ISO (International Organization for Standardization) develops international standards for quality in many areas: information security, privacy, risk management, and many others. In 2018, there were more than 21,584 different standards; right now, there are more. They are important for regulating the quality of various business aspects and manufacturing.
Recently, we helped our client, who develops solutions for clinical trials, get ISO 27001:2013 certification. That type of certification shows that the company receiving it knows how to establish, maintain, and manage information security, and how to handle its risks.
Why they (and we) bothered with ISO 27001 and why you might want to
As the epigraph to this article shows, ISO certification is a mark of high quality. ISO certification shows all your future partners, vendors, and customers that you are not only talking security, you are doing it as well.
This specific standard - ISO 27001:2013 - and the certificate our client received after the audits show that they handle information security well. This implies they can do lots of things that are vital for digital health, the industry they operate in: protect their patients' data and health information, handle the security of financial info and network disruptions, discover cyber threats before they materialize, etc.
Market-wise, ISO 27001 certification is useful well beyond the digital health industry. Among the benefits of getting certified are these (some of them are interconnected):
The image of a secure brand. That sounds like a joke only until you meet a partner or a customer that requires you to have ISO 27001 certification - and more and more businesses do.
Increased trust from customers and prospects. ISO 27001 certification is like a +100 buff to your trustworthiness when it comes to data safety, accessibility, and integrity, so it adds great value to whatever you're offering.
Shorter sales cycles. That is especially true for industries where sales cycles are already super long and unbearable, like finance - and in healthcare, if you don't have ISO, you can't sell at all, especially if you want to work with clinical organizations. In these fields, stakeholders are always thinking about cyber threats, data leaks, and other unpleasant information security incidents that can - and do - cost them billions. With ISO 27001 certification you're showing them: we - and our suppliers, vendors, and outsourcing partners - are not like that; we'll do everything to protect you and prevent you from losing money. That helps them soften a bit.
International recognition. ISO is an international standards organization, so when you get certified, you get recognized internationally.
Quicker international adoption. If your company plans to expand internationally from any place in the world, ISO 27001 certification will show people there that you are committed to the continuous improvement of your security practices. It's a message that tells them: yes, we're ready to do everything to comply with, for instance, HIPAA regulations if you're expanding to the US, or GDPR if you plan to work in Europe, and there's evidence - the ISO certificate - that we know how to deliver on our commitment. That makes everything a bit easier.
Better management and alignment of information security with your business objectives. An ISO 27001 certificate is a sign that you have nailed information security in every aspect of your business and that it helps you reach your business objectives. It's adopted in your operations, it runs in your employees' veins, and if something changes, you're ready to adapt with your customers' and clients' data safety in mind.
We think that sounds like a beneficial package (with lots of headaches and migraines).
ISO 27001:2013: What it’s about
Well, first you need to know that the first step in getting ISO certification is an internal audit. You can do it yourself or hire a consultant to help you figure out the ISO 27001 requirements. Let's briefly discuss what those requirements are and what you'll need to do to meet them.
Now, as we've already said, this particular ISO standard - ISO 27001:2013 - covers information security. We call it a framework because the standard asks you to create a specific Information Security Management System (ISMS) that explains and describes how your organization manages information security risks.
Your adoption and building of this ISMS depend on seven aspects, described within the structure of the standard. They're formulated as requirements centered around the protection of information integrity, availability, and confidentiality.
Context of organization. In this part, you'll have to establish the scope of the ISMS and figure out who will take part in maintaining it and who has an interest in establishing it. That usually includes internal and external stakeholders (who may come up with specific requirements concerning information security), specific clients, customers, and so on.
Leadership. The previous part leads to making sure your C-level and top management are committed to protecting information within your business. This part is often overlooked because people consider information security an IT problem, whereas it must be implemented throughout the whole organization: sure, it's DevOps' responsibility to maintain the security of your servers, but it's management's responsibility to organize cybersecurity training.
Planning. Here, you have to outline the processes you'll use to detect, analyze, and treat information risks, and clarify the objectives of your program; in other words: risk assessment and how to execute it. For instance, while e-commerce and digital health startups may share the same high-level objective - protect their customers' (or patients') data - different kinds of data are involved, and different risks are associated with the loss or theft of that data.
