Yesterday UCISA published the Information Security Management Toolkit that provides guidance to higher education institutions wishing to establish systems to manage information security. Authors from across the sector contributed to the content including Andrew Cormack and myself from Jisc.
Previous guidance from UCISA mainly focused on the application of ISO/IEC 27002:2005 to higher education. This new revision focuses on ISO/IEC 27001:2013 and takes a closer look at the governance and management of information security rather than the controls that an institution might choose to implement. The previous guidance is still largely valid, but care needs to be taken to interpret it in the context of an older standard. Watch out for outdated references!
Early chapters focus on addressing information security as a governance issue, looking at the internal and external drivers towards more formal management, and at what systems and information are necessary to sell these activities to top management. Towards the end, the toolkit looks at measurement, monitoring and audit, and at how to ensure that your systems are continually improved.