
Published October 15, 2024 - 5 minutes read

Why Healthtech Needs ISO 27001

No matter whether you are a global company or a small startup, risks should always be considered in order to navigate them with ease.

Risks are a constant part of everyday life, from crossing the road to making a simple cup of tea. That’s why, no matter whether you are a global company or a small startup, risks should always be considered in order to navigate them with ease. Standards like ISO 27001 help you to understand the different types of risks out there, such as external risks and internal risks, as well as to set up the right structure to deal with them. Let’s dive deeper into ISO 27001 below.

What is ISO 27001?

ISO 27001 is a globally recognised standard produced by ISO (International Organisation for Standardisation) that enables companies to develop secure Information Security Management Systems (ISMSs). Just like the DTAC regulation, ISO 27001 serves as a guideline for technical assurance, through auditing of the technical controls in place, and for data protection, through policy making and procedures such as a Software Development Lifecycle. Above all, the standard makes information security a priority, highlighting the need to protect valuable assets, which is key for healthtech startups and innovators because the NHS and standards like HIPAA take information security very seriously.

ISO 27001 is Essential for Success

ISO 27001 is one of the first steps you need to take to set your company apart in the competitive healthtech market. Because ISO 27001 is recognised globally, complying with it gives clients and partners like the NHS more assurance about your security practices, controls, and awareness. For potential investors, it increases their buy-in and the likelihood that they will invest in your company.

So how do I set up a secure ISMS?

The first steps to creating a secure ISMS start with a company overview and an assessment of the issues your company is facing internally and externally. These are later matched with the controls needed to address them.…

Although ISO 27001 contains 10 clauses and 93 controls, not every control has to be used by your company. It is crucial to understand all of these controls, select the ones you need to mitigate your specific risks, and be able to explain this in the Statement of Applicability. The Statement of Applicability is a document that outlines the controls you deem necessary for your information security. It is a crucial document for running an ISMS and demonstrates strong awareness.

Since the recent revision of the standard in 2022, the controls are grouped into 4 sets:

Organisational

This section mainly covers areas like identity management, roles and responsibilities, and information security policies. Organisational controls help to set the main structure of information security within the company, particularly through policies and procedures.

Technical

Technical controls consist of backup tools, detection systems, firewalls and logging tools. These are the main tools that will be used within the ISMS to protect data and to support software development. They range from preventative tools (tools that help prevent an attack), such as firewalls and intrusion prevention systems, to detective tools (tools that help detect an attack in motion), such as intrusion detection systems and vulnerability scanning.

People

This section involves hiring processes, terms of employment, and onboarding. The main focus is on the people within a company, making sure they are competent and understand information security. This is usually assessed through a competency matrix, which looks at each employee within your organisation, assesses how qualified they are and identifies where they may need training. From this data, companies can structure training around the needs of their employees and get effective results. The competency matrix also helps to structure the roles and responsibilities assigned within your ISMS.

Physical

This section focuses on controls around keeping a clear desk, authorising access to physical sites, removing physically stored media and disposing of it securely. Most of these controls are non-technical and focus on the perimeter outside of systems and computers.

It is important to know which controls work for your company’s needs: always match the controls you will use to your risks. For example, if your whole team works remotely, then there is no need to use physical controls such as mantraps or CCTV.

How can we start our process to compliance?

Choosing the right compliance solution can be a very daunting process and does require some thinking before going ahead.

Some companies may be at the start of building their ISMS, whereas others may already be halfway through, so self-awareness is really key in your decision making.

As you may know, there are many compliance consultants, third parties, and vendors who can help you build an Information Security Management System (ISMS) and become compliant with various regulations and standards. However, many of them cost an arm and a leg, which simply doesn’t work for most startups. Having spent a fortune on compliance implementation isn’t really a great start.

At Acorn Compliance, we are pro-startup and innovator friendly. We offer incredibly affordable pricing plans for startups and innovators so you can spend less time worrying about getting compliant and more time on your incredible products and getting into the market. Our trusted and experienced team is ready to help answer any queries you may have, whether that be relating to our pricing plans, subscriptions or our ISO 27001 and DTAC AI.

Book a free discovery call.
