EPCC: certifications for a safe pair of hands

11 January 2024

Data security is at the heart of the services we deliver. Rigorous certification processes ensure we apply best practice to this vital work.

At EPCC we have a long history of running national HPC services and more recently data services. Best practice in service delivery, the highest levels of information security, and extensive preparation to ensure we have appropriate measures in place to minimise disruptions to service, plus tested plans to get us back up and running should the worst happen, are all at the heart of the services we deliver. 

With all of this in mind, we embarked on a programme of work to gain and retain a series of ISO externally-audited standards. 

Information security measures

All of our services involve handling user data and this requires well applied information security measures. 

Data includes the scientific data used to run science simulations by our researchers, commercially sensitive data generated by our commercial customers, and the sets of de-identified medical and administrative data held and analysed in the National Safe Haven.  

We are responsible for ensuring that the appropriate level of technical controls are applied to the data to ensure that only the appropriate people can access the data, the data is undamaged, and is available as agreed with the data owners and to meet their risk appetite. 

ISO 27001: Information Security 

We have implemented ISO 27001 and have been successfully externally audited against it since 2017. Internationally recognised, ISO 27001 is the world’s best known information security standard and we are currently updating to the newest version which has a much greater emphasis on cyber security. We hold ISO 27001 for all the HPC and data services we run. 

In addition we are a Digital Economy Act (DEA) Accredited Processor for the National Safe Haven, an additional external audit of the service we run. The DEA is key legislation in making government administrative data available for research that is approved to be undertaken for the public good, and therefore our accreditation opens the way for such data to be used by researchers.

SO 9001: Quality Management 

Our National Services ARCHER2 and Cirrus have contracts with service-level agreements (SLAs) that we need to meet.  In 2015 we made the decision to pursue and achieve ISO 9001 Quality Management certification for their delivery. ISO 9001 ensures that you design and improve services or products to meet customer requirements and measure customer satisfaction with them. 

ISO 22301: Business Continuity and Disaster Recovery

In addition, in these days of cyber security risks, the risk of disease outbreaks such as Covid and stresses on power supplies, we made the decision to pursue ISO 22301, the Business Continuity and Disaster Recovery standard. This ensures that risks are analysed to identify the highest scoring, measures introduced to mitigate them, and plans made to prioritise remedial work. We gained ISO 22301 certification in 2022 for the ARCHER2 and Cirrus services and for EPCC's Advanced Computing Facility, the datacentre where they are housed.

Continuous improvement

EPCC keeps a continuous focus on information security, business continuity, and service delivery, running annual programmes of continuous improvement and we are externally audited on an annual basis to ensure we continue to apply best practice. The feedback we receive from our users, both academic and commercial, is very good and we pride ourselves on this.