ISO27001 Scope - Derbyshire County Council

PUBLIC
Information Security Document
Derbyshire County Council
ISO27001 Scope
Version 4.0
Version History

Version | Date | Detail | Author
1.0 | 01/08/2012 | Approved by Information Governance Group | Jo White
2.0 | 27/03/2013 | Reviewed by Information Governance Group to expand on scope areas and processes | Jo White
3.0 | 30/08/2013 | Reviewed by Information Governance Group. Several Asset Owners have changed. | Jo White
4.0 | 10/08/2015 | Reviewed by Information Governance Group. Incorporation of definitions of internal and external stakeholders. | Jo White
1.1 Introduction
This document describes the scope of the Council’s Information Security Management
System (ISMS) and how information assets are protected from influences which are
outside of the ISMS scope.
The Council’s ISMS functions in accordance with the ISO27001:2013 standard and all
legal, regulatory and statutory requirements as identified below:
- The Data Protection Act (1998)
- The Freedom of Information Act (2000)
- The Computer Misuse Act (1990)
- The Human Rights Act (1998)
- The Copyright, Designs and Patents Act (1988)
- The Regulation of Investigatory Powers Act (2000)
- The Electronic Communications Act (2000)
- Privacy and Electronic Communications Regulations (2015)
Also included within this document:
- A written scope defining company core business;
- Boundaries of scope;
- Geographical locations;
- Organisational employee structure; and
- Responsibilities and any other appropriate information.
1.2 Information Security Management System Scope
The Information Security Management System of this Business Management System
is based on BS EN ISO27001:2013.
The scope of the certified Information Security Management System is for:
"The protection of all information and data assets for the delivery of all Council
functions, services and activities - excluding schools. The assets protected are
physical locations, hardcopy data, electronic data, Council records, policies and
procedures, software and licences and physical IT hardware. The boundaries of the
Information Security Management System are the physical locations, authorised
mobile workers and the endpoints of the organisational network. Supporting
technology includes server platforms, network devices and organisational networks
within the control of Derbyshire County Council, in accordance with Statement of
Applicability Ver 5"
1.2.1 Within Scope
Excluding schools, the Information Security Management System applies to all
functions, services, activities and data information assets of Derbyshire County
Council.
1.2.2 Out of Scope
Schools and associated school maintained premises and resources are
managed autonomously. Schools are beyond the scope of the Council’s ISMS;
however, the Council provides key services to schools, many of which schools
may opt in or out of.
1.3 ISMS Scope Boundaries
The relationship between the Council’s internal business/services within the ISMS
scope and those which are out of the ISMS scope is identified below. Council
services and activities within scope have been identified where there is a risk to
information beyond the Council’s business end-points.
WITHIN THE ISMS SCOPE: COUNCIL SERVICES AND ACTIVITIES | OUT OF THE ISMS SCOPE: EXTERNAL PARTY ACCESS TO INFORMATION AND SERVICES
Adult and Social Care services | THE PUBLIC, GOVERNMENT AGENCIES, THIRD PARTIES
Audit Services | GOVERNMENT AGENCIES, POLICE, COURT SERVICES
Call Derbyshire (call centre) | THE PUBLIC, THIRD PARTIES
Children and Younger Adults services | THE PUBLIC, GOVERNMENT AGENCIES, THIRD PARTIES
Computer and Internet use logs | THE POLICE, THIRD PARTIES
Coroners | THE PUBLIC, GOVERNMENT AGENCIES, COURT SERVICES
Corporate records | THE PUBLIC, THIRD PARTIES
Council Employee information | POLICE, DISTRICT COUNCILS, GOVERNMENT AGENCIES
Council premises and facilities | THE PUBLIC, THIRD PARTIES
Council public facing websites | THE PUBLIC, THIRD PARTIES
Derbyshire Business Centre | THE PUBLIC, THIRD PARTIES
Emergency planning | GOVERNMENT AGENCIES, POLICE
Finance | SCHOOLS, GOVERNMENT AGENCIES, THIRD PARTIES
Freedom Of Information requests | THE PUBLIC
Hubs | THE PUBLIC, THIRD PARTIES
Legal services | COURT SERVICES, POLICE
Libraries | THE PUBLIC, THIRD PARTIES
Pensions | GOVERNMENT AGENCIES, THE PUBLIC, THIRD PARTIES
Property Services | SCHOOLS, THE PUBLIC, THIRD PARTIES
Recycling/waste disposals | SCHOOLS, THE PUBLIC, THIRD PARTIES
Registrars (Births, deaths and marriages) | THE PUBLIC, GOVERNMENT AGENCIES
School admissions and referrals | SCHOOLS, THE PUBLIC, GOVERNMENT AGENCIES, THIRD PARTIES
School Support services | SCHOOLS, THIRD PARTIES
Subject access requests | THE PUBLIC
Trading Standards | THE PUBLIC, GOVERNMENT AGENCIES, COURT SERVICES
Transport | SCHOOLS, THE PUBLIC, THIRD PARTIES

EXTERNALLY CONTRACTED SERVICES AND SUPPLIERS (THIRD PARTIES):
- IT Solutions, services and maintenance
- Disposals
- Building contractors
- Agency workers
- Cleaners
- Offsite storage
- Personal (medical) aides
- Environmental services subcontracting
- School transport
- Nursing Homes
- Individual Agencies
In delivering these services, the Council relies on many third party suppliers who are
contracted to provide solutions and services which may store, process and generate Council
information or who may have access to Council information. The Council is also required to
share information with government and other outside agencies due to legal, regulatory,
statutory or business requirements. The Council protects the confidentiality, integrity and
availability of information which is held in locations by suppliers and other agencies that are
outside of the Council’s ISMS scope by ensuring robust procurement processes, contractual
and information sharing agreements are in place.
