Ensuring security: ISO 27001 for medical software development
When developing medical device software, you’ll handle patient data, including sensitive health information. Implementing ISO 27001 enables you to build a documented and audited information security management system that supports protection of this data and reduces the risk of breaches.
TL;DR: ISO 27001 for medical software development in a nutshell
This guide explains ISO 27001 for medical software development, focusing on how medical software companies can protect patient data and manage information security risks.
ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection is an international standard providing requirements for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS).
You can divide the process of creating, implementing, maintaining, and improving your ISMS into 7 steps. Also, to ensure you account for every potential risk, ISO 27001 proposes 93 information security controls.
What is ISO 27001?
ISO 27001 is an international standard which provides requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
Compliance with ISO 27001 demonstrates that an organisation has implemented a system to manage risks related to information security, adhering to the internationally recognised best practices.
The advantage of this standard is that its requirements are generic. As of 2025, ISO 27001 can be applied to any organisation, no matter the type, size, or industry. This means it can also be adopted when developing medical device software as a strategic decision for the entire company.
In this article, we primarily focus on companies related to medical software development.
What are the three principles of ISO 27001?
The three principles which form the foundation of ISO 27001 are known as the CIA (Confidentiality, Integrity, Availability) triad.
Confidentiality – only the right people can access the organisation's information.
Information integrity – data that the organisation uses to pursue its business or keeps safe for others is reliably stored.
Availability of data – the organisation and its clients can access the information whenever necessary to satisfy business purposes and customer expectations (source: ISO).
The core principles supporting ISO 27001 are important in helping companies establish and implement processes which can manage development and the overall lifecycle of medical device software.

Together, these three principles ensure that information is protected holistically – shielded from unauthorised access, kept accurate and trustworthy, and available whenever needed. When going through the ISO 27001, you will see those three principles manifest themselves at every turn.
What is the goal of an organisation implementing ISO 27001?
The goal of ISO 27001 is to protect sensitive information (including patient data, employee data, and other organisational assets) by identifying and managing security risks across the organisation.
How to achieve the goal of ISO 27001?
A company should look at both what is happening inside and outside of the organisation (internal and external issues) that could affect information security.
Internal issues might include staff skills, processes, or technology.
External issues could be regulations, market changes, or cyber threats.
DEFINITION
Information Security Management System (ISMS) is a structured framework of policies, processes, and controls designed to protect an organisation's information. This system preserves the confidentiality, integrity, and availability of information by applying a risk management process.
Now that we understand what the company aims to do, let’s see how ISO 27001 proposes we think about the process of developing and implementing an ISMS.
ISO 27001 for medical software development – step by step guide
Let’s break down the main clauses of the ISO 27001. We will provide a step-by-step guide to developing medical device software with information security in mind.
1. Define the scope and organisational context
Start by defining the ISMS's "boundaries and applicability" to establish its scope. In simple words, determine which parts of your organisation the ISMS will cover, e.g., test environments, cloud infrastructure, or the onboarding of new employees.
When going through that part, you need to:
consider external and internal issues to your company's information security (Clause 4.1),
identify interested parties, e.g., clients, service providers (Clause 4.2),
determine the scope of the information security management system, including interfaces and dependencies between the activities performed by the organisation and those conducted by other organisations (Clause 4.3),
establish, implement, maintain and continually improve an ISMS (Clause 4.4).
The result of this stage? A document covering the scope, context, stakeholders, factors, and other information necessary to establish the ISMS.
2. Ensure leadership commitment
Active leadership in setting and following the ISMS's direction is crucial when introducing information security into medical device software development. ISO 27001 underscores the importance of the company’s leadership in ensuring that every element of the ISMS aligns with the organisation's other policies.
Leadership under ISO 27001 goes beyond formally approving an Information Security Policy. Top management is responsible for setting the direction for information security, ensuring it aligns with the organisation’s other policies, aims, and culture.
This includes:
overseeing the ISMS,
assigning roles and responsibilities,
allocating resources to support internal operations.
3. Plan the ISMS
When planning for the ISMS, you will have to plan the information security risk assessment, information security risk treatment, and information security objectives.
3.1. Apply information security risk assessment
When developing medical device software, conducting a risk assessment is a necessity. It’s required by ISO 27001 for information security.
ISO 27001 demands that you define and apply an information security risk assessment process that:
establishes and maintains information security risk criteria,
ensures that repeated information security risk assessments produce consistent, valid and comparable results,
identifies the information security risks (including risk owners),
analyses the information security risks (including the likelihood of the occurrence and levels of risk),
evaluates the information security risks (source: ISO 27001).
TAKE NOTICE
Learn more about risk management from our article on ISO 14971.
3.2. Conduct risk treatment
Once you finish a risk assessment, you can either accept the risk or treat the risk.
