How we integrated ISO 27001 requirements into our QMS?

Being a critical supplier to medical device manufacturers, and knowing that our software handles sensitive information, we have always valued information security. To formalize this and to show that we work according to internationally accepted standards, we decided to implement a full Information Security Management System (ISMS) according to ISO 27001. Integrating this system with our existing ISO management system was essential to ensure a seamless approach to quality and security without redundancy.

When we started implementing the requirements of this standard, we wondered about the most efficient way to do so.

Our aim was to fully integrate both management systems in order to avoid duplication or double work.

What was our approach to integrate ISO 27001 into our existing QMS?

1. Analyze and fill the gaps

As a first step we translated the requirements of the standard and its annexes into plain English. This is a good exercise to get an overview and a deeper understanding of what the standard actually requires.

Once this was done, we went through each requirement and performed a gap analysis of our existing quality management system against the standard. As a result we updated almost all of our processes and added some new ones. We also updated almost half of the work instructions and added a few.

The biggest change was in the area of risk management: we updated 70% of our existing process-related risk assessments and doubled the total number of identified risks.

Another specific activity we had to do for ISO 27001 was to document the company assets.

2. Get a second opinion

Once all processes were updated, we hired an external specialist to perform an internal audit. The audit took 2 days and resulted in 5 recommendations, which were easy enough to implement.

3. Use the system

The whole point of integrating the Information Security Management System into our Quality Management System was to have one system to work with.

Once the internal audit was done, we started applying the new and updated processes. This produced some new records, mainly an inventory of all assets in the company and the access rights of staff to those assets. We also made sure that other activities were well documented, e.g. the white-hat hacking contests we had launched before starting ISO 27001 as part of our performance evaluation process.

4. Certification audit

In our case the surveillance audit for our ISO 13485 certification was combined with the certification audit for ISO 27001 (which makes sense for an integrated system). The audit concluded with only two minor non-conformities, and we successfully obtained our new ISO 27001 certificate, reflecting our commitment to robust information security management.

Why is ISO/IEC 27001 important?

Information security is crucial, particularly in the medical device industry, where the protection of sensitive data is paramount. ISO/IEC 27001, developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is the most widely recognized international standard for managing information security. It helps organizations protect sensitive data from breaches and cyber threats through a systematic, risk-based management system. For medical device software, which handles confidential patient data and critical clinical information, implementing ISO/IEC 27001 helps ensure that security risks to our systems are identified, treated and reviewed continuously, providing assurance to clients and their patients. By following these internationally recognized requirements, and through the risk assessment process, we demonstrate our commitment to maintaining high levels of security and integrity in our operations.

Benefits of ISO 27001 certification

Achieving ISO 27001 certification through a recognized certification body brings a host of benefits, especially in the SaMD and SiMD sectors. Firstly, it enhances our reputation by proving our dedication to information security management, which builds trust with clients and medical device regulators. Secondly, it helps us identify and mitigate risks systematically, ensuring continuous protection of sensitive data. Thirdly, it improves operational efficiency by integrating security processes into our existing QMS, reducing duplication of effort. Finally, being certified makes it easier to comply with various legal and regulatory requirements, facilitating smoother market access and approval processes.

Is ISO 27001 obligatory?

ISO 27001 is not legally obligatory, but it is highly recommended, especially for companies in the medical device industry. While regulations like GDPR mandate certain aspects of data protection, ISO 27001 provides a comprehensive framework for managing all aspects of information security. Adopting this standard can significantly improve your compliance posture and competitive edge. For companies developing SaMD and SiMD, implementing ISO 27001 is a proactive step towards ensuring data security and regulatory compliance, ultimately safeguarding patient data and enhancing overall trust in your products and services.

So how painful was it really?

  • Listing and documenting all assets requires effort, but it is an interesting exercise to link them directly to risks.

  • Preparing the company for further growth required rethinking some of the processes, but we are confident that the new training and procedures will be helpful.

We feel that the pain level was actually quite low: since we were able to reuse many of our existing procedures from ISO 13485 and GDPR, there was not much additional work to do. That holds, of course, only if IT security was already one of your main concerns before the ISO 27001 implementation. If it was not, the standard can create a lot of additional work, e.g. organizing and responding to white-hat hacking activities, and managing your development, testing and deployment networks, VPNs and access rights to different assets.

If you are thinking about implementing ISO 27001 and want a closer look at what the impact was on us, don't hesitate to contact us - we'd be happy to share this with you!

About the Author
Heather Laducer
Product Marketing Manager