In 2020, the SDU eScience Center was the first DeiC HPC center to obtain the ISO 27001 certification – an international standard for information security – following a formal evaluation by an accredited external auditor, DNV (at the time, DNV GL).
The certification demonstrated not only that the software and hardware infrastructures used at the eScience Center are secure, but also that the actual workflows around these services meet the required quality standards. Among other things, ISO 27001 enforces requirements for risk management, documentation of processes, as well as the distribution of roles and responsibilities for information security.
Bjørn Høj Jakobsen, compliance officer at the SDU eScience Center and lead implementer for the certification process, explained at the time (see the full article from 2020 here):
“The uniqueness of our ISO certification is that it is very operational – in the sense that the eScience Center staff has to relate to it on a continuous basis, thereby taking ownership of the product and responsibility for the security. For example, a developer cannot just create an amazing code without also creating the corresponding documentation that comes with it. In this way, our entire production line is continuously aligned with the guidelines that accompany the certification.”
3 years later
Obtaining the first ISO 27001 certification was a very important and difficult milestone, but even harder was living up to its quality standard for the next three years. As part of ISO 27001, external auditors visit your organisation once a year to follow up on the agreed procedures and any suggested improvements. In the first and second year, the annual audits are less strict and you cannot lose your certification. However, after three years a full recertification is needed, and that audit will either result in a renewal of your certification or, if the auditors’ review finds that you no longer live up to the requirements, your organisation will lose it.
“After three years, the auditors will go through all your documentation again. In addition, they check if you have been able to stick to a plan. In this sense, the annual visits from the auditors ensure that organisations prioritise information security – you cannot come back after three years with a set of excuses for why you did not have the time or the resources to live up to the requirements,” says Bjørn Høj Jakobsen.
As the eScience Center obtained its certification in 2020, the visit from the external auditors this year, 2023, meant that it was time to renew it. We’re now proud to announce that the center has been re-certified by DNV. Bjørn Høj Jakobsen has been responsible for the certification process.
“It is often said that IT-security, more than anything else, is a culture. Over the past three years, the ISO 27001 certification has become defining for the eScience Center. Much of what has been achieved since then is connected to the fact that we always have the certification in mind – and everyone here knows that they have to think our ISO 27001 certification into their day-to-day operations,” he says.
The urgency of IT-security
In a world where the risk of cyber-attacks and IT-related crime has increased considerably over the past 20 years, having a structured framework that prioritises the effort around security is clearly a huge advantage. The war in Ukraine has demonstrated that IT-security also has a geopolitical dimension, and it is crucial that public and private institutions, which could easily become geopolitical targets, ensure a high level of information security.
“One of the things that is intrinsic to the ISO 27001 certification is that you need to know all outside connections to the internet, because this is where you in principle could come under attack. In the ISO world this is called access management. And we’re 100% in control of all our assets,” says Bjørn Høj Jakobsen.
Bjørn Høj Jakobsen attributes the SDU eScience Center’s position as a front runner among public institutions in the field to the benefits of being anchored at a university with the possibility of attracting people with a research background and/or a very high level of education:
“At the technical level we are – with the education and background that our people have – next to none,” he says.
Structured framework for security and collaboration
Aside from the guarantee that the eScience Center’s facilities can offer the highest possible level of security, and that there is a continuity in the information security procedures, another advantage that comes with the ISO 27001 stamp of approval is that it makes it easier for the users to collaborate with external partners. This is true both at the individual and at the organisational level.
During the past three years, the eScience Center has been able to enter into a number of Data Processing Agreements (DPAs). A DPA is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data (Source: GDPR-EU). Signing a DPA with a different organisation is by no means a trivial task, as it involves many technical, organisational and legal considerations. Nonetheless, the SDU eScience Center currently has signed DPAs with the Region of Southern Denmark, Aalborg University, Copenhagen Business School, Aarhus University and Roskilde University. DPAs with Copenhagen University and the IT University of Copenhagen are also on the way, and work with Statistics Denmark is in progress. These agreements mean that users affiliated with the named organisations can use the eScience Center’s services to store, analyse, or communicate personal information in compliance with the GDPR regulations.
“With the help of the ISO 27001 certification, we now have the routine and methods in place for making such agreements. This means that whenever we need to establish such agreements with external partners in the future, it will be relatively painless for us,” says Bjørn Høj Jakobsen.
The possibility of collaborating even on sensitive data across different institutions is an extremely attractive feature for a service provider and one that has opened several doors for the SDU eScience Center. An example is the newly awarded HALRIC project – a collaboration between several members from countries in the EU Interreg Öresund-Kattegat-Skagerrak (ÖKS) region – where the SDU eScience Center will contribute to the development of the so-called Hanseatic Science Cloud (HSC). The ambition of HSC is to be the enabling factor that provides users from the life sciences, healthcare, and the tech sector with a uniform entry point for easy and secure cross-border access to tools for the analysis of, access to, and collaboration on data.