and Skills Funding Agency) – an executive agency of the DfE (Department for Education) – launched a new contract framework for further-education funding, setting out stronger requirements for cyber security and business continuity.
Originally, Schedule 7 of its funding agreements for 2019/20 required education and training providers – including colleges and universities – to be able to demonstrate conformance to ISO/IEC 27001:2013 and ISO 22301:2019 as a condition of funding.
However, the ISO 27001 requirement was relaxed in January 2020: for 2019/20, education and training providers need only meet the requirements of the Cyber Essentials scheme. The ESFA has indicated that this requirement will be strengthened to Cyber Essentials Plus in 2021 and, further down the line, to ISO 27001.
This page explains what ISO 27001 and ISO 22301 are, how to achieve and demonstrate conformance to them, and the benefits of using them to improve your cyber resilience.
It also links to a wealth of free resources, and products and services relating to ISO 27001 and ISO 22301, so you can find everything you need to implement them – whatever your budget or level of expertise.
Free PDF download: Cyber Security and Business Resilience – Thinking strategically
For today’s organisations it's no longer enough to suppose that you can defend against every potential cyber attack: you must prepare for an attack to succeed. Download this paper to discover how implementing ISO 27001, ISO 22301 and other standards can secure your organisation.
Who is affected by the ESFA requirements?
ISO 27001 for education and training providers
What is ISO 27001?
ISO 27001 sets out the specifications for an ISMS – a systematic approach to securing data that covers people, processes and technology.
Annex A of ISO 27001:2013 lists 114 security measures, or ‘controls’, grouped into 14 control sets (A.5 to A.18), covering everything from information security policies to reviewing information systems’ technical compliance.
Based on the outcomes of regular risk assessments, an ISMS addresses the risks facing your information in a focused, efficient and cost-effective manner, applying only those controls that the assessment justifies.
ISO 27001 is the only information security standard to which organisations can achieve independently audited certification to demonstrate that their approach follows international best practice.
Learn more about ISO 27001
Free PDF download: Information Security and ISO 27001 – An introduction
Discover the importance of ISO 27001 and how the Standard can help you meet your legal and regulatory obligations. This paper also explores the benefits of implementing an ISMS and achieving ISO 27001 certification.
ISO 27001: What does Schedule 7 of the ESFA contract framework require?
Schedule 7 states that:
1.3 The [College/Employer/Provider/Contractor] shall be able to demonstrate conformance to, and show evidence of such conformance to the ISO/IEC 27001 (Information Security Management Systems Requirements) standard, including the application of controls from ISO/IEC 27002 (Code of Practice for Information Security Controls). The [College/Employer/Provider/Contractor] shall work towards certification for the 2020/21 funding year.
It goes on to list a number of specific security requirements – including physical security, access controls, antivirus and firewalls, patch management, and the use of audit logs – all of which can be met using ISO 27001’s Annex A controls.
ISO 27001 certification
Section 1.3’s intent is clear: you must implement an ISMS and retain the appropriate documentation to show an ESFA auditor that it conforms to ISO 27001, or be able to produce a certificate from an independent auditor that shows your ISMS is ISO 27001 conformant.
Independently audited certification is not compulsory yet. Following consultation, the requirement to work towards certification to the Standard for the 2020/21 funding year was withdrawn in September 2019. However, certification “will remain a future requirement”.
Moreover, certification is the most efficient way of demonstrating your conformance to the Standard. If you have been independently audited, you will have documented confirmation that you meet the Standard’s requirements, so it is well worth considering this option sooner rather than waiting for it to become mandatory – especially as certification runs on a three-year cycle, subject to annual surveillance audits.
Learn more about ISO 27001 certification
ISO 22301 for education and training providers
What is ISO 22301?
ISO 22301 sets out the requirements for a BCMS – a framework that helps organisations prepare for, respond to and recover from disruptive incidents that affect their critical processes and activities.
A BCMS that conforms to ISO 22301 provides a well-defined incident response structure that ensures that when an incident occurs, responses are escalated in a timely manner and the right people take the right actions to respond effectively.
This includes ensuring support and involvement from the top of the organisation, risk management, adequate resources, staff competence and awareness, and continual improvement of the management system.
Learn more about ISO 22301
Free PDF download: Business Continuity and ISO 22301 – Preparing for disruption
Download this paper to discover how ISO 22301 can support your implementation project, the benefits of business continuity management and how business continuity differs from disaster recovery.
ISO 22301: What does Schedule 7 of the ESFA contract framework require?
As well as requiring the implementation of best-practice information security, Schedule 7 mandates conformance to ISO 22301:
1.16 The [College/Employer/Provider/Contractor] will, as a minimum, have in place robust Business Continuity arrangements and processes including IT disaster recovery plans and procedures that conform to ISO 22301 to ensure that the delivery of the Agreement is not adversely affected in the event of an incident. An incident will be defined as any situation that might, or could lead to, a disruption, loss, emergency or crisis to the Services delivered. If a[n] ISO 22301 certificate is not available the supplier will provide evidence of the effectiveness of their ISO 22301 conformant Business Continuity arrangements and processes including IT disaster recovery plans and procedures. This should include evidence that the [College/Employer/Provider/Contractor] has tested or exercised these plans within the last 12 months and produced a written report of the outcome, including required actions.
ISO 22301 certification
A BCMS aligned with ISO 22301 will ensure your business continuity plans remain up to date and become part of your organisation’s culture. It will help you mitigate risks effectively and continually, and adopt an integrated approach to managing business continuity.
As with ISO 27001, organisations can achieve independently accredited certification to ISO 22301 to demonstrate that their business continuity plans follow international best practice.
Learn more about how we can help you implement ISO 22301
Cyber resilience with ISO 27001 and ISO 22301
All newer ISO management system standards follow the same high-level structure, defined in Annex SL of the ISO/IEC Directives: common clause numbering, shared definitions and the same core requirements for context, leadership, planning, support, operation, performance evaluation and improvement. This means that your ISO 27001-compliant ISMS and ISO 22301-compliant BCMS can share much of their documentation and governance, and can be integrated into a single implementation project.
Conforming to both ISO 27001 and ISO 22301 will give you a documented cyber resilience framework: ISO 27001 reduces the likelihood and impact of attacks on your networks and information systems, and ISO 22301 ensures you can keep critical services running and recover quickly when an incident does occur.
That recovery capability is not just good practice: Article 32 of the GDPR (General Data Protection Regulation) requires organisations to be able to restore the availability of and access to personal data in a timely manner after a physical or technical incident.
Learn more about cyber resilience
How IT Governance can help you meet your 2019/20 ESFA requirements
IT Governance has been a pioneer of ISO 27001 compliance since the inception of the Standard, when our management team led the world’s first ISMS certification project (when the Standard was still known as BS 7799).
Since then, we’ve developed the most comprehensive range of products and services in the world, expanding our offering to cover business continuity, data protection and GDPR compliance, PCI DSS (Payment Card Industry Data Security Standard) compliance, penetration testing, and more. Our products and services can be tailored to organisations of all types and sizes, whatever their resources.