In September 2022 we informed you that Aqua Ray had been certified as compliant with the requirements of the ISO27001 and HDS (Health Data Hosting) security standards. For this article, Aqua Ray's CISO* Loïc Quentin answered a few questions to go over the steps that were necessary to obtain these certifications.
*CISO (Chief Information Security Officer; RSSI in French, Information Systems Security Manager): the expert who guarantees the security of the information system. They develop, implement and monitor the application of a company's information security policies.
Step 1: Identification of repositories
Why did you embark on this certification process?
« The objective with these certifications was to be able to guarantee our customers a responsible and secure treatment of their data from a common reference base: the ISO27001 standard. »
What is a repository?
« It is a list of requirements associated with a standard. The ISO27001 and HDS standards concern the ISMS*. HDS is based on ISO27001 and adds some additional requirements specific to health data. »
*The ISMS (Information Security Management System) is the set of technical and organizational means implemented to guarantee the availability, integrity and confidentiality of data processed by the company. This includes both security policies and the equipment used, for example.
The ISO27001 and HDS standards aim to ensure that the measures implemented cover a set of requirements that is recognized worldwide as sufficient to guarantee that data is handled correctly.
The HDS standard is available on the website of the ANS (the French Digital Health Agency). The complete content of the ISO27001 standard, however, is not publicly available (the 2013 version is being replaced by the 2022 version, published last October).
Step 2: Status of the situation
How was Aqua Ray's ISMS assessed against these standards?
« Once the repositories were identified, we began by taking stock of Aqua Ray:
This state of the situation is established by conducting an audit with a specialized consultant, who advises us on how to implement the various requirements.
Once the assessment is complete, the longest part of the job begins: upgrading the ISMS to meet all the requirements of ISO27001 and HDS. »
Step 3: Compliance
How did the ISMS comply with these standards?
« For months, with the help of our consultant, we dealt with all the points of non-conformity identified, formalizing our working methods with clear security policies and implementation procedures. Sometimes it was necessary to change our habits, but on the whole it was a matter of formalizing good practices already applied.
Everything is reviewed: from the physical access control policy to equipment disposal procedures, from managing the arrival of new employees to the policy for communicating information to customers.
The whole life of the company is involved, and all employees are stakeholders in the project. At the same time, we trained Aqua Ray staff in information security, and I was appointed CISO to lead the project. »
Step 4: Internal Audit
When was the certification audit scheduled?
« Once we felt ready, we planned another internal audit with our consultant. This one is conducted like a certification audit, meaning the auditor stands outside the ISMS and interviews us in an unbiased manner.
We conducted this audit in early 2022. At the end of the audit, we identified some residual non-conformities that we thought we could address before the summer.
So we contacted AFNOR (the reference organization for ISO27001 and HDS certification) and agreed on a date in the summer of 2022. »
Step 5: Final audit
How did the final audit go? Was the compliance beneficial?
« The final audit was divided into 2 parts:
- In May 2022: an auditor performs a review of a few key documents to assess our maturity and that of our ISMS with regard to our certification application.
- In July 2022: the auditor conducts a full audit of our ISMS, premises, facilities and personnel to verify that all requirements are met.
Despite some minor non-conformities to be corrected before the renewal audit, the auditor noted several strong points, which supported the certification decision of the AFNOR committee:
- A strong commitment from Aqua Ray management has been noted: the entire management team is involved in the certification and compliance process. This project is not just mine, but the entire company's.
- Information security policies are stored and managed via an internal documentation tool. The list of policies is complete and well structured in its follow-up (validation, approval, classification, last modification, ...). All these policies are accessible to all employees. Each policy update is communicated internally to the people concerned [...]: our document base is accessible to all employees, so everyone can participate in its improvement.
- Physical and environmental security very satisfactory: our Tier IV certified data center has good physical security guarantees.
- Very good level of infrastructure resilience/redundancy: we have several network loops, as well as possible access via an independent network, as presented in our articles on Starlink.
The certification granted is valid for 1 year, and each renewal is carried out during a partial audit. After 3 years, a new audit is performed to follow the evolution of the ISMS over time. »