ISO 27001 accreditation: what schools should know

Mark Steed explains why he made achieving information security standard ISO 27001 a top priority for his schools – and the work required to get there
28th April 2023, 5:00am

https://www.tes.com/magazine/leadership/data/iso-27001-accreditation-what-schools-should-know
In today’s digital age, data security has become a critical concern for every school.

With the increasing use of technology in education, schools are collecting and storing more student and staff data than ever before.

Therefore, it is crucial for schools to ensure that they are protecting this sensitive information from cyberthreats.

One way that schools can demonstrate their commitment to data security is by achieving ISO 27001 accreditation. ISO/IEC 27001 is the international standard that specifies the requirements for an information security management system (ISMS); its companion, ISO/IEC 27002, gives guidance on the individual controls. Strictly speaking, an organisation is certified against ISO 27001 by a certification body, and it is the certification body that is accredited by a national accreditation body; this article uses "accreditation" in the everyday sense of having the certificate.

It provides a framework for managing and protecting sensitive data, including personal information, financial information and intellectual property.

Here at Kellett, we embarked on the journey towards achieving ISO 27001 accreditation in the aftermath of a ransomware attack in October 2020. We became one of a handful of schools in the world to achieve the accreditation in February 2023.

Why ISO 27001?

We saw the ISO 27001 accreditation process as a framework to improve our systems and processes so that we could better protect the school community from further malicious attacks.

It was also a way to demonstrate to students, staff and parents that the school takes data security seriously. ISO 27001 certification is not in itself compliance with any data protection law, but its controls map closely to the "appropriate technical and organisational measures" that regimes such as the EU's General Data Protection Regulation (GDPR) require, so it helped us to evidence that we were meeting those obligations.

The ISO 27001 accreditation covers several areas, including:

  1. Risk assessment and treatment: Schools must identify and assess potential risks to their data, decide how each risk will be treated, and record which of the standard's Annex A controls apply (and why any are excluded) in a Statement of Applicability.
  2. Security policy: Schools must have a comprehensive security policy that outlines their approach to information security and that is communicated to all staff and stakeholders.
  3. Access control: Schools must ensure that only authorised individuals have access to sensitive data and that appropriate security measures are in place to protect against unauthorised access.
  4. Incident management: Schools must have a plan in place to respond to security incidents, including data breaches, and to minimise the impact of such incidents.
  5. Business continuity: Schools must have a plan in place to ensure that critical operations can continue in the event of a security incident or other disruption.
  6. Compliance: Schools must ensure that they comply with relevant data protection regulations and that they have processes in place to monitor and maintain compliance.

What the ISO 27001 process entails

Achieving ISO 27001 accreditation requires a structured approach and involves several steps. It takes time and commitment to achieve - at Kellett, it took us nearly two years to review our systems and get the processes and policies in place. The steps to achieving accreditation include:

Establishing the scope

The first step is to identify the parts of the organisation that will be covered by the accreditation. This will typically include all areas that handle sensitive data, such as student and staff information.

Schools don’t need to include every system or app that they use in the scope statement. At Kellett, we decided just to focus on our core administrative data systems. We defined these as: our management information system, ISAMS; our Microsoft 365 environment, including SharePoint; and our student admissions, staff recruitment, HR, finance and fundraising systems.

The gap analysis

The gap analysis identifies the areas where the organisation's information security management practices do not yet meet the requirements of the standard.

The gap analysis involves comparing the organisation’s current information security management practices to the requirements of ISO 27001 and identifying any gaps that need to be addressed. This process helps to establish a baseline for the organisation’s current state of information security and provides a roadmap for the development and implementation of the ISMS.

Based on the results of the gap analysis, the organisation can then develop a plan to address the identified gaps and move forward with the accreditation process.

Conducting a risk assessment

The next step is to identify the potential risks to the sensitive data that the organisation handles. This will involve identifying threats, vulnerabilities and the potential impact of security incidents, and then deciding how each risk will be treated. ISO 27001 requires the outcome to be documented as a risk treatment plan and a Statement of Applicability, and the assessment has to be repeated at planned intervals and whenever significant changes occur.

