
Document No. ISMS/DOP/001
IT Operations
Documented Operating Procedures
1. Approval and Authorisation
Completion of the following signature blocks signifies the review and approval of this Process.

Role           | Name    | Job Title                      | Signature | Date
Authored by:   | <Name>  | Network/Systems Supervisor     |           | 13th November, 2001
Approved by:   | <Name>  | Information Security Officer   |           | 13th November, 2001
Authorised by: | <Name>  | Finance & IT Director          |           | 13th November, 2001

2. Change History

Version     | Date                 | Reason
Draft 1.0   | 8th September, 2001  | First draft for comments
Version 1.0 | 13th November, 2001  | First Version

334911729 <Date>    Uncontrolled Copy When Printed    Page 1 of 10

3. Contents
1.  Approval and Authorisation ........................................ 1
2.  Change History .................................................... 1
3.  Contents .......................................................... 2
4.  Definitions Used in this Report ................................... 3
5.  Document Referred ................................................. 3
6.  Documented Operating Procedures ................................... 4
7.  Document Control .................................................. 5
8.  Security of Documentation ......................................... 5
9.  Project Documentation Details ..................................... 7
10. Operational Procedures Documents .................................. 8
11. Appendix 1 ........................................................ 10

4. Definitions Used in this Report

Trust  | xxxxxx NHS Trust
LAROC  | Name of the Trust Network System
SoA    | Statement of Applicability
ISMS   | Information Security Management System
RA     | Risk Assessment

6. Documented Operating Procedures
Objective
The purpose of this document is to give a broad outline of the various aspects of the Information Security
Procedures, guiding users to the more specific processes applicable to the systems used in the NHS
Purchasing and Supply Trust.
Process
The following steps are taken to identify and document the control objectives and security controls in the
Information Security Policy approved by senior management:

a) Evidence of the actions:
   1. The information security policy is defined in the ISMS.
   2. The scope of the information security management system is defined in the ISMS.
   3. A preliminary risk assessment is undertaken and the resulting controls are identified in this document.
   4. A full risk assessment is undertaken by a specialist consultant to determine the degree of
      risk; the results are recorded in the RA document.
   5. The areas of risk to be managed are identified and explained in the risk matrix in the RA.
   Appropriate security controls are then selected and the procedures/methods are documented as
   below:
      Security organisation              document ref.
      Asset classification and control   document ref.
      Personnel security                 SoA; document ref.
      Physical security                  SoA; document ref.
      Access control                     SoA; document ref.
      Business continuity                SoA; document ref.
      Compliance and audit               SoA; document ref.

b) A summary of the management framework, including:
   1. the information security policy document, as in 6a;
   2. the control objectives and implemented controls, as in 6a;
   3. the statement of applicability (SoA); document ref. ISMS/SOA/001;
   4. the management forum; document ref. ISMS section 6.1.

c) Procedures to implement the security controls are documented independently and listed in
   section 6a above.

d) Management procedures are documented in two sections:
   1. Security organisation     ISMS document ref.
   2. Operations management     ISMS document ref.

7. Document Control
Objective
To ensure that documents in use in connection with the ISMS project are controlled in a systematic
manner.
Responsibilities
The IT Operations Manager shall ensure that all ISMS project documents are controlled and that
proper records are maintained.
Process

1. Correspondence documents consist of all the general correspondence of the project:
   - Copies of all outgoing and incoming mail shall be retained in the project file(s).
   - The circulation of all correspondence shall be annotated as being confidential, for
     information, for action or for discussion.
   - Individual IT staff may maintain working files, but these should not retain original documents.

2. Project documentation shall include:
   a) project reports and plans
   b) technical reports
   c) specifications
   d) instructions
   e) computerised data
   f) controlled documents

3. Controlled documents shall be clearly identified according to this procedure and recorded. Use
   of non-controlled documents shall be strictly limited.

4. All reports, logs, forms and procedures created by IT Operations shall be signed and
   controlled in accordance with this procedure.

5. All manufacturers' original instruction manuals shall be retained by IT Operations.

8. Security of Documentation - Record Keeping

Objective
To define and describe the procedure for managing ISMS records.
Process
This procedure covers the identification, logging and preparation of records for submission to the central
archive.
- All paper records related to the ISMS shall be kept in a fire safe and will be available for inspection
  upon request from the IT Operations Manager.
- All electronic records related to the ISMS will be available on the Trust's network server in a secure
  folder with READ ONLY access.
- A second copy of documents related to the ISMS will be available on a CD as a backup and will be
  kept off site.
- Uncontrolled copies of documents relating to information security management will be available on the
  Trust's Intranet to authorised users.
- Documents shall be registered and retained for not less than 3 years.
- Where records have been reviewed and subsequently destroyed, this shall be noted in a register held
  by IT Operations.

9. Project Documentation Details
Register columns: Document name | Reference number | Issue number | Date issued | Approved | Change request | BS7799-2 Ref. | Document owner
(entries other than the document name are blank in this version)

Document name
- Implementation
- Information Security Policy
- Welcome Pack
- Helpdesk Procedures
- Information Security Risk Assessment
- Statement of Applicability
- IT Security Audit Plans and Records
- Audit Strategy

10. Operational Procedures Documents
Register columns: Document Name | Document Ref. | Change Request | Issue No. | Date Issued | Document Owner | Approved
(entries other than the document name are blank in this version)

Document Name
- Secure Disposal or Re-use of Equipment
- Management of Removable Computer Media
- Removal of Property
- Terminal Log-on
- Event Logging
- Monitoring System Use
- Documented Operating Procedures
- Operator Log
- Fault Logging
- Security of System Documentation
- Controls Against Malicious Software
- User Registration
- Business Continuity Management Process
- Business Continuity and Impact Analysis
- Writing and Implementing Continuity Plans
- Business Continuity Planning Framework
- Testing, Maintaining and Re-Assessing Business Continuity Plans
- Disposal of Media
- Information Handling Procedures
- User Authentication for External Connections
- Operational Change Control
- Information Backup
- Information Security Policy Document
- Data Protection and Privacy of Personal Information
- Power Supplies
- Cabling Security
- Including Security in Job Responsibilities
- Equipment Siting and Protection
- Policy on Use of Network Services
- Mobile Computing
- Teleworking
- Incident Management Procedures
- Access Control Policy
- Privilege Management
- Security of Equipment Off-premises
- Enforced Path
- Network Routing Control
- Equipment Maintenance
- Security of Network Services

11. Appendix 1 - Document Owners
Register columns: Initials | Full name | Responsibilities (Example) | Location
(initials, names and locations are blank in this version)

Responsibilities (Example)
- Helpdesk Administrator
- Facility Manager
- Data Protection Officer
- Network Systems Supervisor
- IT Operations Manager
- Information Security Consultant
- Technical Support Officer
- Director of Finance & IT
- Helpdesk Manager
- Infrastructure Manager
