ISO audit success at EPCC

9 July 2024

We are delighted to announce we have passed our annual audit against three important standards in quality management, information security management, and business continuity management.

EPCC prides itself on the HPC and data services it runs. To ensure we continue to apply best practice and improve, we are externally audited annually against three ISO standards:

  • ISO 9001 for quality
  • ISO 27001 for information security
  • ISO 22301 for business continuity and disaster recovery.

We have recently passed our annual audit against all three standards.


ISO 9001: Quality management systems

ISO 9001 is a universally recognised standard for the quality of the services or products an organisation delivers. It looks at how requirements are gathered, how the organisation delivers and improves its offerings, and how customer feedback is collected and acted upon.

For the ARCHER2 service, the requirements come from the terms of the ARCHER2 contracts with UKRI plus those that our customers and users expect. While, for example, the contract might mandate a response time for service desk queries, we believe in making sure that a timely response is also an informative one, going over and above what is asked. Feedback on the services we run (such as ARCHER2) is positive: 99% of service desk query feedback rates the response as good, very good or excellent.


ISO 27001: Information security management systems

This year we migrated from the ten-year-old version of ISO 27001 to the current version, released in 2022. As you can imagine, the information security landscape has changed significantly in ten years.

The new version of the standard has an emphasis on cyber threats and mitigations. EPCC hosts data from a variety of customers, including data that requires the highest levels of security. It is vital that we can be trusted as a safe pair of hands with such data. We are also assessed annually by the Office for National Statistics against the Digital Economy Act as an Accredited Processing Environment for the National Safe Haven, which we run. All the data owners of data hosted by EPCC are welcome to audit the technical security controls and management of their data, and we have just passed an external audit by NHS England for one of their datasets that we host.


ISO 22301: Business continuity management systems

ISO 22301 is a standard related to preventing disasters and being prepared to recover from any that occur while minimising user disruption. We spend significant time testing and improving processes and documentation so that if the worst happens we are prepared. Every two years we run a full-scale scenario test and each time this has highlighted possible improvements which have proved useful. Our most recent test scenario involved a leak of data, and the lessons we learned from it have been used to further tighten security measures.

EPCC will continue to invest in the significant staff time and effort needed to maintain its certifications to ensure we offer the highest possible level of service to our users and customers, and that all data entrusted to us is handled securely and appropriately to meet data owner requirements.
