PrecisionLife ISO 27001 Certification: The Importance of Trust

PrecisionLife recognizes the privilege and responsibility inherent in working with patient and customer datasets and is wholly committed to secure information management. We routinely work inside the scope of HIPAA, GDPR, Non-Disclosure Agreements, Material Transfer Agreements, Data Sharing Agreements, commercial contracts and other international information security and privacy frameworks.

To provide a set of overarching information security systems, processes and policies for all of these we became accredited for ISO 27001 in 2018. ISO 27001 is the leading international standard for information security.

What is ISO 27001?

ISO 27001 is an accreditation awarded by the International Organization for Standardization (ISO) that contains a set of high-level standards for systems and policies to handle information securely.

The cornerstone of ISO 27001 is the assessment and management of risk. We had to design and implement an Information Security Management System (ISMS) containing stringent safeguards to ensure the confidentiality, integrity and availability of every dataset, study, and system we deliver. ISO 27001 provides requirements for the ISMS, outlines a set of policies and best practices, and details the security controls necessary to manage information risks. We tailored and extended these to suit our specific requirements.

The ISMS also defines how people and processes within a business can handle information securely. Four key aspects are crucial to complying with ISO 27001:

  • Security – information is proactively protected from external (and internal) threats and is managed at every stage in a way that ensures it is not disclosed
  • Privacy – information is only disclosed to authorised parties, only when appropriate, and only once all conditions attached to it have been met
  • Integrity – information stored and used is accurate and up to date
  • Availability – information is available and accessible when it is needed to help deliver services

Why did we pursue the certification?

We’re committed to protecting our clients’ data and believe that having the highest standards of information security is an essential part of operating a business that our customers can trust. To achieve the certification, we became even more process-driven and consciously focused on the need for continuous information management and protection. We have used this to great effect in our project management, product development and customer delivery workflows.

The ISO 27001 certification provides a framework and checklist of controls that allow us to maintain a comprehensive and continually improving model for information security management. Our ISMS Committee meets once every three months to review our processes, and we undertake an internal audit of our processes every twelve months, which helps us to stay on top of our information security.

Our ISMS includes several controls:

  • Legal controls such as NDAs, MTAs, DSAs and other contractual agreements
  • Organisational controls such as our Access Control and Network Policies
  • Physical controls such as building security and alarm systems
  • Technical controls such as antivirus software and secure data repositories
  • Human Resource controls including thorough training and regular testing

How did we achieve it?

Sonia, our Group Operations Manager, spearheads the design and annual renewal of this accreditation by conducting thorough internal audits of our processes on an annual basis. She is aided greatly by our CTO and Senior Engineer, and supported by the whole PL team who understand the value of strong information protection at every stage of their work. Our internal audits give us an opportunity to review and continuously improve our systems, processes and policies before submitting them for external audit.

Every year an independent certification body (QMS) runs a detailed audit across the whole business to test whether all aspects of our ISMS meet industry best practice and the requirements of the ISO 27001 standard. When this has been demonstrated, they award us the certification.

In October 2020 we passed our third independent annual renewal audit with no issues raised, an achievement of which we are quietly proud, as it demonstrates the importance placed on information security by every member of the PrecisionLife team.

This means our clients and collaborators can have confidence in our processes and data management, enabling us all to focus on generating new insights into complex, chronic diseases.

[Image: BSI ISO 27001 standards mark]
