I SOOOO WANT TO KNOW ISO/IEC 27001 for Information Security, Cybersecurity and Privacy Protection


In our medical industries (e.g., life science, medical device, pharma etc.), companies face unique challenges as the world of technology constantly evolves and changes. Ensuring the safety, integrity, and confidentiality of sensitive data, especially health information and donor records, is paramount and critical. Welcome to our introductory blog for information security management systems (ISMS)! In this landscape, international standards along with regulatory requirements from the Food and Drug Administration (FDA) play critical roles in shaping robust information security and compliance frameworks. Let’s dive in!

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) together form the specialized system for worldwide standardization [1]. These groups developed ISO/IEC 27001:2022, which provides a framework for organizations to identify and assess information security risks, implement controls to mitigate those risks, and monitor and review the effectiveness of the controls on an ongoing basis [2]. The requirements organizations must meet when safeguarding their information systems include, but are not limited to, performing risk assessments, managing assets, controlling access, using cryptography, and managing incidents.

Three (3) core principles [2] central to ISO 27001, also known as the “CIA” triad, are used to assess and manage risks within the ISMS. These are:

  • Confidentiality – protecting information from unauthorized access. This involves implementing measures such as data encryption, user authentication, access control, and data classification to prevent sensitive information from being seen by unauthorized individuals.

  • Information Integrity – ensuring that information is accurate, trustworthy, and has not been altered in an unauthorized way. This involves measures such as access controls, data hashing (e.g., password authentication, electronic signatures, etc.), and validation checks to maintain the accuracy and completeness of data.

  • Availability of Data – ensuring that information and the systems that process it are accessible and usable when required. This is managed through business continuity planning, disaster recovery, and making systems robust enough to remain accessible when needed.

The five (5) basic security principles are the CIA triad plus two (2) additional principles:

  • Confidentiality

  • Integrity

  • Availability

  • Authenticity – the process of verifying the identity of users and systems, which ensures that a person or system is who it claims to be. This is where using multiple authentication factors for verification comes in.

  • Non-repudiation – means that transactions can be traced and verified. It provides proof that a specific action was taken by a specific user (an audit trail) and holds that user accountable, supporting transparency and responsibility.

In addition to the three (3) core principles listed above, this standard includes a total of ten (10) sections with the core clauses (the ISMS framework) listed below:

  • Clause 4: Context of the organization – addresses understanding the organization and its interested parties and defining the ISMS scope.

  • Clause 5: Leadership – focuses on top management’s commitment, the information security policy, and organizational roles and authorities.

  • Clause 6: Planning – includes actions to address risks and opportunities and setting information security objectives.

  • Clause 7: Support – covers resources, competence, awareness, communication, and documented information.

  • Clause 8: Operation – outlines operational planning and control, risk assessment, and risk treatment.

  • Clause 9: Performance evaluation – deals with monitoring, measurement, analysis, internal audits, and management reviews.

  • Clause 10: Improvement – covers nonconformities, corrective actions, and continual improvement.

The Annex A reference controls are grouped into four themes (numbered 5 to 8 within the annex) and are used in the context of clause 6.1.3, information security risk treatment:

  • Organizational controls (Annex A.5) – controls related to the management structure, policies, and procedures within an organization.

  • People controls (Annex A.6) – controls related to employees’ roles, responsibilities, and security awareness.

  • Physical controls (Annex A.7) – controls that protect physical assets and the environment.

  • Technological controls (Annex A.8) – controls related to the implementation and use of technology.

ISO 27001 provides a systematic approach for organizations to manage sensitive information, encompassing people, processes, and Information Technology (IT) systems. Its core objective is to protect information assets by identifying risks and implementing appropriate controls. Complementing it, ISO 27002 offers practical guidelines and best practices for selecting and implementing information security controls. In short, ISO 27001 outlines the “what” and “why”, and ISO 27002 provides the “how” for establishments seeking to safeguard their data.

Tissue banks that harmonize ISO 27001/27002 practices with FDA requirements gain a comprehensive approach to information security and regulatory compliance. By embedding ISO controls into FDA-mandated processes, they can:

  • Strengthen protection of donor and recipient data.

  • Improve traceability and accountability across the product lifecycle.

  • Reduce the risk of data breaches and regulatory violations.

  • Enhance organizational reputation and trust with stakeholders.

By leveraging the best practices in ISO 27001/27002 and aligning them with FDA requirements, establishments can build robust systems that protect sensitive data, ensure product safety, and demonstrate regulatory compliance. In an era of increasing data threats and stringent oversight, such integrated approaches are essential for safeguarding both patient health and organizational integrity.

What are the best practices in ISO 27002? Have you heard of Pen Testing? What is SOC2? Check back as we continue navigating the basics of Information Security Management Systems as one of our industry trends! See you next time!

References

[1] ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection – Information security management systems – Requirements.

[2] https://www.iso.org/standard/27001
