Implementation of ISO 27001 as part of the GDPR compliance journey

#1
Hello everyone,

I currently work for a start-up company that develops a class IIa active monitoring medical device. The system will process sensitive personal data concerning health from patients at the hospital, hence we fall under the scope of the GDPR.
It is not yet on the market, which leaves us some time. We are currently working on getting the device CE-marked.

I recently became aware that implementing the ISO 27001 standard (“Information security management”) would be an interesting start in our GDPR compliance path, since it would give us a framework and help us comply with about 75-80% of the GDPR.
I have been learning a lot on the subject ever since, but I still have a few questions in mind, and was hoping that we could start a discussion around the topic.

- First of all, any general experience feedback would be appreciated on the question. If your company implemented ISO 27001 as part of GDPR compliance, or on its own, any impression or piece of advice would be very welcome.
- I am mainly trying to assess the effort needed to get ISO 27001 certified right now, but I understand it might depend on several parameters such as the size of our company (we’re only 7 employees), our budget, the time we have to comply, and simply what the gap is between where we stand right now with our Information Security Management System (ISMS; which is basically non-existent at the moment).
- The budget is quite a concern of mine, since I didn’t find two sources mentioning the same range of investment; it went from 5000€ to 100,000€. Once again it might depend on the factors mentioned above, but any feedback on the external costs would be welcome (consultancy + certification), especially for a small company.
- Then we can also wonder if going for the certification itself would be really necessary. From my perspective, it would be “too bad” to go through these efforts and not get certified, since it could be quite a compliance and competitive advantage.
- The time spent on such a project is also something I fail at assessing in an accurate manner right now, but I get the idea that this will be naturally quite a big project, not something that takes a few weeks.
- I was wondering if anybody has used ISO 27002 (“Security techniques – Code of practice for information security controls”; which as I understand it is more of a detailed guidance on the ISO 27001 Annex A controls) and BS 10012 (“Personal Information Management”). Although I understand the relevance of ISO 27002 in this context, would BS 10012 be redundant if we are already looking at ISO 27001?
- Finally, I’ve even been wondering about the relevance of such a project for a small company like ours. If we have a Data Protection Officer (DPO) for example, would that guide us enough on our compliance journey? Or would you still advise a small structure to go for ISO 27001 anyway (since the framework would be very concrete then)? It can get quite confusing.

I am looking forward to some feedback on your experience with this topic. Thanks a lot!

Laura
 

Rajesh Satam

#2
Hi Laura, as per the information you have provided, it seems implementing an ISMS or ISO 27001 may not be that difficult assuming the size of your organisation. An ISMS is the first step you need to take if you want to get your organisation certified.
I don't have any practical experience in GDPR implementation but can certainly help you with ISO 27001 implementation.
 
#3
Hi Laura:

I am currently engaged in ISO 27001 implementation. You don't say where you are located, but ITG have a good white paper called "9 Steps to Success". It's a little heavyweight for small businesses, but has some good advice.

On the budget side, it's going to cost whatever you need to pay for. It's going to be very dependent upon what your "scope" is - what information you need to keep secure (it's not always just information in electronic form) and what controls are necessary from the Annex A list. How you determine those is by creating a "statement of applicability". Do a Gap Analysis (I used a free form from www.iso27001security.com) and also use ISO 27002.