Feedback on obtaining ISO27001 and HDS certifications

In September 2022 we informed you that Aqua Ray had been certified as compliant with the requirements of the ISO27001 and HDS (Health Data Hosting) security standards. For this article, Aqua Ray's CISO* Loïc Quentin, answered a few questions to go over the steps that were necessary to obtain these certifications.

In September 2022 we informed you that Aqua Ray had been certified as compliant with the requirements of the ISO27001 and HDS (Health Data Hosting) security standards. For this article, Aqua Ray's CISO* Loïc Quentin, answered a few questions to go over the steps that were necessary to obtain these certifications.

*RSSI (Information Systems Security Manager): the expert who guarantees the security of the information system. He/she develops, implements and monitors the application of a company's information security policies.

*RSSI (Information Systems Security Manager): the expert who guarantees the security of the information system. He/she develops, implements and monitors the application of a company's information security policies.

« The objective with these certifications was to be able to guarantee our customers a responsible and secure treatment of their data from a common reference base: the ISO27001 standard. »

« The objective with these certifications was to be able to guarantee our customers a responsible and secure treatment of their data from a common reference base: the ISO27001 standard. »

« It is a list of requirements associated with a standard. The ISO27001 and HDS standards concern the ISMS*. HDS is based on ISO27001 and adds some additional requirements specific to health data. »

« It is a list of requirements associated with a standard. The ISO27001 and HDS standards concern the ISMS*. HDS is based on ISO27001 and adds some additional requirements specific to health data. »

*The ISMS (Information Security Management System) is the set of technical and organizational means implemented to guarantee the availability, integrity and confidentiality of data processed by the company. This includes both security policies and the equipment used, for example.

*The ISMS (Information Security Management System) is the set of technical and organizational means implemented to guarantee the availability, integrity and confidentiality of data processed by the company. This includes both security policies and the equipment used, for example.

The ISO27001 and HDS standards aim to ensure that the measures implemented comply with a spectrum of requirements that are recognized as sufficient worldwide to guarantee that data is handled correctly.

The ISO27001 and HDS standards aim to ensure that the measures implemented comply with a spectrum of requirements that are recognized as sufficient worldwide to guarantee that data is handled correctly.

The HDS standard is available on the ANS website (Digital Health Agency). However, the complete content of the ISO27001 standard is not publicly available (the 2013 version will be replaced by the 2022 version published last october).

The HDS standard is available on the ANS website (Digital Health Agency). However, the complete content of the ISO27001 standard is not publicly available (the 2013 version will be replaced by the 2022 version published last october).

« Once the repositories were identified, we began by taking stock of Aqua Ray :

« Once the repositories were identified, we began by taking stock of Aqua Ray :

This state of the situation is established by conducting an audit with a specialized consultant who advises us on how to implement the various requirements.
Once the assessment is complete, the longest part of the job begins: upgrading the ISMS to meet all the requirements of ISO27001 and HDS. »

This state of the situation is established by conducting an audit with a specialized consultant who advises us on how to implement the various requirements.
Once the assessment is complete, the longest part of the job begins: upgrading the ISMS to meet all the requirements of ISO27001 and HDS. »

« For months, with the help of our consultant, we dealt with all the points of non-conformity identified, formalizing our working methods with clear security policies and implementation procedures. Sometimes it was necessary to change our habits, but on the whole, it was a matter of formalizing good practices already applied.

« For months, with the help of our consultant, we dealt with all the points of non-conformity identified, formalizing our working methods with clear security policies and implementation procedures. Sometimes it was necessary to change our habits, but on the whole, it was a matter of formalizing good practices already applied.

Everything is reviewed: from physical access control policy to equipment disposal procedures, from managing the arrival of new employees to the policy for communicating information to customers.

Everything is reviewed: from physical access control policy to equipment disposal procedures, from managing the arrival of new employees to the policy for communicating information to customers.

The whole life of the company is involved, and all employees are stakeholders in the project. At the same time, we trained Aqua Ray staff in Information Security and I was appointed as the CISO to lead the project. »

The whole life of the company is involved, and all employees are stakeholders in the project. At the same time, we trained Aqua Ray staff in Information Security and I was appointed as the CISO to lead the project. »

« Once we felt ready, we planned another internal audit with our consultant. This one is conducted like a certification audit, meaning the auditor stands outside the ISMS and interviews us in an unbiased manner.
We conducted this audit in early 2022. At the end of the audit, we identified some residual non-conformities that we thought we could address before the summer.
So we contacted AFNOR (the reference organization for ISO27001 and HDS certification) and agreed on a date in the summer of 2022. »

« Once we felt ready, we planned another internal audit with our consultant. This one is conducted like a certification audit, meaning the auditor stands outside the ISMS and interviews us in an unbiased manner.
We conducted this audit in early 2022. At the end of the audit, we identified some residual non-conformities that we thought we could address before the summer.
So we contacted AFNOR (the reference organization for ISO27001 and HDS certification) and agreed on a date in the summer of 2022. »

« The final audit was divided into 2 parts:

« The final audit was divided into 2 parts:

Despite some minor non-conformities to be corrected before the renewal audit. The auditor noted several strong points, which supported the certification decision of the AFNOR committee :

Despite some minor non-conformities to be corrected before the renewal audit. The auditor noted several strong points, which supported the certification decision of the AFNOR committee :

The certification granted is valid for 1 year and each renewal is carried out during a partial audit. After 3 years, a new audit is performed to follow the evolution of the ISMS over time. »

The certification granted is valid for 1 year and each renewal is carried out during a partial audit. After 3 years, a new audit is performed to follow the evolution of the ISMS over time. »

After months of work, we have obtained the two certifications we were aiming for. The work accomplished allows us to improve our organization day by day, to be able to offer new products like our Secure Private Cloud and to optimize our customer service:

After months of work, we have obtained the two certifications we were aiming for. The work accomplished allows us to improve our organization day by day, to be able to offer new products like our Secure Private Cloud and to optimize our customer service:

« If you are starting a certification project, here are some things to keep in mind:

« If you are starting a certification project, here are some things to keep in mind:

Any question ? A doubt ? A particular request ? Do not hesitate to contact us by clicking on this button below, we will answer you as quickly as possible.

Any question ? A doubt ? A particular request ? Do not hesitate to contact us by clicking on this button below, we will answer you as quickly as possible.