# UCL Research Data Information Security Management System Information Security Policy
Document Name: RISM07-Research_Data_ISMS_Information_Security_Policy
Author: Tim Machin
Classification: Public
Version: 1.1
Last Review Date: 11/04/2025
Last Reviewed by: Angharad Green
Approved by: OMG
Approved date: 12/03/2025
Review Period: 3 Years
Sources: SLMS-IG03
## 1. Document Overview
Information is a vital asset, both in terms of the world-leading clinical research undertaken by UCL and in terms of the efficient management of services and resources.
It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures, management accountability and structures are in place to provide a robust governance framework for information management. In general, this framework is provided by the UCL Data Protection Policy and the UCL Information Security Policy.
Research projects frequently receive information from third parties including the NHS, which is restricted by specific regulation or contracts. As a result, UCL is subject to additional responsibilities in satisfying information governance requirements and in safeguarding highly confidential information.
This document addresses the following requirements in the ISO 27001:2022 standard:
- Clause 5.2
- Clause 6.2
- Clause 9.1
## 2. Scope
The Research Data ISMS Information Security Policy covers people, processes, applications, infrastructure and data that fall within the scope of the research data ISMS.
This policy augments the UCL Data Protection Policy and UCL Information Security Policy and applies to all users in scope of the research data ISMS. It relates to their use of any Trusted Research Environment, associated data, applications and code.
For the avoidance of doubt, where this policy differs from UCL’s Information Security Policy or Data Protection Policy, the more restrictive policy applies.
## 3. Conventions used in this Document

| Term | Meaning |
|---|---|
| Shall | A mandatory requirement of this policy |
| Should | A recommended requirement of this policy |
| May | An optional requirement |
## 4. Information Security Objectives
The Information Security Objectives of the organisation are owned by the Senior Information Risk Owner (SIRO).
The objective of the organisation is to enable research to be carried out on confidential information while managing information risk within tolerance. Details of the issues the organisation seeks to address can be found in the Scope.
To ensure this objective is being achieved, the following metrics are in place to measure performance.

| Measure | Target |
|---|---|
| The proportion of applicable studies using UCL’s Trusted Research Environments | 100% of studies currently registered with the Information Governance Advisory service use a trusted research environment |
| The ISMS is operating in compliance with the ISO 27001 standard and UCL’s objectives, as measured by audit | The standard and all controls are audited within each 3-year certification period |
| The level of risk within the organisation, as measured in the UCL Research Data ISMS Risk Assessment, is deemed to be ‘manageable’ | All risks are ‘green’ (within UCL’s risk appetite) |
| Non-conformities are dealt with in line with the Audit Procedure | 100% of non-conformity actions actioned in a timely manner |
| Incidents are dealt with in line with the Incident Management Procedure | 100% of severe incidents actioned in a timely manner |
| The proportion of Approved Researchers with suitable up-to-date training | 95% up-to-date completion for users in scope |
### 4.1. Review and monitoring of compliance with objectives

- Implementation of and compliance with this Policy shall be monitored by the Information Risk Governance Committee.
- The above objectives should be measured through quality data (such as training records), incident reports, risk assessments and audit.
- Compliance with this policy shall be monitored during the investigation of information security incidents.
### 4.2. Continual improvement
- Opportunities for improvement identified through audits, incidents or near misses should be recorded and acted upon.
## 5. Access Control
All access to physical infrastructure and digital systems shall be managed in accordance with the Access Control Policy.
## 6. User Responsibilities
Users shall comply with the Approved Researcher Agreement and the TRE Study.
Any breach of the terms of these agreements may result in removal of access to an environment or data and disciplinary procedures.