Review of requirements for security accreditation (ISO027001)

[Davsarper]

Goal Title

A clear list of requirements and necessary steps that DSH would need to take to be ISO027001 compliant

Description

This work will include pulling a list of requirements for the specification that includes a clear idea of the steps to take and the effort involved.

It also includes the work relating to DSPT certification: resubmitting and adapting answers if necessary

Definition of Done

DSH remains DSPT compliant

There is a documented plan for DSH to be ISO027001 compliant

Details

• RACI
  • Accountable team or person: RPM
  • Responsible team or person: TRESA-REG, RCM, RAM, Other (Legal, DP?)
  • Informed and consulted people:
• Estimated effort
  • RAM: 0.05
  • REG: 0.1 (?)
• High/Medium/Low (initial scale before, to be dropped)
• Story points (Above 10, sum of monthly issues effort)

Task and issue breakdown

Breakdown in specific tasks of maximum a month duration, tasks and issues may be added as necessary
Issues may span across repositories when necessary

• issue alan-turing-institute/data-safe-haven-team#X
• issue alan-turing-institute/data-safe-haven#X
• issue alan-turing-institute/trusted-research
• issue sa-tre/satre-specification#X
• issue sa-tre/satre-team#X

Checklist

• This Story have been agreed with project members, it tackles prioritised work
  • If not: Label as ForPrioritisation so it discussed in the next monthly meeting, do not set a status
• I have filled in the Team Accountabe field
• I have included this Story in the agreed upon Milestone, set status as Planned
  • If not: set status as Backlog, to be Planned via weekly meetings or async discussions
• The work to be done is likely to span over a month
• I have broken down the work in monthly issues and added them above
• I have labeled this issue according to its main project: SATRE, TRESA, CORE DSH (ELA) or other (please agree and create a new label if necessary)
• I have stimated the total effort and added it in the body (under Details) but left the issue field blank

Reporting

5 February to 8 April

Revised DSPT v6 requirement, there being no effective changes for category 3 organisations (us).
Reviewed and copied last year answers for all mandatory requirements and made progress updating links and references (ongoing).
Held team meeting to review non mandatory requirements identifying a full list of them that could be positively answered.

Issue is here and document with in progress submission here https://thealanturininstitute.sharepoint.com/:x:/s/SafeHaven/EYe0bGdP4ihJienQqrPyGkYBLvUrwVGk1BbRT8ixygETiw?e=HfEzpS

10 July to 14 August

• Workload on other stories have not allowed attending to it, will be move for late september

[Davsarper]

@jemrobinson & REG what effort from you do you think this would take? Considering you are not Accountable but do contribute to it and are Responsible.
I do see myself requiring your contributions here, especially to start with

[jemrobinson]

ISO27001 certification is either "easy - we did it in a weekend" or "incredibly hard, it took us two years of work" depending on who you talk to. I think it is more likely to be the second.

Reviewing the requirements sounds like it should be a few weeks/months of FTE from RPM with days/weeks of work from the REG DSH team contributing to that. Actually implementing/writing a submission will, I imagine, take much longer.

[Davsarper]

october: do try to get started with DSPTR resubmission and familiarising with ISO

[Davsarper]

This requires a proper proposal put in place: what we are going to get, for what. And then submit it.

[Davsarper]

Should be a new Story but Feb priority is DSPT - very high priority knowing what we need to do when by end of the month.

[martintoreilly]

I'm super keen on us being ISO27001 compliant but please could we capture the value we're providing and to who? e.g. allows Turing to do this project / class of projects (or use our DSH rather than pay someone else to use theirs), would mean organisation X would use our DSH etc.

[Davsarper]

This is DSPT: continues to be a priority as we have to finish submission, it should not be too much effort as we have reviewed requirements.

[Davsarper]

Be mindful Helen is now on leave, and David SJ will be on leave for the beginning of April

[Davsarper]

This remains a priority to finalise DSPT submission but should not be resource intensive (answers already prepared)

[Davsarper]

Deadline 30 June, absolute priority. See progress in https://github.com/alan-turing-institute/trusted-research/issues/158#issuecomment-2135124214
We need to:

• Create a needs analysis to which the answer is the training we do
• Create a list of projects (same info as in sharepoint folder but unified)
  In conversation with Kit

[Davsarper]

Should not be a priority as it will be done (one way or another) next Monday.

Important to collect all improvements and areas of work we've detected and plan for them (schedule meeting).