1.4 Company Stakeholders
Derbyshire County Council delivers services for people of all ages in every community
across the county. Many, but not all, of these services are required due to legal,
statutory or regulatory requirements. Much of the information and data which is held
and/or generated by delivering these services is subject to protection under the Data
Protection Act 1998 and the Council works to ensure that this information is protected
at all times. The Council’s information asset risk management strategy has identified
and appointed information asset Risk Owners from all departments. Risks to
information assets are recorded in departmental Asset Registers and managed under
the Council’s Information Security Management System (ISMS).
1.5 Key Business Risk Owners
Key business processes include:

Ref | Asset Owner | Department
1.5.1 | Graham Woodhouse | Adult Care
1.5.2 | David Gurney | Adult Care
1.5.3 | Karen Gurney | Children and Younger Adults’
1.5.4 | Martin Stone | Children and Younger Adults’
1.5.5 | Robert Taylour | Health and Communities
1.5.6 | Don Gibbs | Health and Communities
1.5.7 | Mags Young | Chief Executives
1.5.8 | James Luckraft (DBC) | Corporate Resources
1.5.9 | Peter Handford | Corporate Resources
1.5.10 | Jeremy Goacher | Corporate Resources
1.5.11 | David Jenkins | Health and Communities
1.5.12 | Sally Goodwin | Health and Communities
1.5.13 | Angela Glithero | Economy, Transport and Environment
1.5.14 | James Luckraft | Corporate Resources
1.5.15 | Simon Hobbs | Corporate Resources
1.5.16 | Elaine Michel | Health and Communities
1.5.17 | Hayley Lever | Health and Communities
1.5.18 | Carol Brown | Corporate Resources
1.5.19 | Cliff York | Corporate Resources
1.5.1 Graham Woodhouse
Head of Finance, Adult Care.
Responsible for Adult Care financial client files, finance staff and finance
systems.
1.5.2 David Gurney
Group Manager (Performance).
Responsible for Adult Care fieldwork and direct care staff, client data held in
electronic and paper form, non-financial systems and residential and day care
establishments.
1.5.3 Karen Gurney
Deputy Head of Finance, Children and Younger Adults’.
Responsible for Children and Younger Adults’ financial electronic and paper files,
finance staff and finance systems.
1.5.4 Martin Stone
Team Manager, Information & ICT, Children and Younger Adults’.
Responsible for Data Management and Information Governance for Children
and Younger Adults’ staff.
1.5.5 Robert Taylour
Assistant Director, Health and Communities. Head of Trading Standards.
Responsible for Trading Standards staff and IT systems. Also responsible for
hardcopy case files and evidence files.
1.5.6 Don Gibbs
Service Director, Health and Communities. Head of Libraries & Heritage.
Responsible for libraries, library management system and user data. Also
responsible for museum artifacts, Derbyshire Records office, physical archives,
book stocks and Arts website.
1.5.7 Mags Young
Assistant Chief Executive, Chief Executives.
Responsible for electronically held data such as systems used by Public
Relations, Complaints, Citizens personal data, Members’ Casework system and
Communications personnel.
1.5.8 James Luckraft
HR Service Partner, Corporate Resources.
Responsible for the Derbyshire Business Centre which prints out the majority of
the Council’s mailings, payslips, staff rotas, P60s and pension files. Also
responsible for the delivery and dispatch of post, photocopying, press equipment
and multi-function devices.
1.5.9 Peter Handford
Director of Finance, Corporate Resources.
Responsible for all corporate financial systems, personal data held electronically
on those system, paper based pension files and other paper based financial
records including invoicing. Also responsible for risk and insurance.
1.5.10 Jeremy Goacher
Director of Property, Corporate Resources.
Responsible for all council premises excluding residential establishments, asset
management and job management systems, various files and databases used
by Property Services and paper files relating to drawings, invoices and planning.
