Being a critical supplier to medical device manufacturers and knowing that our software is containing important information, we have always valued information security. In order to formalize this and show that we work according to internationally accepted standards, we decided to implement a full Information Security Management System according to ISO 27001.
When starting the effort of implementing the requirements of this standard, we were wondering about the most efficient way to do this.
Our aim was to fully integrate both management systems in order to avoid duplication or double work.
What was our approach to integrate ISO 27001 into our existing QMS?
1. Analyze and fill the gaps
As a first step we translated the requirements of the standard and the annexes into plain English. This is a good exercise to get an overview and a deeper understanding of the requirements of the standard.
Once we did this, we went through each requirement and made a gap analysis of our existing quality management system against the standard. As a result we updated almost all our processes and added some new ones. We also updated almost half of the work instructions and added a few.
The biggest change was in the area of risk management. We updated 70% of our existing process related risk assessments and also doubled the total number of identified risks.
Another specific activity we had to do for ISO 27001 was to document the company assets.
2. Get a second opinion
Once we had all processes updated, we hired an external specialist to do an internal audit. The audit took 2 days and resulted in 5 recommendations which were easy enough to implement.
3. Use the system
The whole point of integrating the Information Security Management System into our Quality Management System was that we have one system to work with.
Once we had the internal audit done, we started to apply the new or updated processes which resulted in some new records, mainly documenting all assets in the company, and access rights of staff to various assets. Besides that we did ensure that other activities were well documented, e.g. the white hat hacking contests we launched before starting 27001.
4. Certification audit
In our case the surveillance audit for our ISO 13485 certification was combined with the certification audit for ISO 27001 (which makes sense as it's an integrated system).
We ended our audit with two minor non-conformities and a brand new ISO 27001 certificate
So how painful was it really?
- Listing and documenting all assets requires an effort, but it is an interesting exercise to directly link them to risks.
- Preparing the company for further growth required rethinking some of the processes but we are sure the new training and procedures will be helpful.
We feel that the pain level was actually quite low, since we were able to reuse a lot of our existing procedures from ISO 13485 or GDPR there's not so much additional work to do. Of course that is if you had IT security as one of your main concerns already before the ISO 27001 implementation, if this is not the case it could create a lot of additional work: e.g. organizing and responding to white hacking activities, managing your development, testing and deployment networks, VPNs and access rights to different assets.
If you are thinking about implementing ISO 27001 and want to get a closer look and understanding what the impact was on us, don't hesitate to contact us - we'd be happy to share this with you!