Published October 15, 2024 - 5 minute read
Why Healthtech Needs ISO 27001
Risks are a constant part of everyday life, have a plan in place.
Risks are a constant part of everyday life, from crossing the road to making a simple cup of tea. That's why, whether you are a global company or a small startup, risks should always be considered so you can determine a robust course of action to minimise their impact. Standards like ISO 27001 help you to understand the different types of security risks out there, as well as to set up the right structure to deal with them effectively. Let's dive deeper into ISO 27001 below.
What is ISO 27001?
ISO 27001 is a globally recognised standard produced by ISO (the International Organisation for Standardisation) that empowers companies to develop secure Information Security Management Systems (ISMSs). Just like the DTAC regulation, ISO 27001 serves as a guideline that, followed well, will ensure you establish appropriate technical and organisational controls to maintain security, and therefore protect data, whilst conforming with legal requirements. Crucially, ISO asks that you continue to invest in security over time to achieve continual improvement across your systems and processes.
ISO 27001 as an essential ingredient for Healthtech success
Whilst ISO 27001 represents a large investment of time and resources, it can absolutely give your company a competitive advantage, and it will be a requirement if you're to work with larger organisations that have already adopted the standard. With ISO 27001's global recognition, complying with the standard gives clients and partners like the NHS more assurance about your security practices, controls and awareness.
Furthermore, if you're already DTAC compliant, you'll already have some of the required evidence that can count towards ISO 27001.
So how do I set up a secure ISMS?
The most important first step in setting up an ISMS is buy-in. As mentioned, it is a serious endeavour and it will take a team effort to implement. As well as setting up and implementing the required governance and processes, training staff, and creating the framework for your ISMS, you will need to perform a thorough risk assessment against all aspects of the standard you've identified as applicable to you.
Depending on the identified risks to your information security, you'll be asked to consider the controls in Annex A, along with the guidance in ISO 27001's counterpart, ISO 27002!
ISO 27002 provides guidance on how to address specific risk types, and a large part of an ISO 27001 implementation will need to focus on selecting appropriate controls and maturing their effectiveness so as to improve your security posture.
Let's take a deeper look into that...
Since the 2022 revision of the standard, there are four sets of controls:
Organisational controls
This section mainly covers risk remediations including identity management, roles and responsibilities, and information security policies. Organisational controls set the core governance that keeps information security running smoothly within the company.
Technical controls
Technical controls consist of backup tools, detection systems, firewalls and logging tools. They also include controls such as penetration testing, vulnerability scanning and secure development practices, which combined can limit your attack surface and help protect the confidentiality, integrity and availability of your organisation's data.
People controls
These controls focus on the people-related aspects of your business, including hiring processes, terms of employment, employee onboarding and staff role changes. The main aim is to make sure the people within the company are competent and understand information security.
Physical controls
This section covers controls such as a clear desk policy, authorised access to physical sites, the removal and secure disposal of physically stored media, and even whether air conditioning units and fire extinguishers at physical locations are being maintained. As you can see, most of these controls are non-technical and focus on the physical environment around your systems and computers.
ISO 27001 certification
Once you've set up your ISMS, selected appropriate controls and have tangible evidence of those controls being effective, it's time to consider ISO 27001 certification - the goal of implementing the standard!
This involves an internal audit of your ISMS, followed by external audits which, for first-time certifications, consist of a stage 1 audit (documentation review) and a stage 2 audit (a deep dive into your ISMS and sampling of the controls you have in place).
All going well, you'll pass ISO 27001, receive the certification and multiply your competitive advantage. If you're looking for assistance with this, do contact us: this is where Acorn Compliance and our automated compliance platform Squirrel™ can help. And if you work with Acorn Compliance, we'll guarantee you pass those external audits first time.
So book your free discovery call and let's have a chat about how we can help you achieve your compliance goals for ISO 27001 and beyond! We can even advise you on how to build a compliance roadmap that aligns with your market strategy and covers the aspects of compliance you need, and when. By approaching compliance in a smart and structured way, you'll be able to remove duplicated effort and hit your compliance and regulatory goals like a pro!