
The importance of ISO27001 in Occupational Health Software

Apr 29


ISO27001 is an international standard demonstrating a business' commitment to a robust information security management system. Given the sensitive and critical nature of occupational health data, it should be a must-have for any platform that you trust with such an important data asset.


At Orchid Live, almost every procurement process we take part in requires us to have the ISO27001 accreditation, and increasingly, we’re also seeing occupational health providers being asked to evidence that their IT system is ISO27001 accredited when they tender for new client projects. As such, any occupational health provider using software that isn't ISO27001 accredited is putting themselves on the back foot when trying to win new work.


When considering which occupational health software platform to go with, ISO27001 should therefore be a key consideration to ensure that both your internal IT/data protection stakeholders and prospective clients are happy with how you're protecting their data. It will also allow you to meet a number of the security requirements that form part of SEQOHS.


So what are some of the protections that come with ISO27001?


ISO27001 is a wide-ranging accreditation - too broad to cover in a simple blog post! But here's a sample of some of the processes / policies we have to maintain:


  • Robust organisational controls to make sure that staff are referenced and have clear criminal background checks

  • A strict access policy that means that sensitive information is restricted to staff on a need to know basis

  • External penetration testing to ensure that any cyber vulnerabilities are spotted early and remediated

  • Disaster recovery and business continuity planning to ensure that clients can quickly regain access to their data in the event of an IT failure

  • Change management and extensive testing processes to minimise the risk of degraded system performance following system upgrades

  • Comprehensive training program for staff on cyber and data security

  • Implementing an organisation-wide anti-malware and anti-virus strategy

  • Rules governing which software and applications staff can use

  • Detailed processes governing how security incidents are managed and reported


ISO27001 compliance is managed through frequent senior management reviews, regular internal audits, and annual external audits from UKAS accredited assessors. Here at Orchid Live it's also a core part of our culture, ensuring that information security is integral to everything we do, not just a tick-box exercise or an afterthought.
