The client is a small, UK-based part of a large global company, and provides products and services to the NHS and other healthcare clients.
The client handles Patient Identifiable Data in both electronic and paper-based formats, and therefore needs assurance that this data is being handled correctly.
The client wanted to gain ISO 27001 certification in order to demonstrate that it has information security controls in place, and to support the requirements of the NHS Information Governance Toolkit.
ISO 9001 certification was already in place, but it was recognised that the quality system would soon need updating to comply with the revised standard, ISO 9001:2015.
IT and other head office functions are centralised and based outside the UK, leaving the client with little or no direct control over, for example, IT processes.
Cambridge Risk Solutions worked closely with the client and their Quality consultant to develop a comprehensive Information Security Management System (ISMS), enabling the client to proceed with certification. The ISMS was documented in such a way that the core documentation could be easily adapted to encompass the quality aspects that would be required for ISO 9001:2015.
Additionally, audit processes were identified that would enable the client to obtain assurance from the centralised functions, such as IT, that they were correctly following their own procedures, thus satisfying the risk treatment and control requirements.
We were delighted when the client was successfully certified to ISO 27001; this demonstrates that information security is in place and is maintained. Certification has also assisted with the tender process, and will further assist when the client decides to seek a higher rating on the NHS Information Governance Toolkit.
Cambridge Risk Solutions has since provided further assistance, for example guidance on the controls that the client needs to require from suppliers and potential outsourcing partners. Cambridge Risk Solutions also assisted in refreshing the procedures for ISO 9001 certification, and subsequently for certification to ISO 22301.