Information Security Management

In 2019, Oxford Brookes University achieved the globally recognised information security certification ISO/IEC 27001, as part of its commitment to protecting its information and that of its staff, students and partners.

This certification applies to all staff and associates provided with access to Oxford Brookes' information assets and network services, all information assets and the associated business processes that support the provision of education and ancillary University services.

ISO 27001 certified

The benefits of the ISO 27001 framework

Benefits of the framework are:

  • Colleagues, students and parents can be confident that all University information captured and stored is validated by an internationally recognised framework.
  • It ensures that a common set of policies, procedures and controls are in place to manage any risks to information security and to reduce the number of data breaches.
  • It illustrates the University’s commitment to information security at all levels.
  • Improving the auditing and organisation of University information, making the operation more efficient.
  • A training and awareness programme to help all colleagues, students and key stakeholders understand their responsibilities when handling personal or University data.

Information classification

When creating any form of information on behalf of the University, content owners need to assign it one of the following categories:

Public

Information classed as public

This information can be readily shared and made publicly available with no adverse consequences for any organisation or individual. Typical content might be:

  • news and updates,
  • external website content,
  • most policy documents,
  • published research,
  • published accounts,
  • most personal correspondence.

Restricted access

Information classed as restricted

This information can be shared appropriately with a limited audience, usually but not exclusively within the University. Some of the features attributed to “Confidential” information apply, yet the implications associated with sharing this information are less serious. This information could be financial or commercial value, or be subject to intellectual property, trademark or other legal protection. It would be likely to include what is now called “Personal” Data. Typical content might be:

  • most professional correspondence,
  • individual student marks and feedback,
  • emails and documents containing limited personal data,
  • policy, procedure and planning documents with technical or commercially sensitive information,
  • non-confidential meeting agenda and minutes,
  • pre-publication research data,
  • most financial data.

Confidential

Information classed as confidential

This information has a significant value for Oxford Brookes University, another organisation or individual. Wrongful disclosure could impact the reputation or standing of an organisation or an individual, the safety of an individual or could cause significant financial loss. Information of this type is shared on a “need to know basis” only. This classification will include Special Category of Personal Data as defined in Data Protection Law. Large amounts of datasets of information which would otherwise be classified as “Restricted” were it a smaller amount, may become classified as “Confidential” by merit of the quantity of data involved. If in doubt as to whether a dataset is large, query this with the Information Security team by email using info.sec@brookes.ac.uk 

Typical content might be:

  • emails and documents containing large amounts (200+ records) of student personal data - grades, names and addresses,
  • HR records
  • student wellbeing records
  • emails and documents that include special category personal data of staff and students - race, ethnicity, religion, health, political beliefs, genetic or biometric data, trade union membership, criminal convictions and sexual orientation.
  • materials received from third-parties that are proactively marked as ‘confidential’.

Please take a look at some typical scenarios for classifying work-related information:

Contact us

Information Security Office

Oxford Brookes University
Headington Campus
Gipsy Lane
Oxford OX3 0BP

+ 44 (0) 1865 484354
info.sec@brookes.ac.uk

Useful resources