ISO/IEC 27001 for Healthcare

Few organisations handle more sensitive and personal data than healthcare providers. Ensuring data is safe, secure and accessible is critical.

Why ISO/IEC 27001 for healthcare?  

An organisation stores information digitally, on paper and as employee knowledge. Secure information is an important factor in patient safety in healthcare institutions. Patient journals and data such as laboratory reports are sensitive and should only be accessed and used by those with the correct authorization. Timely access to up-to-date information is also crucial for medical personnel in order to maintain safety and ensure correct medical treatment based on correct data. Failing to provide necessary patient or medical information can, in the worst case, result in lives lost. IT systems are necessary to store and access patient data, as well as to conduct medical research. An efficient management system will help you to ensure both data and patient safety.

ISO/IEC 27001 is an internationally acknowledged management system standard for information security. By implementing an information security management system compliant with ISO/IEC 27001, you ensure that your organisation identifies and mitigates the risks related to handling sensitive and vital data. A certified management system is compliant with applicable national legislation and international best practice. Certification assures patients, authorities and other stakeholders that you are handling all relevant information security aspects.

How ISO/IEC 27001 certification supports your organisation 

A certified information security management system demonstrates commitment to the protection of information and provides confidence that assets are suitably protected, whether held on paper, digitally, or as employee knowledge. Such a system takes a systematic approach to minimizing risk and ensures compliance with legal and other requirements. More specifically, it helps you to:

  • Control, manage and correctly handle the information that your organisation possesses.
  • Take an active approach to data management and to securing vital information.
  • Identify and mitigate risk related to handling of information.
  • Comply with relevant national and international legislation.
  • Ensure continuity of operations in case of information security incidents.
  • Provide assurance to patients, authorities and other stakeholders that sensitive information is safe.

How do I get started? 

  • Familiarize yourself with the ISO/IEC 27001 standard. Training programs are available, and the standard can be acquired on iso.org.
  • Identify all applicable legal requirements that you must comply with.
  • Get an overview of the information assets in your organisation.
  • Conduct a risk assessment to identify and understand the risks to your organisation’s data. Third-party pre-assessments may prove valuable in an early phase of the implementation.
  • Prioritize the risks and choose actions to be implemented to mitigate risk and ensure an acceptable risk level.
  • Ensure top management commitment. Effective implementation of a management system requires commitment from the top level through to the entire organisation.
  • Engage an accredited certification body, such as DNV - Business Assurance, to get started with the certification process.

Certification and continuous improvement of your management system is a journey. As your third-party certification body, DNV - Business Assurance will perform yearly audits and re-certification every third year. Additionally, you will need to conduct internal audits and management reviews in order to develop the management system in line with a changing risk landscape.
