News & Commentary on ISO Management System Standards

    Why ISO 13485 Certified Companies are adding ISO 27001


    Patient data security concerns have led to a big increase in the number of medical device manufacturers adding ISO 27001 to their certification portfolio.

    Patient safety risk assessment has shown manufacturers that significant risks are going uncontrolled, risks that an ISO 27001-compliant information security management system (ISMS) can address.


    Reasons Why Manufacturing Companies are Adopting ISO 27001

    There are three primary reasons... 

    1.  To manage and provide objective evidence of compliant handling of Personal Data

    Manufacturers are being asked to demonstrate compliance with a wide variety of regulatory and sector-based requirements regarding patient data security.  The list includes...

    • EU GDPR
    • UK GDPR
    • UK DPA 2018
    • UK PECR (Privacy and Electronic Communications Regulations)
    • CCPA (California Consumer Privacy Act)
    • CPRA (California Privacy Rights Act)
    • UK NHS Digital Technology Assessment Criteria (DTAC)
    • SOC 2 compliance
    • ISO 27701
    • ISO 27018
    • ISO 27799
    • US Health Insurance Portability and Accountability Act (HIPAA)
    • And so on.

    Demonstrating compliance against each of these individually would be a nightmarish task; it is far better to address all information security within the scope of an ISMS certified to ISO 27001. The standard requires the ISMS to identify the legal, statutory, regulatory and contractual requirements that apply to the organisation and to keep them under control, so the independent certification and annual surveillance audits provide ongoing evidence that those requirements are being managed. One caveat a practitioner will want stated: an ISO 27001 certificate is evidence of conformity to ISO 27001, not a certificate of GDPR or HIPAA compliance in itself; what it demonstrates is that the processes for meeting those obligations exist, are followed and are independently audited.

    An added bonus: you limit the number of external audits that need to be conducted.



    2. To protect the information assets of cloud-based apps

    These can be stand-alone software apps, or apps that save data to and/or exchange data with a smartphone, smartwatch or similar device. Questions such as whether end-to-end encryption of transmitted data is provided, how the keys are managed, and who can access the data once it is stored in the cloud frequently arise. ISO 27001 implementation is the obvious answer: the controls that answer those questions (cryptography, access control, supplier and cloud-service security) sit inside the ISMS, and independent auditing confirms on an ongoing basis that the regulatory and contractual requirements behind them are being met.

    3. To reassure stakeholders that information security is taken seriously.

    Stakeholders, including major customers, hospitals, health services and others, are concerned about cybersecurity, in addition to their concerns about protecting personal information and customer/supplier intellectual property.  There are two concerns here...

    1. Is cybersecurity sufficiently robust to minimize the chance of a ransomware attack interrupting the provision of products and/or services (e.g. maintenance of medical devices)?
    2. Is cybersecurity sufficiently robust to prevent a breach of your systems being used as the route for a successful attack on the stakeholders' own computer network?

    In both cases ISO 27001 certification can provide the reassurance that's needed.

    Without ISO 27001 Certification, 'you're not at the races'!

    Start-up and early-stage medical device manufacturers are now regularly reporting that they can't get buy-in from stakeholders without bringing both ISO 13485 and ISO 27001 Certification to the table. Participation in research projects, trials, and initial orders is proving nearly impossible without them.

    And ISO 27001 training is just a click away... Check out our list of available ISO 27001 courses to see which is the best option for you.




    Related Articles


    deGRANDSON Global is an ISO Certified Educational Organization

    In October 2021 we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