Developing an information security management system (ISMS)

An ISMS is a set of policies, procedures and controls that are designed to manage and protect sensitive data. This will include policies on access control, incident management and business continuity.

We had a lot of support on this from the British Standards Institution (BSI), our ISO 27001 auditor, which provided dozens of template policies to point us in the right direction.

Implementing the ISMS

The next step is to implement the policies, procedures and controls that are outlined in the ISMS. This will involve training staff, implementing technical controls and monitoring compliance.

Closing the gap - conducting internal audits

Regular internal audits must be conducted to ensure that the ISMS is being implemented effectively and that any vulnerabilities are being addressed.

Conducting a certification audit

Once the ISMS has been implemented and internal audits have been conducted, an independent certification body will conduct a certification audit to verify that the organisation meets the requirements of ISO 27001. This is normally done in two stages: a Stage 1 review of the ISMS documentation and readiness, followed by a Stage 2 audit that checks whether the controls are actually operating as described.

Maintaining the ISMS

Once accreditation has been achieved, the organisation will need to maintain the ISMS and continue to monitor and address any potential risks or vulnerabilities. The certificate runs on a three-year cycle, with surveillance audits from the certification body in between (typically annual) and a full recertification audit at the end of the cycle, so the policies, risk assessment and internal audits all have to be kept current rather than filed away.

The cost of ISO 27001

Our total financial cost of achieving ISO 27001 accreditation at Kellett was approximately £20,000.

This included the costs paid to BSI for conducting the gap analysis, audits and providing much-needed training to the data team. We also paid another external provider to conduct our “internal audits” because we did not have sufficient manpower within the school team.

The highest cost was not financial - it was in terms of the tech and data team’s time. This was a huge project that dominated their workload for over a year.

The accreditation required that the school produce dozens of new policies and procedures, which meant that the team had to spend a considerable amount of time on policy writing. That said, the BSI provided some valuable templates to help us on our way.

One of the important lessons that we learned early in the process was that it was going to cause too much disruption to the organisation if we included our teaching and learning data systems, such as Google Classroom and SeeSaw, in the ISO 27001 scope.

We therefore chose to exclude these from the “scope statement”, focusing instead on the core data systems, such as our school MIS and our admissions system. This meant that the brunt of the work fell on the administrative teams rather than on the teachers.

This is not to say that our teaching and learning data is not important - after all, it is personal data (personally identifiable information, or PII) under GDPR. But it recognises the reality that the personal and medical information held in our school management system is significantly more sensitive, and more valuable to an attacker, than the coursework and grades held in Google Classroom or SeeSaw.

Now that we have climbed the mountain, the ongoing cost of the annual surveillance audits needed to maintain ISO 27001 accreditation is £3,000 to £6,000 per annum.

Ultimately, we viewed the cost of the process as an investment that would give significantly greater protection for the school going forward.

ISO 27001 and cyber insurance

As the threat of cyberattacks continues to grow, cyber insurance is becoming an increasingly important consideration for organisations.

The world of cyber insurance is evolving to offer more comprehensive coverage as the nature of cyberattacks becomes more sophisticated. But the flip side of this is that insurance companies are increasingly requiring organisations to have robust systems in place before providing coverage.

ISO 27001 accreditation can also help schools to obtain cyber insurance coverage. Many insurance companies now require organisations to have a comprehensive information security management system in place before they will provide coverage for cyber risks.

Achieving ISO 27001 accreditation may also help to reduce insurance premiums by giving the insurer independently audited evidence that the organisation has taken steps to mitigate potential risks, offsetting some of the cost of gaining the standard.

And so…

In conclusion, achieving ISO 27001 accreditation can help schools to demonstrate their commitment to data security, comply with data protection regulations and protect sensitive information from cyberthreats.

It provides a framework for managing and protecting sensitive data and covers areas such as risk assessment, security policy, access control, incident management, business continuity and compliance.

As schools continue to rely more heavily on technology, ISO 27001 accreditation is becoming an increasingly important consideration.

Mark S Steed is the principal and CEO of Kellett School, the British International School in Hong Kong. He previously ran schools in Devon, Hertfordshire and Dubai. He tweets @independenthead
