Uppsala University Information Security Management System
The overall aim of the information security work is to maintain a well-balanced information security with regard to the university, co-workers, students, etc. at the university, as well as the needs of the public. The information security work must strive for both an adequate level of security, i.e. to balance risks against the costs of protective measures, and a controlled security, i.e. security controlled and executed according to the university’s information security management system (ISMS)[1].
The ISMS of Uppsala University is based on the international and Swedish standard SS-EN ISO/IEC 27001:2017 in order to conform to the requirements of the Swedish Civil Contingencies Agency’s (MSB) directive on information security in governmental authorities, MSBFS 2020:6.
Download the complete description of the University ISMS (PDF). All guidelines, procedures and checklists can be found on the University's website on Policies and regulations.
The ISMS at the university is described according to the seven sections in ISO 27001:2017:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
and is covered by security and safety measures in accordance with ISO 27002:2017:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
The ISMS describes security and safety objectives for which a balanced security level and appropriate security measures must be planned, implemented, followed up and continuously improved when necessary.
Fundamental to IT and information security, including cyber security and IT security, is a continuous cycle of follow-ups and improvements, often described by the so-called PDCA

[1] In Swedish: ”Ledningssystem för informationssäkerhet (LIS)”