1.5.11 David Jenkins
Corporate Records Manager, Health and Communities.
Responsible for hardcopy offsite storage documents, records management
within the Electronic Document and Records Management system, records
management procedural framework, archive records and the Record Office
cataloguing system.
1.5.12 Sally Goodwin
Assistant Director (Community Safety), Health and Communities.
Responsible for the Council’s Business Continuity and Emergency plans and
associated underpinning data and Domestic Violence personal data. Also
responsible for the Council’s security key system.
1.5.13 Angela Glithero
Assistant Director Economy, Transport and Environment (Resources &
Improvement).
Responsible for Environmental Services mobile devices, specialist technical
equipment, protective monitoring systems, departmental ICT systems,
personnel, some properties and the vehicle fleet.
1.5.14 James Luckraft
HR Service Partner, Corporate Resources.
Responsible for HR System, HR personnel files, medical records,
accident/assault records and corporate learning and development.
1.5.15 Simon Hobbs
Assistant Director Legal Services, Corporate Resources.
Responsible for Legal Services IT System and associated paper files, Council
minutes and reports, general office personal information and financial details and
the Registration Service.
1.5.16 Elaine Michel
Director of Public Health, Health and Communities.
Responsible for Public Health staff, Public Health and Knowledge Services
Teams personnel information. Also responsible for Public Health Births and
Mortality files, Derbyshire Health United Care Home and Rightcare Contacts
information and other data held and shared from and to the NHS.
1.5.17 Hayley Lever
Director of Derbyshire Sport, Health and Communities.
Responsible for Derbyshire Sport staff, electronically held data such as Sports
Programme personal data, Sport Award Application personal data, website and
database content management.
1.5.18 Carol Brown
Assistant Director Transformation (Customer Services), Corporate Resources.
Responsible for the Corporate Service Desk, the Council’s PC and Laptop
estate, equipment commissioning and disposals and the definitive software
library.
1.5.19 Cliff York
Assistant Director Transformation (Infrastructure), Corporate Resources.
Responsible for the Council’s Data Centres, servers, networks, technical
specialists, internet, email, telephony, security incident management, business
continuity, offsite storage for electronic data and support and maintenance
contracts for equipment.
1.6 Company Structure
The company structure can be observed in Appendix 1.
Derbyshire County Council employs a workforce of over 16,000 to collect and process
information to enable the delivery of the above services. The Council is also responsible for
the employment and pension information for both the current workforce and retired
employees.
1.7 Geographical and Physical
There are approximately 200 key office locations and Derbyshire County Council employees
can also work from home or as mobile workers.
The table below identifies where information assets can be located:

Site | Location | Asset Types
Head Office | County Hall, Matlock | Main Data Centre, all office equipment and core information assets.
Other Office | Shand House, Darley Dale | Secondary Data Centre, office equipment and information assets.
Other Office | Chatsworth Hall, Matlock | Office equipment and information assets.
Other Office | John Hadfield House, Matlock | Office equipment and information assets.
Derbyshire Records Office | Matlock | Office equipment and information assets.
3 Business Units | Chesterfield, Denby, Doveholes | Office equipment and information assets.
8 Highways/Street Lighting Depots | Various | Office equipment and information assets.
12 Social Services Area Offices | Various | Office equipment and information assets.
71 Children and Family Centres/Homes | Various | Office equipment and information assets.
46 Branch Libraries | Various | Office equipment and information assets.
26 Homes for Older People | Various | Office equipment and information assets.
24 Day Care Services | Various | Office equipment and information assets.
6 Visitor Centres | Various | Office equipment.
Home & Mobile workers | Various | Laptops, paper information assets and digital information assets on laptops.
Breakdown of Council business activities and end-points:
- Supports 423 schools with 8,000 teachers teaching 103,000 children.
- Run 54 children’s centres and support 137 day nurseries, 157 pre-schools, 137 out of school clubs, 2 creches, 26 holiday schemes and 697 childminders providing early years support.
- Run 7 Youth Resource Centres and 16 mobile youth units.
- Support 415 foster carers, run 9 children’s homes, 7 family support centres and 1 residential respite care home looking after more than 600 vulnerable children.
- Help more than 25,832 vulnerable and older people to live at home through directly provided services, housing-related support and services through the independent and voluntary sector.
- Support 3,223 people in residential care.
- Assist 1,409 people to arrange their own services through Direct Payments.
- Maintain 3,100 miles of roads, 1,063 bridges, 3,216 miles of public rights of way and over 88,000 street columns which have more than 92,000 street lights.
- Operate a gritting route that covers 1,500 miles, 50% of our roads each year.
- Run 46 branch libraries, 12 mobile libraries, 1 museum, the records office and issue approximately 4.5 million items each year.
