In May 2019, the ESFA (Education and Skills Funding Agency) – an executive agency of the DfE (Department for Education) – launched a new contract framework for further-education funding, setting out stronger requirements for cyber security and business continuity.
Schedule 7 of its funding agreements for 2019/20 requires education and training providers – including colleges and universities – to be able to demonstrate conformance to two international standards, ISO 27001 and ISO 22301, as a condition of funding.
This page explains what ISO 27001 and ISO 22301 are, how to achieve and demonstrate conformance to them, and the benefits of using them to improve your cyber resilience.
It also links to a wealth of free resources, and products and services relating to ISO 27001 and ISO 22301, so you can find everything you need to implement them – whatever your budget or level of expertise.
ISO 27001 for education and training providers
What is ISO 27001?
ISO 27001 sets out the specifications for an ISMS – a systematic approach to securing data that covers people, processes and technology.
Annex A of the Standard provides a set of 114 organisational security measures, or ‘controls’, covering everything from information security policies to reviewing information systems’ technical compliance.
Based on the outcomes of regular risk assessments, an ISMS addresses the risks facing your information in a focused, efficient and cost-effective manner.
ISO 27001 is the only information security standard to which organisations can achieve independently audited certification to demonstrate that their approach follows international best practice.
Learn more about ISO 27001 >>
ISO 27001: What does Schedule 7 require?
Schedule 7 states that:
1.3 The [College/Employer/Provider/Contractor] shall be able to demonstrate conformance to, and show evidence of such conformance to the ISO/IEC 27001 (Information Security Management Systems Requirements) standard, including the application of controls from ISO/IEC 27002 (Code of Practice for Information Security Controls). The [College/Employer/Provider/Contractor] shall work towards certification for the 2020/21 funding year.
It goes on to list a number of specific security requirements – including physical security, access controls, antivirus and firewalls, patch management, and the use of audit logs – all of which can be met using ISO 27001’s Annex A controls.
ISO 27001 certification
Section 1.3’s intent is clear: you must implement an ISMS and retain the appropriate documentation to show an ESFA auditor that it conforms to ISO 27001, or be able to produce a certificate from an independent auditor that shows your ISMS is ISO 27001 conformant.
Independently audited certification is not compulsory yet. Following consultation, the requirement to work towards certification to the Standard for the 2020/21 funding year was withdrawn in September 2019. However, certification “will remain a future requirement”.
Moreover, certification is the most efficient way of demonstrating your conformance to the Standard. If you have been independently audited, you will know for sure that you meet your requirements, so it is well worth considering this option sooner rather than waiting for it to become mandatory – especially as certification lasts for three years.
Learn more about ISO 27001 certification >>
ISO 22301 for education and training providers
What is ISO 22301?
ISO 22301 sets out the requirements for a BCMS – a framework that helps organisations prepare for, respond to and recover from disruptive incidents that affect their critical processes and activities.
A BCMS that conforms to ISO 22301 provides a well-defined incident response structure that ensures that when an incident occurs, responses are escalated in a timely manner and the right people take the right actions to respond effectively.
This includes ensuring support and involvement from the top of the organisation, risk management, adequate resources, staff competence and awareness, and continual improvement of the management system.
Learn more about ISO 22301 >>
ISO 22301: What does Schedule 7 require?
As well as requiring the implementation of best-practice information security, Schedule 7 mandates conformance to ISO 22301:
1.18 The [College/Employer/Provider/Contractor] will, as a minimum, have in place robust Business Continuity arrangements and processes including IT disaster recovery plans and procedures that conform to ISO 22301 to ensure that the delivery of the Agreement is not adversely affected in the event of an incident. An incident will be defined as any situation that might, or could lead to, a disruption, loss, emergency or crisis to the Services delivered. If an ISO 22301 certificate is not available the supplier will provide evidence of the effectiveness of their ISO 22301 conformant Business Continuity arrangements and processes including IT disaster recovery plans and procedures. This should include evidence that the [College/Employer/Provider/Contractor] has tested or exercised these plans within the last 12 months and produced a written report of the outcome, including required actions.
ISO 22301 certification
A BCMS aligned with ISO 22301 will ensure your business continuity plans remain up to date and become part of your organisation’s culture. It will help you mitigate risks effectively and continually, and adopt an integrated approach to managing business continuity.
As with ISO 27001, organisations can achieve independently accredited certification to ISO 22301 to demonstrate that their business continuity plans follow international best practice.
Learn more about how we can help you implement ISO 22301 >>
Cyber resilience with ISO 27001 and ISO 22301
All newer ISO management systems standards follow the same high-level structure, known as Annex L. This means that your ISO 27001-compliant ISMS and ISO 22301-compliant BCMS can easily be integrated in one straightforward implementation project.
Conforming to both ISO 27001 and ISO 22301 will give you a documented cyber resilience framework capable of protecting your organisation’s networks and information systems from the majority of threats.
Moreover, it will help you recover quickly and efficiently if and when an incident occurs – as mandated by the GDPR (General Data Protection Regulation).
Learn more about cyber resilience >>
How IT Governance can help you meet your 2019/20 ESFA requirements
IT Governance has been a pioneer of ISO 27001 compliance since the inception of the Standard, when our management team led the world’s first ISMS certification project (when the Standard was still known as BS 7799).
Since then, we’ve developed the most comprehensive range of products and services in the world, expanding our offering to cover business continuity, data protection and GDPR compliance, PCI DSS compliance, penetration testing and more.
Our products and services can be tailored to organisations of all types and sizes, whatever their resources.
ISO 27001 Gap Analysis Tool
Our ISO 27001:2013 ISMS Gap Analysis Tool has been created to help organisations identify where they are complying with the requirements of ISO 27001:2013 and where they are falling short.
Find out more about the ISO 27001 Gap Analysis Tool >>
ISO 27001 implementation bundles
Combining bestselling tools, software, guides and qualification-based training with up to 40 hours of online consultancy, our implementation bundles can help you reduce the time and effort required to implement an ISMS, as well as eliminate the costs associated with traditional consultancy.
Find out more about ISO 27001 implementation bundles >>
ISO 22301 Gap Analysis Service
Learn exactly how your existing business continuity practices measure up against the requirements of ISO 22301. One of our ISO 22301 specialists will interview managers and assess your current arrangements, policies and procedures for relevance, effectiveness and efficiency. You will then receive a gap analysis report detailing areas for improvement and providing further recommendations for compliance with ISO 22301.
Find out more about the ISO 22301 Gap Analysis Service >>
ISO 22301 policies and procedures
Demonstrating ISO 22301 compliance involves creating a wide range of documentation. This is one of the most challenging and time-consuming aspects of achieving certification to the Standard. Our ISO 22301 documentation toolkits provide these policies and procedures as customisable templates, along with a selection of other useful tools and additional guidance to ease your implementation of an ISO 22301-compliant BCMS.
Find out more about ISO 22301 documentation toolkits >>