ISO 27001 based Information Security Management System (ISMS)

Organizations and their information systems and networks are exposed to security threats such as fraud, espionage, fire, flood and sabotage from a wide range of sources. The increasing number of security breaches has heightened information security concerns among organizations worldwide.

Security is like a chain. It is only as strong as its weakest link.

An Information Security Management System (ISMS) is a systematic and structured approach to managing information so that it remains secure. ISMS implementation includes policies, processes, procedures, organizational structures and software and hardware functions.

The ISMS is analogous to the Quality Management System (QMS) defined in ISO 13485, which medical device manufacturers are familiar with, but its goal is to manage information security in a systematic way rather than quality.

The following are key factors within an ISMS:

Confidentiality: Protecting information from unauthorized parties
Integrity: Protecting information from modification by unauthorized users
Availability: Making the information available to authorized users

An ISMS is relevant to all organisations, regardless of whether they use stand-alone computers or complex heterogeneous network systems.

In the medical devices sector, there is a potential for harm to patients and operators, and this introduces a new dimension to information security. Risk management in medical devices seeks to minimise the risk of harm to patients and personnel. Where hazardous situations can be caused by information security breaches, either through corruption of data integrity or through lack of availability of data when it is needed, an ISMS is the best mitigation because it provides a systematic approach to the management of information security.

MDProject consultants are specialists in developing Information Security Management Systems in the medical devices sector. We have supported several medical device companies with the set-up of an ISMS (based on ISO 27001), typically integrating the specific ISMS requirements into an ISO 13485 and/or MDD based quality management system.

In addition, we can provide training on this topic, or conduct internal audits taking into account ISO 13485, MDD and ISO 27001 requirements at the same time.