Compliance Guide

Become an ISO 27001 certified regulated medical application

ISO 27001 provides a best-practice framework for how an organisation should manage the security of its information and data. This includes all processes and policies relevant to the control and use of data. Certification to ISO 27001 affirms that your Information Security Management System (ISMS) follows internationally acknowledged best practices to manage risks and preserve the Confidentiality, Integrity and Availability (CIA) of information.

A systematic and holistic approach to risk management

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the recognised system for worldwide standardisation.

ISO/IEC 27001:2013, the standard for managing information security risks, is the central standard in the ISMS family (ISO/IEC 27000), and one to which organisations can be audited and certified.

ISO 27001 is technology-neutral, so it does not mandate specific tools or solutions. Instead it acts as a checklist for a systematic and holistic approach to risk management, addressing the three key areas of information security: people, processes, and technology.


Managing information security risks

For certification, all areas of security management are audited to ensure the organisation's processes are in line with best practice. This includes:

Information security organisation, policies, and responsibilities

Covering the management framework to ensure information security within the organisation; how policies should be written in the ISMS; and guidance on ensuring all employees and contractors are aware of and fulfil their responsibilities regarding information security.

Asset management

Covering the processes for managing, protecting and securing data assets, as well as methods to ensure data integrity.

Access control

So that authorised persons can get access to information whenever it is needed, whilst ensuring that information cannot be accessed by unauthorised persons.

Encryption

Methods and levels of encryption to ensure the data is unusable even if security is breached.

Physical and environmental security

To prevent unauthorised access and loss, damage or theft of information.

Operations and communications security

To ensure secure collection and storage of data, and the protection of information in networks and the supporting information processing facilities.

Information systems security

To ensure security of information systems across their entire lifecycle.

Supplier relationships

To ensure security is part of all supplier service agreements so that any data accessible to or affected by suppliers is protected.

Incident management and business continuity management

Ensuring appropriate measures are in place to respond to security issues and deal with business disruptions or major changes.

Compliance

To ensure the organisation is in compliance with all applicable legal, statutory, regulatory, and contractual obligations related to information security.


ISO 27701: Integrating privacy with security controls

ISO 27701 is the most recent addition to the ISO 27000 series, and covers requirements for implementation of a Privacy Implementation Management System (PIMS).

The standard sets out guidance on the appropriate technical and organisational measures to meet the requirements of the General Data Protection Regulation (GDPR) for protection of personal data.

In the context of digital healthcare, ISO 27701 has particular relevance regarding medical device quality management systems.

ISO 27701 acts as an extension to ISO 27001 and ISO 27002. It bridges information security management and privacy management — making it the key standard for demonstrating GDPR compliance through technical controls.


Extra Horizon: the foundation for your regulatory compliance

Extra Horizon is certified to ISO 27001 and ISO 27701, as well as many further relevant international standards. As such, the Extra Horizon platform provides the ideal regulatory foundation for faster development and reliable deployment of digital health applications.

Extra Horizon cloud infrastructure uses medical software and services to capture, transmit and analyse data from connected medical devices and apps, all in compliance with security, privacy and regulatory requirements.

Furthermore, to help our customers with compliance and reporting, we share information, best practices, and provide easy access to documentation. This takes most of the burden of MDR/IVDR, GDPR and HIPAA compliance off your shoulders.

Extra Horizon

ISO 27001 & 27701 certified infrastructure for your medical app

By building on Extra Horizon, your digital health application inherits our ISO 27001 and 27701 certified security controls — reducing your own audit burden and accelerating time to market.

Contact us

Get in touch, we're eager to discuss your project

Have a question, want a demo, or just want to explore what Extra Horizon can do for your product? Drop us a message and we'll get back to you quickly.