Support. Here you'll find requirements on how to make information available and secure, on the competencies needed to maintain information integrity, confidentiality, and availability, and on document and records controls. In other words, this clause complements planning: it covers everything you need in order to conduct a risk assessment.
Operation. Contains requirements on how you will operate your security program and what documentation you must have about it, how you manage changes in your business environment, what you do when facing certain types of information risks, and so on. Here, you will have to produce a documented description of your risk assessment and its different practices, for your employees' and the auditor's convenience.
Performance evaluation. Requirements on how to figure out whether your security management system is working well (spoiler: how to conduct audits and/or reviews), how to evaluate whether controls and processes are adequate, and how to improve things when there's a need to do so.
Improvement. Requirements to be committed to continuously getting better and fixing things that go wrong (so they never go wrong in that particular way again).
This tedious list comprises clauses 4-10 of the ISO 27001:2013 standard, and that's where your top-level management recommendations will be.
Sections 11-18 comprise an Appendix with 114 controls covering different aspects of your information security; to figure out all of them, you'll have to download the standard from the official ISO website (because 114 is a lot). However, we will briefly describe what each group is about if you don't want to spend about $200 right now. Note that the document is really useful because, while certain parts of it are a bit vague or outdated, most of the controls in the appendix are understandable requirements that you will need, especially if you want to go through certification by yourself.
Now, to the Appendix!
Information security policies. An important thing to know about the ISO 27001:2013 standard is that every operation, even a minor one, needs a policy, and everything should be documented. This control asks you to create a policy on information security as a whole that explains what information security is, what the goals are, how you plan to control it, and so on.
Organizing information security. Information security has to be managed, and there should be a document that outlines who manages what, how confidential information is protected, and who oversees and updates the different documents - for instance, the information asset register.
Human resource security. Requirements on pre-onboarding evaluation of your employees or suppliers if they have to work with sensitive or confidential information, and on employee awareness training on how to maintain information security and navigate their way out of security incidents.
Asset management. That's one of our favorite controls. It requires you to create a document that identifies and classifies every information asset your business has, along with guidelines on how these assets are structured and managed. It is one of the most important controls in the section, as internal corporate networks are inherently exploitable, especially right now when we're working remotely.
Interestingly, assets are not only your media, PDF documents, contracts, and other important data you've gathered from your clients, partners, or customers, but your employees, too. The logic goes like this: if John Doe from the software development department is the only one with the skills to get the servers back online after a disruption, then when John Doe quits, you lose the ability to control information security. So John Doe is an invaluable asset, and you must have a contingency plan in case he quits or goes on vacation.
Access control. Covers assigning different levels of access to different information for your employees and your suppliers: access to the building, work computers, network folders with sensitive info, and so on. Here you should also outline the access termination policies that apply after a person quits.
Cryptography. Controls on policies concerning the maintenance and protection of cryptographic keys (for instance: if a cryptographic key is compromised, how do you handle it?).
Physical and environmental security. Controls here cover security aspects that apply to office spaces or other places where work is done (e.g. home), server rooms, and so on. Is there a locked cabinet for confidential files, if you have such files? Is there climate control? Are there evacuation plans, and plans for what to do if a natural disaster hits?
Operations security. Here you outline how you execute all the other controls in the Appendix. Every procedure must be documented, and it's best if your organization has a single file available to every department, where each department writes down what information it has in its possession, how it is protected, and how it will react if something happens to it. You (and your employees from different departments) should also describe here how you handle malware and other cyber threats, and how you manage and react to changes in the infrastructure.
Note that a centralized operating procedure guide (constantly maintained and updated) is needed not just because it's... useful. It's necessary because it's very inconvenient to ask every department to scrape together its own information security document and then combine them into one for analysis when auditing your own business. It's even more inconvenient to hand seven different guides to an auditor.
Communications security. Controls that tell you to secure data at rest and in transit, how to protect the organization's network and the software you're developing, and so on.
System acquisition, development, and maintenance. Controls on everything regarding software development, i.e. code and code changes: how product development should be managed with information security in mind and how to apply the ISO 27001 framework to your development environment.
Note that if you download the document from the ISO website and read it, you'll see that most recommendations on aligning management, information security practices, and software development are vaguely reminiscent of the waterfall management style, which is a bit old, to say the least. However, it's possible to adopt the essence of the controls - how to establish risk assessment and security gap removal - in your agile development framework. This standard was revised in 2018, but the main parts were written in 2013; that doesn't mean the security recommendations you'll find there are inadequate.
