Do you need an ISO 27001 in Digital Health?


There have always been many doubts and misunderstandings about ISO certifications. In recent years we have often been asked questions about ISO 27001 like:

Do I really need it? When is it necessary? Does it count as a GDPR certificate?

The answer, as with many things in business, is not straightforward. It depends on your company's specific needs, goals, and the type of business you operate.

In this blog post, we’ll explore whether this certification is a must-have for your digital health business or whether your resources are better spent elsewhere.

Understanding ISO 27001: What’s it all about? 🛡️

What is ISO 27001? 📜

ISO 27001 is an international standard focused on information security management. It sets out the criteria for creating, implementing, and maintaining an Information Security Management System (ISMS). In simpler terms, it’s a structured approach to managing sensitive company information so that it remains secure. This includes everything from handling employee data to protecting customer information.

Why is ISO 27001 important in digital health? 🏥

In digital health, safeguarding patient data is more than just good practice—it's a real necessity. Patient information is sensitive and highly regulated, making data breaches a significant concern (Did you hear about the recent SynLab case? Over 1.5T of lab analysis data stolen 😱​).

The ISO 27001 certificate helps organisations manage these risks by providing a framework for securing data. However, the importance of this certification can vary greatly depending on your business model.


B2B companies: Big benefits, but not a magic bullet 🎯

Why B2B companies should consider ISO 27001 🏢

If your company provides software as a service (SaaS) to hospitals or other healthcare providers, ISO 27001 can be a valuable asset. For B2B companies, this certification can significantly streamline the due diligence process. Hospitals often require their vendors to demonstrate high data security, and having ISO 27001 can quickly tick that box ✅.

It reassures clients that you take data protection seriously and have implemented robust security measures.

The limits of ISO 27001 for B2B companies ⚠️

However, it’s important to note that ISO 27001 won’t eliminate all the hoops you need to jump through. Data Protection Officers (DPOs) at hospitals will still have GDPR-related questions that aren’t directly addressed by ISO 27001. These questions often focus on where the data is stored, how it's processed, and whether the legal bases for processing are sound. In many cases, these concerns are handled by separate departments within a hospital. So, while ISO 27001 is helpful, it’s not a cure-all for regulatory compliance in the B2B space.


DTx Companies: A Necessary Step for Success 🚀

The role of ISO 27001 in DTx companies 📈

For Digital Therapeutics (DTx) companies, especially those involved in Germany’s DiGA scheme, ISO 27001 isn’t just a nice-to-have—it’s essential. To get your product listed as a DiGA, you must meet a variety of regulatory requirements, and ISO 27001 is often one of them. While this certification may not directly influence your sales, it is a gatekeeper for market entry. Without it, you might find it impossible to get your product approved and listed in the first place.

That said, ISO 27001 won’t necessarily help you sell more units. Its primary value in the DTx space is as a compliance tool. It ensures that your company is adhering to the necessary security standards, but it won’t make your product more attractive to end-users. This certification is more about meeting regulatory requirements than boosting your bottom line.

If you have a DTx, make sure to read our full guide on reimbursement schemes in the EU, UK and the US!


B2C Companies: Minimal benefits for maximum effort? 🤷

Why B2C companies might skip ISO 27001 🚫

If you’re operating a B2C company, such as a healthcare provider or an app offering self-paid services, the benefits of ISO 27001 are less clear-cut. While it can help you manage and mitigate risks within your company, it doesn’t address the legal risks you’ll actually face. For instance, GDPR compliance is crucial in the B2C sector. Questions like where your data is stored, what contracts you have with providers, and the legal basis for your data processing operations are all central to GDPR compliance—but they’re not necessarily covered by ISO 27001.

Will ISO 27001 open more doors for B2C companies? 🚪

In most cases, the answer is no. Unless your business is aiming to participate in public tenders or secure B2B opportunities, ISO 27001 is unlikely to open significant new doors for you. There’s no legal requirement to be ISO 27001 compliant, but you are legally obligated to comply with GDPR. If your main concern is adhering to the law and protecting your customers’ data, focusing on GDPR compliance might be a better use of your resources.

Making the right decision: when to get ISO 27001 🕒

So, should you get an ISO 27001 certificate? The answer is probably yes—eventually. For some companies, especially those in the B2B or DTx sectors, it’s a valuable investment that can pay off in terms of compliance and client trust. However, if you’re a B2C company or just starting out, it might make sense to save your money and focus on other priorities first.

When we work with companies, we strive to develop a data privacy and protection plan that makes sense for their specific roadmap and resources. It’s frustrating to see businesses spend thousands of euros on an ISO 27001 certificate that no one actually requested, especially when they still have gaps in their GDPR compliance. By making a strategic decision about when to pursue ISO 27001 certification, you can ensure that you’re investing your resources wisely.

Need help figuring it out? We’re here to help! 🙋

Chino.io is a one-stop shop for covering all privacy and security compliance aspects.

As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.

Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.

To learn more, book a call with our experts.
