Posted on

Integrating ISO27001 and ISO13485

Information Security and Quality Management Systems (ISO 27001 and ISO 13485) : How can they be integrated? 

By Fiona Beardwell, Regulatory Specialist and Linda Garrod, QMS specialist

ISO 27001 details the requirements for establishing, implementing and maintaining an information security management system (ISMS) for managing and protecting company information including personally identifiable information. Those medical device companies seeking to work with government organisations, like the NHS, quickly discover the expectation for some form of Information Management and Cyber security system. ISO 27001 certification is one way to fulfil these expectations, and the principles covered by ISO 27001 are closely aligned with the NHS digital toolkit/data security requirements. 

As many medical devices now include a software element or are software-only devices (known as SaMD – software as a medical device), information security has become increasingly important to manufacturers. Furthermore, tightened privacy laws across the globe place additional responsibilities on manufacturers to protect patient data and prevent cyber-attacks which could result in patient harm. Rather than having separate and disjointed management systems for information security (ISO 27001) and Quality Management System for medical devices (ISO 13485), having one holistic system established within the organisation, ideally during the Design and Development, will support creation of safe and secure medical devices and supporting systems. Both standards apply a risk based approach to the Management System.

ISO 13485 applies risk in the context of risk to safety and performance of the medical device. For ISO 27001, risk and opportunities are key inputs into the planning of the Management system from a prospective of achieving ISMS intended outcomes, reducing undesired effects and aiding determination of the Annex A controls to be applied. Therefore, I would recommend approaching information security risks and medical device risk management separately. Where the information security risks relate to an SaMD or onboard software of a physical medical device, relevant elements of the information security risks shall become an input to the ISO 14971 risk assessment process. ISO 27001 and ISO 13485 apply the same core management system principles of Plan, Do, Check, Act and following this approach aids designing standardised approaches to processes.. 

So, for those looking to start your ISMS & QMS journey, the first key steps falls within the Plan phase, where you;

• Identify all the applicable industry standards and regulatory requirements relevant to your device, systems and the information involved.

• Identify your interested parties including patients, users, customers, suppliers and regulators and their requirements/expectations. 

• Identifying your existing business systems, resources, organisational competencies and infrastructure needs 

Pulling all these elements together and identifying any conflicting requirements allows you to devise a clear plan for creation of your managements system, as well as your quality and information security objectives, which will drive your future activities. Commented [LG1]: Might be worth including global privacy laws as another reason for info security and an increase in cyber attacks

The ‘Do’ phase can be the longest and most intense part of any management system implementation as you create meaningful policies and procedures, designed with the user in mind, guiding your team through the processes needed to consistently generate the desired output, support production of safe devices, securely manage data and utilise a risk based approach to all activities. While it may be optimal to create a holistic management system from the start that doesn’t mean, if you already have an established ISO 13485 QMS, that incorporating the requirements of ISO 27001 is impossible. In fact in many areas the requirements can be built into your existing ISO 13485 procedures and simply complemented with additional policies and procedures where appropriate. 

Where your management system contains requirements from multiple sources, your ISO 13485 mandated Quality Manual is an excellent place to explain the applicable regulations and the interactions of the processes. I would recommend providing an overview in the opening sections of the manual, including where possible a visual depiction of the interacting QMS and ISMS processes, and then providing additional detail on the specifics of the Information Security Management System at the end of the manual. This structure will help to provide top level clarity of the interacting processes with easy access to further information where required. This can be particularly useful in certification audits to easily explain the elements relevant to each standard. The ‘Check’ and ‘Act’ phases of both standards ensure security of processes and data, safety of devices and continual improvement of the management system. Internal audits are a feature of both standards and allow for reflection on the processes implemented and potential opportunities to improve. A good management system is never done; it should always grow and adapt as the risks and requirements within the field in which it operates evolve. Elements such as change control, management review, nonconformity and corrective action can drive continual improvement, which is crucial to all Management Systems.

ISO 27001 confers a number of benefits to your organisation:

1) Compliance – provides a framework to comply with regulations regarding data protection, privacy and IT governance and contractual obligations. 

2) Gives you a marketing edge to differentiate your company from competitors. 

3) Reduces expenses cause by incidents. Preventing incidents in the first place saves money in the long run. 

4) Strengthens your organisation by defining responsibilities and processes. 

So If you need any help with integrating ISO 27001 into your company, or even want to begin implementing your QMS as a starting point, then please contact us here and Casey will point you in the right direction