Supplier relationships. One of the controls that makes ISO 27001 certification both a good thing for establishing a competitive advantage and a headache. You have to make sure your suppliers - in particular, everyone in your supply chain, all vendors, all third-party providers, all companies you outsource to - are committed to protecting information confidentiality, availability, and integrity at least as passionately as you are.
For healthcare, supplier credibility in terms of information security is a bit of a sore spot if we remember the hundreds of cases where hospitals' data has leaked because of a hole in their EHR. You must oblige your suppliers to be proactive about security, comply with the security practices you employ, and manage risk in an appropriate and documented way.
Note that when you get ISO certification, that doesn't mean all your suppliers and vendors suddenly have one, too. It only means they're as good at security as they are - without the international recognition. *wink*
Incident management. Controls that oblige you to document and know how you'll react to security incidents, how to report them and mitigate their consequences, who is responsible for handling and reporting them, and so on.
Business continuity. Policies and controls on recovery operations: how will you behave when coronavirus hits? How do you do disaster recovery? Who will get your app back, and how, if it's hit with malware? In other words, what measures and policies help you keep calm and carry on.
Compliance. Policies on handling and complying with clients' contracts and the different regulations that cover your area of business.
How the certification goes and how to prepare for it
First of all, let’s talk about timelines.
Internal audit. From a month to a year.
As we've already said, the first step to getting ISO certification is an internal audit. Before the internal audit, you'll have to dive into the ISO 27001:2013 requirements and figure out what needs to be done; the scope of work will vary depending on the state of information security in your business. You might want to hire a consultant if you're facing difficulties. Working with them will teach you and your team how to conduct internal audits yourselves, which is very useful both for your company and for your later ISO certification process. The planning advice is this: if you think implementing every control in the ISMS will take a month, plan for three.
Don't forget that the internal audit is your time window to learn how to document every process and make every piece of evidence that a control exists as available as possible. For instance, if you claim that you have an access control policy in place, you need to be able to quickly produce a document that specifies access controls within your organization.
Stage 1 Audit. From a day to a week.
Now, ISO doesn't do audits; it just develops standards. To get certified, you need to contact one of the credible certification firms. The stage 1 audit goes like this: they come to you, read through all the documentation, meet the company's C-level, and set the scope of the things they need to check.
Note that sometimes auditors will have no experience in your industry, and you'll have to explain how information security practices apply to your business model, your relationships with customers, and so on. If you want to avoid cases like this, our advice is to go to firms that position themselves in particular industries (but the certification may be more expensive).
Stage 2 Audit. One to two weeks.
The stage 2 audit is on-site, so its length depends on the size of your company. If you have, say, departments in three different locations in the country, they'll have to visit each one, so account for that. In stage 2, they'll dive into all the controls you've claimed to have established and ask you to show how you implement security in code, in threat detection - in other words, in all the aspects you should. That can be very tiring, but it's worth it.
Recommendation for certification. They'll give you a list of improvements if there are any to be implemented.
Certification Review & Decision. They review your documents and processes to check that you've complied with their recommendations, and if you have, you get your ISO 27001:2013 certificate - but this is not the end! Every year for the next three years, an auditor will come to check that you remain committed to information security. After three years, you'll get another ISO certificate showing that you are up to continuous information protection.
In general, the whole process takes about six months: five months for the internal audit and one for the certification firm's audits.
Frequently asked questions
How much does ISO 27001 certification cost?
It depends on the firm you go to and on the size of your organization. The cost may vary from $10k to, like, $100k.
What if I have security gaps? Will I still get a certificate?
Yes, you will. The thing with business is that it's always risky. ISO 27001:2013 includes a control called gap assessment: it requires you to document all the flaws you have in your framework and how you plan to react if they are exploited. The other case is when you have gaps that you haven't documented and haven't developed plans to remove - with clear, outlined deadlines that auditors will review on their next visit. That, of course, won't do.
Does ISO certification help with compliance with other regulations?
Yes, ISO is often used to unify the different compliance programs in a business. It's a framework that helps you adjust your organization's security to comply with HIPAA, SOC 2, PCI DSS, and so on.
If you have any questions about ISO 27001 certification, contact us. If you want to receive useful info for digital health startups, sign up for our newsletter below.