Information Security & ISO 27001

  • Put simply, ISO 27001 is the standard for an Information Security Management System (ISMS).
  • It is a framework of policies and procedures that includes legal, physical and technical controls, linked to Face Facts information risk management.
  • A Management Team and an Information Security Manager are identified to oversee the ISMS and ISO 27001 certification.


  • Senior Management Team - Rach, Jo, Jules
  • Information Security Manager - Jo



ISO 27001 Process

[Figure: ISO 27001 process diagram]

The six-part planning process

  1. Define a security policy.
  2. Define the scope of the ISMS.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select control objectives and controls to be implemented.
  6. Prepare a statement of applicability.

All stages are then audited:

  • Are the processes working?
  • What has changed in the business?
  • Is the risk still the same?
  • Are the controls working?
  • Have there been any breaches?



ISMS & Policies

  • As part of the Information Security Management System (ISMS) there are a total of 36 policies, which also accompany the Staff Handbook.


  • 26 policies already existed!
  • 10 ‘new’ IT-specific policies have been implemented:
  1. Access Control Policy
  2. Data Protection Policy
  3. Information Security Policy
  4. Retention Policy
  5. Business As Usual (BAU) Policy
  6. Information Backup & Restore Policy
  7. Information Classification Policy
  8. Information Transfer Policy
  9. Password Policy
  10. Secure & Clear Desk Policy



Information Security : Purpose

To preserve the appropriate confidentiality, integrity and availability of Face Facts information assets, Face Facts must make sure they are protected against unauthorised access, disclosure or modification. This is not just critical for assets covered by the Data Protection Act 1998 (DPA) and the primary and secondary data used for research purposes, but also for all business conducted across the company.

Different types of information require different security measures depending upon their sensitivity. 

FFR’s information classification standards are designed to provide information owners with guidance on how to classify information assets properly and then use them accordingly.

This guidance, developed in accordance with Face Facts Information Security and Data Protection Policies, includes classification criteria and categories, as well as rules for the delegation of classification tasks.

SIMPLE TERMS – To keep information safe and secure, Face Facts will classify all information and define who can access or modify it.



Information Security : Scope & Retention

This standard applies to all Face Facts information, irrespective of the data location or the type of device it resides on.  It should consequently be used by all staff and third parties who interact with the information held by and on behalf of Face Facts.

Information Retention

There may be minimum or maximum timescales for which information has to be kept. These may be mandated in a research or commercial contract. Other forms of information retention may be covered by environmental or financial regulations: see the Retention Policy for guidance.

SIMPLE TERMS – All data received, stored and used by Face Facts, both physically and electronically, will be classified. The classification applies to all staff, no exceptions. In order to maintain Information Security and manage risk, information will only be retained for the period specified in the Retention Schedule within the Retention Policy (Next Session!).



Information Security : Responsibilities

Information Security Manager/Senior Management Team

Responsible for advising on and recommending information security standards for data classification.

Members of Face Facts

All members of staff, third parties and collaborators on Face Facts projects are users of Face Facts information.  They are responsible for assessing and classifying the information they work with and applying the appropriate controls.

All staff must respect the security classification of any information as defined, and must report any inappropriate situations, or potential situations, regarding information to the Information Security Manager or Senior Management Team as quickly as possible.

SIMPLE TERMS – Jo, Jules & Rach will oversee the classification categories. It is the responsibility of all Face Facts staff to ensure that any data is classified correctly, to follow the classification, and to report any nonconformities.



Information Security : Information Classification

All Face Facts data is stored on a single Microsoft SharePoint Team Site (the R Drive).

The overall Microsoft SharePoint site is administered by those with administrative permissions; these permissions are limited to the Information Security Manager and the Senior Management Team.

There are 4 classification levels for data:

  1. Client Confidential (Company)
  2. Business Confidential
  3. Restricted
  4. Public


Information Security : Information Classification Grid