- Manage 5 country parks, 6 visitor centres, own 10 nature reserves and provide positive contributions at 352 local sites.
- Dispose and recycle more than 400,000 tonnes of waste each year.
- Manage a network of 468 miles of multi user trails/greenways.
- Provide 270 school crossing patrols.
- Have 1,200 businesses that are members of our Trusted Trader scheme, with feedback from over 16,000 consumers using the scheme each year.
- Provide trading standards advice to 5,816 businesses and members of the public each year.
- Manage over a million transactions to Call Derbyshire annually and have over 100,000 visitors to our website each month.
- Respond to approximately 400 emergency planning incidents each year.

1.8 Information Security Objectives
Business Objectives are documented in the Corporate Business Plan.
In addition to Business Objectives, Information Security Objectives are also set. These are
discussed in the Information Governance Group Terms of Reference. The Terms of
Reference are due for review in due course and this policy will then be updated accordingly.
Terms of Reference
The Council’s Information Governance Group manage and review the Council’s Information
Security Management System (ISMS) to ensure its continuing suitability, adequacy and
effectiveness. This shall include identifying opportunities for continuous improvement and
the need for change.
Review, monitor, publicise and ensure the continuous development of effective information
security related policies, procedures and guidelines.
Ensure information security communications and awareness training is effective.
Ensure the Council remains compliant with information security legislation, regulations, best
practice and contractual obligations.
Ensure the Council’s systems and processes are secure, fit for purpose and the Council is
able to work collaboratively with third parties and exchange information with those third
parties securely.
Role of the Group:
1. To develop the Council’s Information Governance work programme to establish good practice, promote a culture of information security awareness and ensure improvements to existing processes are implemented.
2. To ensure that an appropriate comprehensive Information Governance framework and systems are in place throughout the Council in line with national standards.
3. To inform and review the Council’s management and accountability arrangements for Information Governance.
4. To validate reviews of existing information security policies, procedures and guidelines and develop responses to new threats as they emerge.
5. To develop and maintain an Information Security Management System which conforms to the ISO 27001 standard.
6. To raise concerns, risks and issues associated with information security.
7. To establish and support effective communication to ensure that the Council’s approach to information handling is communicated to all Derbyshire County Council employees, including elected members, partner agencies, contractors and vendors with access to Council systems and made available to the public.
8. To coordinate the activities of employees given data protection, confidentiality, security, information quality, records management and Freedom of Information responsibilities.
9. To offer support, advice and guidance to the Caldicott Function and Data Protection programme within the Council.
10. To monitor the Council’s information handling activities to ensure compliance with law and guidance.
11. To ensure that security awareness training is made available by the Council and is taken up by staff as necessary to support their role.
12. To provide a focal point for the resolution and/or discussion of Information Governance issues.
Membership:
The membership of the Information Governance Group will be:
- Strategic Director of Corporate Resources as Chair
- Director of Transformation
- One senior representative from each service Department
- One senior representative from Public Health
- One senior representative from Legal, Audit, Communications and HR Services
Members of the Group will:
- Ensure engagement and awareness of the work of the Information Governance Group with Strategic Directors/Directors and senior management team
- Reflect the views of their department/function and contribute to decision making on action plans, policy developments and service delivery relating to Information Governance
- Consult with their department/function and contribute views based upon implications for implementation of Information Governance requirements from their departmental/function service delivery perspective
- Keep departments/functions informed on priorities, developments and decisions
- Ensure communication mechanisms are in place within their departments/functions to ensure information and actions are cascaded throughout the Council
- Implement any agreed actions ensuring consistency of approach throughout the Council
- Influence actions, behaviours and approaches and promote issues regarding Information Governance within their department/function
- Maintain sensitivity, confidentiality and diplomacy with regard to any proposals
Meetings will be held on a monthly basis (frequency of meetings will be reviewed on an annual basis from January 2012).
1.9 Responsibilities for Information Security
Derbyshire County Council specifically reviews Information Security in a dedicated
Forum. The following Employees constitute the forum:
- Strategic Director Corporate Resources (Chair);
- Director of Transformation;
- Information Security Manager;
- Adult Care Performance;
- Information Children and Younger Adults’;
- Assistant Director Economy, Transport and Environment (Resources & Improvement);
- Head of Business Services Health and Communities;
- Corporate Records Manager;
- Policy Manager Chief Executives;
- Business Development Manager Property Services;
- Service Development Manager Transformation Service;
- Senior HR Consultant;
- Solicitor Legal Services;
- Principal Auditor;
- Public Health representative.
All information security related issues and incidents are reported to the Information
Governance Group as part of the Agenda and policies and procedures support incident
reporting and management.
1.10 Monitoring and Review
This document shall be continually monitored and shall be subject to a regular review
which shall take place annually, or when a significant change is made.