On February 1, 2024 SoftComply held a webinar on Data Privacy and Security where Ocumetra shared their experience of preparing for and attaining the ISO 27001 certificate. The following is a summary of the questions asked and the answers given; the full case study can also be viewed in the YouTube video.
Ocumetra is an Irish company that helps patients (children in particular) with myopia management. Their product is Clinical Decision Support Software.
So, obviously we needed to ask this question first:
Q: Why did you implement an Information Security Standard (ISO 27001) when this one is, in fact, voluntary?
Toma Pervan (TP), MSc in Medical Device Regulatory Affairs, RA / MA Officer at Ocumetra:
“We are a completely paperless, completely on Cloud business. So, to protect ourselves, to protect the users of our tools and to protect our clients, we decided to pursue ISO 27001 certificate.
It helps us to maintain a framework and a document management system that guides us to be compliant and safe.
And the second reason is – one thing that I learned from a business school – a business of a business IS business. If it does not make business sense, why do it at all?
For us it made sense, because it was a selling point. It allows us to sign bigger and more lucrative contracts and be available on different markets.”
Q: How long did it take for your company to get certified and what were the biggest challenges for you?
TP: “It took about 6-7 months from the get-go. There is a lot of back and forth in the beginning to truly understand the requirements. We also engaged with a consultant early on, in the hope that this would speed up the implementation and that we would not miss anything important.
In retrospect that was a bit of wasted effort, as we learned that we could outsource an experienced internal auditor instead, who provided us with actionable insights on how to best prepare for the external audit.
Also, we discovered that some of the tools that we started to use provided very good insights on how to implement the requirements. For example, SoftComply Risk Manager Plus comes with pre-filled Controls and a checklist for monitoring the progress of implementation.
But as always, if you are starting off with something new, it is great to lean on expertise. Now that we are certified, I can recommend that there are many insightful resources available online that one could familiarise themselves with before committing to high-rating consultants, starting from LinkedIn InfoSec specialists that freely share their knowledge and of course Reddit and Advisera providing in-depth discussions on this topic.”
Q: You mentioned the high rates of consultants but what about the certification process itself – what are the costs of getting certified?
TP: “Yes, there are fees for the Notified Body and for the external audit. Also, as I said before, there is true value in having an external consultant for the internal audit as well. Especially if you are a smaller company like us, this will provide you with a fresh perspective – auditing your own job can be very tricky and prone to personal bias – you are simply too close to your systems and operations.
The first year is the most expensive in those terms: the cost of the standards, education and training, the tools you wish to use, the IS Officer compensation. Even if the IS Officer is someone internal with many other “hats” or roles within your organisation, it makes sense to compensate this person for the additional responsibility.
Now that we are in our 3rd year of running the ISMS, the cost is approximately 7k euros per year, including the internal and external audits and the fees for the Notified Body.”
Q: Do you also have a recommendation when to start working on Information Security?
TP: “We adopted the ISMS very early on in the product lifecycle and we find it beneficial for us. As we have been working on more than just one product over the last years, the new products were immediately included in the existing framework.
One thing that anyone starting this journey needs to remember is that being certified is not a static state. This is an ongoing process of improvements. Your ISMS will grow with you and not every issue can be foreseen.
General advice is that, as a beginner, you really should not stress too much; the auditors we have worked with are very supportive and they are not there to catch you out. Rather, they will help you to learn and improve.
All in all, it is not really that important when you start. You will start when you have the need to demonstrate being a trustworthy partner and vendor.
But, if you still need to “sell” the idea of implementing an Information Security standard within your company, think in terms of increased credibility in the eyes of customers and partners, attractiveness to investors and better access to contracts and markets.”