Advent IM's gap analysis helped ensure South Warks NHS Trust's information assets are secure
In an effort to ensure that it protects the information assets it holds, the South Warwickshire General Hospitals NHS Trust (SWGHT) has undertaken a major review of its security procedures with independent security consultancy Advent IM. Due to the sensitive and confidential nature of these assets, all NHS organisations must meet annual Statement of Compliance obligations for information security. This involves, but is not limited to, meeting the control requirements in the NHS Information Governance (IG) Toolkit.
Although SWGHT had a number of processes and procedures to protect its information assets already in place, the Trust was keen to identify areas where controls could be further enhanced. At this point it approached Advent IM to undertake a thorough gap analysis to review the existing procedures against the ISO 27001 Standard, the international standard for information security management, to support future strategic planning.
Although controls within the IG Toolkit cover a number of compliance areas and mirror some of ISO 27001's key clauses, they are not as detailed as those in the standard. ISO 27001 is very much a process-based standard, providing guidance on implementing best-practice processes and procedures to counter key risk areas, namely:
- Security Policy Management
- Organisation of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management and Compliance
The first stage of the Gap Analysis was for Advent IM to carry out a project initiation, confirm the scope and identify key stakeholders within the Trust who were relevant to the scope of the review. This was followed by individual meetings to glean the required information on current information security practices, in relation to the key risk areas. These interviews were coordinated across three days with representatives from IT, HR, Facilities Management, Finance and Information Governance.
Once Advent IM had completed these information gathering exercises, the data was then used to populate a comprehensive report against all 133 controls within the ISO 27001 standard. The report included a summary of the current practice against each control, a statement of compliance to the standard and recommendations for improvement where appropriate. Advent also produced a snapshot of compliance in both tabular and graphical formats.
Once the report was completed, Advent reviewed the findings with the Trust’s Information Security Manager. During the review, it emerged that a couple of the controls for which SWGHT had been expected to be partially compliant had been marked as non-compliant. At this time, Advent talked through the reasons for the assessment so that stakeholders could understand what the control expects and how improvement could be implemented.
Duncan Robinson, Associate Director of IT for SWGHT, commented: “When I joined SWGHT, I wanted an independent gap analysis performed in the hope that it would validate my understanding of the current situation within the Trust. What I received was much more.”
Advent IM provided Robinson with the comprehensive gap analysis report and validation he sought. Additionally, the report gave him the basis for an action plan which could be prioritised and dovetailed into existing project plans. Mapping the original auditor’s findings to those from the gap analysis enabled positive feedback to be given to the Trust’s Internal Audit Team, thereby providing assurance that previous recommendations were being acted upon.
Robinson added: “The report was very thorough and Advent IM demonstrated a very high level of knowledge clearly gained from years of experience. Its style was very approachable and their listening skills made the interviewing process extremely smooth. The whole process was carried out efficiently and I was impressed with the quick turnaround.
“The gap analysis report provided me with a very tangible and workable tool which has assisted in the facilitation of beneficial changes to information management processes within the Trust. I would happily use Advent IM’s services again.”
SWGHT incorporates Warwick and Stratford-upon-Avon Hospitals and serves a community of approximately 270,000 in South Warwickshire and the surrounding areas. The region’s largest population centres are the towns of Kenilworth, Royal Leamington Spa, Southam, Stratford-upon-Avon and Warwick. The Trust employs just over 2000 staff and is a major supplier of acute services in South Warwickshire providing a wide range of day case, inpatient, outpatient, maternity and accident and emergency services.
Advent IM is an independent consultancy specialising in information assurance and physical security services. Its style of consultancy is to provide a bespoke service using a combination of quantitative and qualitative information gathering techniques, with the ethos that in order to deliver true benefit to an organisation, the results of every analysis need to be specific to each client. For further information, please visit www.advent-im.co.uk
