Tips for implementation of the ISMS

ISO 27001 is an international standard that specifies the requirements for implementing an information security management system (ISMS). Many medical devices are nowadays based on software, process large amounts of data and use novel software-based technologies such as machine learning and artificial intelligence. Having a system in place for managing information security is of fundamental importance and will also help to meet other specific FDA requirements, such as compliance with 21 CFR Part 11.

General Structure of ISO 27001

The current edition of ISO 27001 was published in 2013 and follows the high level structure (HLS), the structure common to ISO management system standards such as ISO 13485. The standard should be used together with ISO 31000:2018 (Risk Management): managing information security risk is essential for the implementation, maintenance and improvement of an ISMS.

ISO 27001 Clause by Clause

An overview of each clause of the standard is documented in the infographic reported below.

ISO 27001

ISO 27001 Certification Process

Certification of a company against the ISO 27001 requirements shall be performed by a third-party institution, such as a notified body, once the organization has implemented and established an Information Security Management System. The certification process consists of two steps:

  • The Stage 1 audit is a ‘documentation review’ audit: the auditor reviews the processes and policies to establish whether they are in line with the requirements of the standard.
  • The Stage 2 audit is the ‘certification audit’: the auditor conducts a thorough on-site assessment to establish whether the organisation’s ISMS complies with the standard. At this stage, the implementation of the ISMS is carefully evaluated.


The ISMS has the typical structure of any management system, so if your organization already has, for example, a quality management system in place, implementation will be easier. Many of the concepts, such as internal audit, management review and risk assessment, will already be familiar to an organization that holds a certified management system.

It is important to have an expert on board who guides the organization through the implementation of the ISMS, since this is often something that cannot be done entirely with internal resources.
