Two Birds, One Stone: Here’s How to Address ISO 27001 and 13485 at the Same Time

By Chris Souza | September 19th, 2019

As someone who has been providing IT support to SMBs for nearly 30 years, there’s one topic that seems to come up with my clients over and over (and over) again: Compliance.

We all understand that compliance is important – there’s really nobody on the other side of that issue. But where people start to get frustrated has to do with how unclear compliance requirements can sometimes be. I was having a working lunch with a client of mine in the medical device industry, and he raised that very concern to me over our appetizers:

“Chris, I just don’t understand the difference between ISO 27001 and 13845,” he said to me. “I think they’re both trying to do the same thing, just in two different ways? Maybe? Which one do I have to be concerned with? We’re not even in medical device manufacturing, we just handle the service – which one even applies to me?”

It’s an understandable set of questions, even though I could see they were frustrating him a great deal. That’s when the smirk on my face evidently gave away my thoughts on the topic.

“Why are you smiling?” he asked.

“Let me put it to you this way,” I replied. “Why go to all of the trouble of becoming compliant with one or the other when you can nab both at the same time for half the effort?”

To get a better understanding of exactly what I meant by that, there are a few key things you’ll want to keep in mind.

What is ISO 13485?

To put it in the simplest possible terms, ISO 13485 outlines the quality management system requirements for not only medical devices, but also all related services. It’s a way for organizations to demonstrate their ability to provide these devices in a consistent way that meets both customer needs and any and all applicable regulatory requirements.

It’s important to note that the types of organizations that must adhere to these requirements can be present across all stages of the development lifecycle, including but not limited to design, development, production, storage, distribution, installation and even servicing.

All of this has become critical over the last few years in particular, as the term “medical devices” itself is becoming broader all the time. Not only are you now talking about physical, standalone assets, but ISO 13485 seeks to act as a type of quality control measure for ANY Internet of Things-powered devices, too. This can include software-controlled hardware like CT scanners and even MRI machines.

What are the ISO Requirements?

As stated, the major requirement of ISO 13485 involves the presence of a Quality Management System, otherwise known as a QMS. This is a formalized system that helps organizations better document processes, procedures and responsibilities, all of which are directly related to achieving quality policies and objectives during their role in the lifecycle of a piece of hardware.

Interestingly, ISO 13485 does not actually outline any formal requirements for what shape that Quality Management System must take – only that one be present. This is one of the major areas where it differs from ISO 27001.

The major benefit of compliance in this case comes by way of the advantages generated by the Quality Management System itself. Not only is a QMS a great way to improve the efficiency of processes across the board, but it’s also a perfect opportunity to reduce waste (and ultimately lower costs). A QMS also helps to identify and create new training opportunities, thus creating a more engaged workforce, too.

Why Does ISO 13485 Exist?

Part of the reason why ISO 13485 came into being has to do with the increased volatility of the cyber landscape as it exists today. Not only are security breaches expected to cost healthcare organizations an amazing $6 trillion by as soon as 2020, but about 89% of all healthcare organizations have ALREADY experienced a data breach which at some point within the next two years will arise.

In an effort to make sure that private and confidential patient and consumer information actually stays that way, a more thorough look at the processes of creating and securing these devices is needed – which is a large part of what ISO 13485 helps to do. In addition to guaranteeing the safety of consumers and patients, for many organizations it’s also a viable way to accommodate changing compliance and regulatory requirements.

The Art of Risk Management and Risk-Based Decision Processes

If you want to make the most informed decisions possible and mitigate risk whenever and wherever you can, you need to make sure you have the most complete, accurate and actionable information to work from. In a larger sense, this is where ISO 13485 and ISO 27001 intersect.

Both are about verifying controls that are in place within an organization, giving people more visibility than ever before into the production and long-term care of these devices. Armed with that data, managing risk and making informed, risk-based decisions becomes easier. An increased alignment with regulatory documentation, along with compliant handling and regulatory reporting, also helps businesses to adhere to ever-changing regulatory requirements in a far more proactive way.

But the larger area where ISO 13485 and ISO 27001 are similar has to do with how they hold accountable those organizations that intersect with medical device manufacturers around the world. Consider that both aim to create:

  • A far more robust, verified planning and validation transfer AND records maintenance with regards to the design and development activities that all parties are engaged in. This, of course, creates a
  • Harmonization of validation requirements for different software applications, thus bringing about a larger degree of security moving forward. This can include not only the aforementioned QMS, but also factors like process controls, monitoring and measurement.

The major area where ISO 13485 and ISO 27001 differ is, ironically, on the subject of just HOW all of this is supposed to happen. ISO 13485 doesn’t define exactly what shape a QMS should take, as stated. It also doesn’t require certification of any kind, where ISO 27001 does. However, while ISO 13485 is somewhat frustratingly vague… it also alludes to most (if not all) of the controls that already exist within ISO 27001. Which, if you’re trying to maintain compliance with both of these concepts at the same time, is one of the most important gifts you’ve ever been handed.

Killing Two Birds With One (Compliance-Shaped) Stone

All of this is to say that your organization could spend a lot of time, money and energy on trying to properly bring yourself up to speed with ISO 13485… or you could just focus all of your attention on ISO 27001. Because the open secret here is that by becoming compliant with ISO 27001, you are ALREADY essentially compliant with ISO 13485.

Truly, it doesn’t get much more straightforward than that. Both of these things remain hugely important, as together they help to guarantee a robust and comprehensive security strategy and posture for your business. But even more than that, they go a long way towards helping you to effectively address the increasingly volatile cyber landscape that we’re all now a part of… and that point in particular is only going to get more important as time goes on.

Chris Souza is the CEO of Technical Support International, a compliance-minded IT support company based out of Foxboro, Massachusetts.
