How ISO 27001 certification ensures data integrity
Prioritizing the protection of valuable information keeps patients and customers safe
In the past 10 years, medical and healthcare organizations in the US have consistently ranked among the top 5 industries affected by data breaches, according to data collected by Statista. Such breaches can lead not only to financial and reputational consequences but can also jeopardize product quality and patient safety. Because the information involved is sensitive (e.g., patient data, intellectual property), industry compliance standards have been developed to increase the security of this data.
Data integrity issues do not only originate from outside the organization. Employees handle sensitive data in their daily work, and bias, failure to consider all data, false assumptions or insufficient awareness can lead to data integrity issues as well. Even when they happen accidentally, they put the health and safety of patients, consumers and users at risk. It is therefore crucial to put adequate controls in place to protect the organization’s assets from threats and to prevent vulnerabilities.
Data security is one dimension of ensuring data integrity and protection. An information security management system can be a tool to keep multiple aspects in focus, with the overarching goal of staying compliant and assuring patient safety.
Data Integrity throughout the data lifecycle
Regulatory authorities have been focusing on data integrity for several years now. Data integrity describes the characteristics needed to build and preserve confidence in the reliability of data throughout its entire lifecycle, which spans creation, processing, usage, transfer and storage up to destruction of the data. At no point in this lifecycle should data be altered in an unauthorized manner.
The principles around data integrity are summarized in the ALCOA concept, which describes the basic qualities as attributable, legible, contemporaneous, original, and accurate. The concept has been extended to the characteristics complete, consistent, enduring, and available (ALCOA+).
The U.S. FDA (Food and Drug Administration) and the EMA (European Medicines Agency) have also cited data integrity in their guidance documents, making it part of their requirements:
FDA: “[…] data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).”
EMA: “Data Integrity: […] There should be assurance that product lifecycle data relating to GMP (Good Manufacturing Practice) activities, including relevant Marketing Authorization variations, are reliable, complete, and accurate. The Marketing Authorization Holder should also ensure the long-term security and archiving of the data upon which the Marketing Authorization relies.”
What concepts and processes are promoted by ISO 27001 and ISO 27002
Two international bodies developed principles to keep information assets secure: the International Organization for Standardization (ISO), together with the International Electrotechnical Commission (IEC), published the ISO/IEC 27001 standard, which is derived from the BS 7799 standard published by the British Standards Institution Group.
ISO/IEC 27001 was originally published as an international standard in 2005. Revisions were made in 2013 and, most recently, in 2022.
The main purpose of the standard is to provide requirements for an information security management system. It enables organizations of any kind to manage the security of assets such as intellectual property, patient data, product information or information entrusted to them by third parties, e.g., CROs (contract research organizations).
- ISO 27001
ISO 27001 contains the requirements for setting up an information security management system (ISMS), consisting of policies and procedures that help safeguard data through a range of security controls. The standard is structured as follows:
- Clauses 0-3: Introductory sections covering the introduction, scope, normative references, and terms and definitions.
- Clauses 4-10: Mandatory requirements for compliance with the ISO 27001 standard.
Whereas ISO 27001 provides only a brief description of each control, ISO 27002 provides detailed guidance. However, certification is possible only against ISO 27001; ISO 27002 is a supporting standard containing guidance, not requirements.
- ISO 27002
ISO 27002 describes detailed best practices for designing the organization’s information security management system. Their goal is to preserve confidentiality, maintain data integrity and ensure that data is available to authorized users. ISO 27002 can be structured into three layers:
- First layer: the organization’s physical environment, e.g., data storage, access infrastructure
- Second layer: human resource security, e.g., training of employees
- Third layer: control practices, e.g., network design, access, user practices regarding data
Implementing an information security management system according to the ISO standard requires management involvement, training and awareness of employees, and appropriate documentation. Furthermore, security and policy objectives need to be defined, which entails risk assessments, risk treatment plans, and regular review and monitoring activities to maintain and improve the system. The standard provides different control areas that improve the security of the information and data handled in the organization, e.g., cryptography, compliance, asset management, supplier relationships and many more.
How does ISO 27001 ensure Data Integrity?
Implementing an information security management system compliant with the ISO standard means that a comprehensive security policy is developed within the organization. This policy covers hardware, software, human behavior, and the procedures that prevent data loss and strengthen data integrity.
Through the controls described in ISO 27001, three main characteristics of data and information are protected:
- Data confidentiality
- Data integrity
- Data availability
The principle of data availability, meaning that data must be accessible to authorized persons whenever it is needed over the life of the data, is also referred to within the ALCOA+ concept. Confidentiality means that access to the data is limited to authorized persons with the appropriate rights. By implementing an information security management system, organizations demonstrate reliability and awareness regarding the integrity of their sensitive data. Because ISO 27001 compiles a range of security controls, information is protected in an environment that mitigates the risks arising from threats and vulnerabilities and from potential attacks.
Conclusion: Four good reasons to implement ISO 27001 in your Life Science Organization
- ISO 27001 certification is an independent assurance of the internal controls within the organization. It demonstrates that information security is taken seriously and reinforces values such as trust and reliability towards customers, business partners and regulatory authorities.
- ISO 27001 certification verifies information security processes, procedures, and documentation. It covers both paper-based and electronic information.
- ISO 27001 certification strengthens the protection of assets and information, for example patient and product data, from harm (e.g., cybercriminal attacks) by following the provided guidelines and best practices.
- The ISO 27001 standard contributes to improving an organization’s quality processes regarding data protection and security. By adopting ISO 27001 and following its requirements, organizations gain expertise and are better positioned in terms of information security.
If you are interested and want to find out more, please contact us.