Published: February 20, 2025 - 4 minute read
Why Does Healthtech Need ISO 27001?
Healthtech handles a lot of sensitive information, ISO 27001 helps secure it.


Ethan Chikowore
Compliance Specialist
Squirrel™ Technical Security
As a healthtech innovator, you deal with potential risks on a day-to-day basis, whether you are aware of it or not. You need to build a structure within your organisation to address these risks in proportion to their potential impact. This is where ISO 27001 comes into play!
What does ISO 27001 require?
ISO 27001 is a globally recognised standard for information security developed and published by the International Organization for Standardization (ISO). It centres on the confidentiality, integrity, and availability of information, whilst also covering wider business functions and improving company culture.
ISO 27001 is broken down into 7 key areas:
- Organisational Context - What does your company do?
- Leadership and Responsibility - How is your senior leadership involved in your information security practices?
- Planning of Objectives and Processes - What are your objectives and how will you achieve them?
- Training and Support - Do you have the necessary staff and training to effectively implement your ISMS?
- Operations and Execution - Have you put your processes into action?
- Auditing - Have you assessed whether your processes are actually working?
- Continual Improvement - What results need to improve?
The guidance from each clause will help you build the foundations of your information security programme. It is important to note that your information security objectives, together with the internal and external issues standing in the way of achieving them, will drive your risk approach and which controls you decide to implement.
ISO 27001 requires that your company has an Information Security Management System (ISMS) that is monitored and continually improved upon.
What is an ISMS?
The Information Security Management System (ISMS) is the hub for all documentation that helps keep your company secure. This includes, but is not limited to, policies, processes, training materials and schedules. It's essential to understand that your ISMS must be kept in order and up to date for it to work effectively. A convenience of ISO 27001 is that you don't have to document every point from the standard; instead, you should use it as a tool to reflect on the risks relevant to your company. Implementing your ISMS in this way is more practical and logical.
For example, a remote-based company would not benefit from having policies and processes for working in an office. It would be more beneficial to document the specific situation and risks relevant to its remote working environment.
How do I set up a Secure ISMS?
A secure ISMS always starts with senior management's commitment to pursue ISO 27001. As with any major project, senior management must be invested for it to succeed. To gain approval, the staff involved should consider what allocation will be needed to obtain the right resources (finances, staff, software etc.) for the specific needs of the ISMS, and create an executive-style presentation (key metrics, evaluation, predictions) that shows how these resources will benefit the company as a whole. Tying the ISMS to your company's overall success will increase senior management buy-in.
Once you have the required resources, it’s time to put your project in motion:
- Set your information security objectives in alignment with company goals and context.
- Have a clear communication plan to streamline the delivery of the objectives and relevant documentation to staff.
- Schedule your management and risk reviews to keep your ISMS on track.
- Monitor and audit processes to ensure they are working smoothly and document any improvements needed.
An Investment for Success
ISO 27001 is a necessary and valuable investment, giving your company a competitive advantage in the market. It opens the door to building more business partnerships with larger companies that have adopted the standard and/or require it, especially if you want to sell to the NHS. It proves that you are reliable and value information security, whilst setting your company up for global reach. Furthermore, being ISO 27001 certified and having an ISMS can accelerate the process of becoming compliant with the NHS DTAC (Digital Technology Assessment Criteria), as your documentation can be reused for the technical security and data protection DTAC domains.
So, want to start your ISO 27001 journey?
Book a free discovery call with us today! We will support you along each stage of implementation with expert guidance on the best way to achieve compliance. Tune in for our next blog as we do a deep dive on the ISO 27001 audit process and how to make it less painful.