2. The ISO 27001 standard incorporates 114 controls. How do you prepare for a transition to make your management system compliant to such a high standard? 

First thing we decided to do was to send our staff for external training to ensure we could consider ourselves as qualified to do it in the first place. Since we were already certified against ISO13485, a significant amount of the general management requirements was already fulfilled – which gave us a head start. 

Next item our list was a risk assessment versus the 114 individual controls. Once again, we could rely on our familiarity with risk assessments, which is common practice in our industry. This exercise generated over 200 risks, which were collected in risk treatment plan, addressing the most critical ones first. Once we had our risk treatment plan, we could allocate the task to the individual responsible and work down the list. Throughout this exercise, training is being provided to the entire staff, so everyone is aware of their responsibilities and capable to perform them.

Now we are finalizing the actions in our plan, but every year we will be reviewing our risk assessment to see if we can further improve our situation or if we need to protect ourselves against new upcoming threats. The same as with any standard, it is a continuous effort.

3. Qarad already had an ISO13485:2016 certificate . What is the difference between both?

One is a Quality Management System (ISO13485), while the other is an Information Security Management System (ISO27001). So both are management systems, which is visible in the overlap when talking about the management control on the company overall, but the specific points of interest are quite different: QMS vs ISMS. Regardless, we have seen that they complement each other quite nicely and strengthen the other.

4. What were the main challenges?

The biggest challenge for us was to bring the right people to the table for the right subjects. One must consider that you need expertise on various topics:

  • Regulatory compliance
  • Technical skills
  • Management/organization knowledge
  • ...

For most of the 114 controls, you need to be able to combine the input from these parties in a single vision, which was a daunting task.

5. How long did it take to comply to the ISO27001 standard?

For our team, it took us about a year to get ready for the standard – Considering that all of us had a dedicated function in other services of the company which could not be neglected. As such, availability of the individual fluctuated throughout the project. Maybe we could have shortened the timeframe, but it also helped us digest the implementation better.

6. What are the advantages of implementing ISO27001?

The advantages tie in very closely to the reasons why we have decided to go for certification in the first place. We now have a tight control on our information, which can be customer, supplier, company or consumer related. This control covers all aspects of the golden triangle Confidentiality – Availability – Integrity.

Furthermore, it also helps us to demonstrate compliance to other legislations on topics like protection of personal data and transfer thereof. The same goes for requirements imposed on us by our customers. Naturally, from a marketing perspective, we’ll not be shy of putting the certification to use as well.

Particularly to Qarad: as we are a rapidly growing company, it also gave us more control on our activities which helps to cultivate those further. We also expect that this will allow us to spend our time more efficiently and reduce the time spent on overhead or incidents.

7. Are IT security and information security one and the same thing?

Not really, IT security covers what I like to call “the technical stuff” like firewalls, backups, anti virus, etc. Information security takes it a step further and considers security threats from other origins like the organisation itself. Examples of this include definition of security roles and responsibilities, operating procedures, training and awareness, legal relations with employees and suppliers, physical security, etc.

You need proper IT Services to have an effective ISMS, but most risks cannot be controlled by technical measures alone. That is where the 114 controls come into play again. I said it before about the QMS and ISMS and the same applies over here: one strengthens the other.


ISO Certified
ISO 13485 and ISO 27001


Website by Contents by Qarad Terms and conditions  Privacy policy  Cookie policy 


This website uses cookies to enhance your surfing experience.
Certain webfunctions rely on the usage of these cookies.
If you want more information regarding our cookie policy, you may visit this link.