We must make sure all our working practices, policies and procedures are well known and used by staff and in line with all current recognised standards of security and confidentiality.
Increasingly, we're required to share information and data with external agencies.
Some of these agencies now require partners to be certified to the ISO 27001 standard in information security before they will share, or let us use, their information.
We also have a legal requirement to abide by the Data Protection Act and the ISO standard makes sure we have the necessary tools and practices to enable us to do this.
We can be heavily fined for information breaches and ISO27001 accreditation equips us to help avoid this happening.
What this means for staff
In order to remain accredited we must be able to show that all staff are aware of our current data protection and information security policies. That's why we launched the Data Demon campaign. It's designed to explain our data security policies as well as help you find all the information that you need in one place.
We will be visited by auditors every 6 months. Their job is to find out how well we implement data security policies as an authority.
Overview of the ISO27001 audit
As part of each audit visit, the auditors look in detail at the information security management system documentation that our information governance group has been putting in place.
They will also incorporate other procedures and records around information security, training records, starters and leavers procedures.
The auditors will decide which sites and areas they wish to visit and which staff they wish to interview.
They will be interviewing our information risk owners, but the auditors may also want to speak to staff from lots of different departments in order to find out how much is known about data security and our policies.