ISO 27001 Compliance in Life Science

PipeBio is the ISO 27001 certified bioinformatics cloud for antibody drug discovery and screening.

Today we sat down with Reidar Poulsen of ProcessManager and learned about his job as an ISO consultant, what it means for a company to become ISO 27001 compliant and what the certification is all about. Here is the transcript:

Great to have you with us today and thanks very much. Could you start off by telling everyone a little bit about your background and how you got into this field?

Thanks for letting me be here. I have worked as a manager at various levels for many years, and a few years ago I started working with management systems as a consultant for ProcessManager. We work with management systems for, among other things, quality, safety, health, and environment. Management systems for Information Security are also included in the portfolio, where I have prepared a template that meets the requirements of the ISO 27001 standard.

So let’s start with the obvious one. What exactly is ISO 27001?

ISO 27001 is a standard for information management systems. It is a text that describes several requirements that should be met by an information management system. The ISO abbreviation stands for International Organization for Standardization, which is the largest and most recognized publisher of standard texts. The text can be bought, used, and followed by everyone, but some go a step further and become certified by an external certification agency, as PipeBio has done.

People often think of ISO certification as a lot of writing and overhead for an organization. Is that true? Or is it more of a practical thing used in day-to-day operations?

ISO’s requirements for management systems are common sense put into a system of interdependent processes. Therefore, healthy and well-run organizations are likely to meet many of the requirements before thinking about ISO certification. If you have not already done so, then in a management system you must describe what you are already doing. That documentation may initially require some work, but in the long run it is to the benefit of the company itself. For example, it is often very valuable when new employees need to be introduced to the processes. Short and concise descriptions should always be the goal.

Often people think that the product or the company is ISO compliant, but that is not really true. What exactly can be ISO certified?

It all depends on the ISO standard in question. ISO 13216 is, for example, a standard for how child seats should be fitted in a car. Therefore, a child seat can be ISO certified. ISO has a series of standards for management systems, including ISO 27001, which sets requirements for information security systems. Here it is the organization’s management system that is certified. I once saw a clog for sale that said it was ISO 9001 certified. But that’s a big mistake. ISO 9001 is a standard for quality management systems. It is likely that the company that produces the clogs uses a certified management system. Their products cannot be ISO 9001 certified, only their system. Maybe there is an ISO standard for clogs, in which case that will be the right standard. When it comes to information security, it makes good sense to look at the company as a whole. Information whizzes in and out of systems and apps. If you only look at a single app or a single system, you only gain knowledge about security in a single short phase of the information’s journey through the company. It may be that security is high right there, but what about before and after?

You must see a lot of companies through your consulting. When are companies most successful with their implementation? What are the things that they do?

Those who get the most out of the implementation are the companies that take ownership in the process. For many companies, certification begins as a requirement for certification from their customers. A good customer may be reason enough to be certified, but it gives much more if you also take ownership of the processes and ensure that it provides value to your own company. The idea behind a management system that follows the ISO standards is that the company must get better and better day by day.

Companies often choose to implement ISO 27001 to differentiate themselves on the market. What exactly does having ISO 27001 certification bring?

As I mentioned before, ISO 27001 is common sense put into a system of interdependent processes. Certification therefore means that an external body confirms that the company works sensibly and purposefully with information security. By becoming certified, you have done in advance a lot of research work that your customers would otherwise have to do themselves.

Traditionally ISO 27001 has targeted physical locations. Do you have any insights into how companies are applying it towards Cloud Software as a Service (SaaS)?

ISO management standards are constantly evolving and coming out in new editions. The standard itself, the ISO 27001 text, is quite broad and general, and covers cloud-based software and companies. ISO 27001 requires that you comply with 114 controls described in Annex A (also published as ISO 27002). Some of the controls focus on physical locations. But there is no requirement to implement all controls, only to consider them. A company that provides SaaS can therefore, in a number of cases and for reasonable and well-considered reasons, choose not to implement a control. In addition, ISO 27002 is on its way in a new and simplified version that takes greater account of cloud-based companies.

What do you see as the role of ISO 27001 certification in antibody drug development and screening?

The certification can show that e.g. PipeBio has not only developed an efficient and very secure piece of software that can analyze large amounts of data, but is also a partner that takes information security seriously in a holistic perspective. It is not only your customers’ biodata that must not flow openly around the systems, but also other customer data that can reveal research or business secrets as well as sensitive personal data.

And maybe as a plug for Process Manager, could you tell us a bit about your services and how you help companies?

In order for a management system to provide added value for a company, it requires two things: 1. a tool that can describe the interdependent processes in a simple and clear way, and 2. that the process description is short and corresponds to the reality in the organization. We have the tool in the form of our cloud-based software, and we have templates for different management standards. We take the two things out to our customers and make a virtue out of getting to know the customer’s everyday life, so that the template can be adapted and provide added value for the customer. I hope PipeBio will experience that added value in the further work with information security.