With healthcare innovation rapidly evolving and AI businesses leveraging vast amounts of confidential data, ISO 27001 stands as a foundation of information security. By adopting this globally recognised standard, businesses can follow a comprehensive framework for Information Security Management, inspiring confidence and assurance in how sensitive information is handled and managed.
In this blog we will explore ISO 27001 and provide practical insights to help businesses leverage this standard to its full potential to provide assurance to healthcare systems globally.
ISO 27001 is an international standard (a document drafted by a group of international experts) that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It outlines a set of activities and methods for maintaining the confidentiality, integrity and availability of your data and information.
ISO 27001 contains a set of guidelines for creating an ISMS – a framework designed to maintain data and information security across an organisation. It has a strong focus on assessing risks related to information security and implementing practical measures to meet and mitigate those risks.
ISO 27001 is split into 10 sections, each containing “Requirements” that organisations need to meet along with an annex which outlines practical controls which may be put into place to help meet these requirements (another standard, ISO 27002, exists to provide more information about these controls to help with implementation).
- Scope: a brief explanation of what the standard is about, and which organisations it could apply to.
- Normative References: other standards you need to read to understand all of ISO 27001.
- Terms and Definitions: a reference to where you can find definitions of terms used in the standard.
None of these three sections place any obligations on organisations to follow the standard; all of the requirements fall into sections 4-10
Section 4 - Context of the Organisation
The first set of requirements in ISO 27001 are about outlining the needs of the organisation, what issues it faces and who are the stakeholders and interested parties (both internal and external). Section 4 is also about setting out the scope of the Information Security Management System (ISMS), including identifying what processes will be needed to make it effective.
Top Tip – all ISO Management System standards were amended in 2024 to address climate change within section 4 – make sure you review and implement this amendment.
Section 5 - Leadership
This section establishes the responsibility of top management in how they oversee and promote the ISMS across the organisation. This includes setting up an Information Security Policy, objectives, and clear Roles and Responsibilities for information security across the organisation.
Section 6 - Planning
This section is about risk assessment and risk treatment. Information security risks should be documented and evaluated, and a process to treat and control those risks should be put in place. Planning also includes making sure objectives are written as these are one of the main ways to measure the effectiveness of the ISMS.
Section 7 - Support
Section 7 covers the resources you need for your ISMS. Mainly this is about ensuring that your people are competent, have awareness of their role within the system and have access to information they need which is both documented and communicated effectively internally.
Section 8 - Operation
Operation is the requirement to carry out the processes that you have defined, particularly in respect to Section 6. This section further establishes the need for security risk assessments and implementation of risk control measures.
Section 9 - Performance Evaluation
This part of the standard lays out the ways in which you should be monitoring how effective the ISMS is. This includes internal audits, which should be planned and performed on a regular schedule to ensure the business is maintaining on-going compliance to requirements. Furthermore, Section 9 requires the organisation to conduct a management review to illustrate to top management how the ISMS is performing relative to its objectives, informing and involving them in any remediation activities which may be required. This must be carried out periodically and many organisations will do this at least annually.
Section 10 - Improvement
Relating closely with Section 9, this section is about the requirements for addressing any issues found with the ISMS and taking steps to correct and improve it. Improvement covers both the need for continual improvement through review and the requirement to document, investigate and set up actions to correct non-conformities within the system.
Any company that handles and processes customer data would benefit from having a well-defined information security system as it’s a great way to help reduce the risk of costly data breaches or loss of critical information. However, in some industries, in particular software (especially SaaS), health care, finance and telecommunications, having ISO 27001 certification could be a requirement from your customers or business partners.
The certification process is typically performed by a certification body, who should have been accredited by a nationally recognised organisation. To get certified, you’ll need to make contact with them and arrange for a schedule of audits where they can confirm that your processes and systems are in compliance with the standard and best practice.
For ISO 27001, this usually requires two initial audits (referred to as Stage 1 and Stage 2), the first having a focus on your documents and procedures, the second being a more thorough review of your processes and staff. This will usually take the form of structured interviews with both your information security/IT team and with some of your staff to ensure there is good awareness of the processes across your business.
Typically, once you’re certified, there will be a three year recertification process. This manifests as two smaller audits (surveillance audits) annually for the first two years, followed by a full and more thorough audit for recertification during year three.
ISO 27001 Certification is not a one-time event – you need to maintain the ISMS to maintain the Certification; which is why it is important you implement your ISMS in a way that is easy to maintain.
Benefits of ISO 27001
The benefits of obtaining ISO 27001 certification include:
- reduced information security risks,
- increased customer trust
- protection from legal issues in the event of a breach
- a competitive advantage in the marketplace.
As an internationally recognized standard, ISO 27001 certification can provide peace of mind to suppliers and customers around the world and its strong reputation can be a major factor in securing contracts and tenders with a wide range of potential customers. Effective information security could also be financially advantageous too, reducing the risk of expensive data loss or security issues.
In addition, certification to ISO 27001 can help you avoid having to complete large and complex cybersecurity questionnaires from potential customers, who may simply recognise your certification as meeting their standards when it comes to information security.
Integration with Other Standards
Other international standards may also be relevant to your organisation. If you’re a medical device or IVD medical device company, then it is likely you will also be implementing ISO 13485. Most management system standards created by ISO are set out in a consistent manner, with many overlapping requirements. For this reason, it is likely to be easy to integrate your ISMS with your QMS into a single system (an Integrated Management System). Another common QMS standard is ISO 9001 which you will also find integrates neatly within a single system, should you choose to be certified to that too.
Another related benefit of ISO 27001, particularly for medical devices that integrate software or communicate with a network (possibly integrating AI, as set out in ISO 42001) is that medical device software require a strong cybersecurity framework and working within your ISMS provides the majority of the work already, so you don’t have to worry about duplication of work.
Need help with ISO 27001?
With experience across a range of management systems, we have the skills and knowledge you need to take your product to market.
We’ll get you from where you are, to where you need to be – with candour, commitment and quality.