The risk treatment process includes:
selecting appropriate information security risk treatment options,
determining all controls that are necessary to implement the information security risk treatment option chosen,
comparing the determined controls with Annex A to verify that no necessary controls have been omitted (we will get to the topic of controls and Annex A later on),
producing a Statement of Applicability,
formulating an information security risk treatment plan,
obtaining risk owners’ approval of the information security risk treatment plan and acceptance of the residual information security risks.
That information might seem generic. That’s why we recommend you get to know ISO 27005, which offers guidance on developing risk assessment techniques suitable for your organisation.
What is the Statement of Applicability in ISO 27001?
The Statement of Applicability contains the necessary controls, the justification for their inclusion, whether the required controls are implemented or not, and the justification for excluding any of the Annex A controls.
During the certification process, an auditor will expect you to present this document. How you present the necessary information is up to you: it can be a complex document or a simple table.
We’ll get back to the security controls suggested by ISO 27001 later.
3.3. Establish information security objectives
You should define clear information security objectives. They must align with the information security policy and be based on risk assessment results. Where possible, objectives should be measurable. They also need to be documented, communicated, monitored, and updated (Clause 6.2).
When planning how to achieve information security objectives, you shall determine: what will be done, what resources will be required, who will be responsible, when it will be completed, and how the results will be evaluated.
What’s more, any changes to ISMS should be planned to ensure that information security remains effective as the organisation evolves (Clause 6.3).
4. Choose the right resources
To effectively maintain your ISMS, you need to establish:
Resources
Determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the ISMS (Clause 7.1).
Competence
Ensure that all your employees have the necessary skills and training to support the maintenance of the ISMS (Clause 7.2).
Awareness
Build awareness among employees so they understand the information security policy, their role in the ISMS, and the potential consequences of noncompliance (Clause 7.3).
Communication
Establish clear internal and external communication activities relevant to the ISMS. They can include: on what, when, with whom, and how to communicate (Clause 7.4).
Documented information
You should document all the data regarding information security in an accurate, understandable way. It includes policies, procedures, records, and data (Clause 7.5).
5. Operate the ISMS
The next step is to perform the required tasks (Clauses 8.1-8.3). It’s where planning turns into action.
At this stage, you focus on implementing the security measures and controls identified earlier, including applying the risk treatment plans.
6. Evaluate ISMS performance
ISO 27001 requires ongoing performance evaluations and monitoring the effectiveness of the ISMS controls.
You can do it through:
regular internal audits which aim to assess if the ISMS conforms to the set requirements and is effectively implemented (Clause 9.2.2),
systematic management review to ensure that the ISMS is aligned with the organisation’s strategy (Clause 9.3).
Bear in mind that results should be documented as evidence.
7. Improve the ISMS
You should know that work on an ISMS never ends. Maintaining information security requires continuous improvement to ensure your ISMS remains effective as new internal and external issues arise.
Also, in Clause 10 of ISO 27001, you will find guidance on what to do if a nonconformity occurs after the implementation of an ISMS. There are several corrective actions you can undertake in such a scenario.
How many controls are there in ISO 27001?
There are 93 information security controls grouped into four categories listed in Annex A, ISO 27001. Together, they form a set of defined security controls for managing risks – from governance to technical safeguards. What’s crucial is that those controls are pretty flexible, allowing companies to tailor them to their specific needs, such as size or risk profile.
TAKE NOTICE
Security controls are listed in Annex A of ISO 27001:2022. If you need more insight on them, check out ISO 27002:2022. This standard goes in depth into each control.
What are the four security controls groups in ISO 27001?
Information security controls listed in Annex A, ISO 27001 are divided into four categories, which are:
organisational controls – the overall structure, policies, and mode of work of the organisation,
people controls – people who have access to the organisation’s information,
physical controls – physical assets of the organisation, such as buildings,
technological controls – organisation’s information systems and networks.

What are the organisational controls in ISO 27001?
Organisational controls in ISO 27001 are high-level measures that define how an organisation manages information security at a strategic level. This part is about establishing the structures, policies, responsibilities, and mechanisms to ensure security in every organisation’s operations.
You will find suggestions for establishing roles and responsibilities, planning a security strategy, and communicating and overseeing security.
There are 37 specific organisational controls, so we won’t list them all, but to give you some context, among them you will find:
contact with relevant authorities,
return of the organisation’s assets by the personnel in case of termination of their employment,
establishing and implementing rules for physical and logical access to information and other associated assets, in accordance with business and information security requirements.
You can find more information in Table A.1 in Annex A of ISO 27001.
EXAMPLE OF THE ORGANISATIONAL CONTROLS
For a company developing a medical device, organisational controls may include defining who is responsible for approving access to sensitive patient data used during software validation or establishing procedures for reporting security incidents affecting the device’s cloud backend.
What are the people controls in ISO 27001?
People-related controls are measures that ensure personnel understand, support, and actively contribute to information security within an organisation. Those controls focus on shaping employee awareness and behaviour to make security a shared responsibility.
There are 8 people controls. Among them you can find:
formalised and communicated disciplinary process in case of information security policy violation,
security measures implemented when personnel are working remotely,
building information security awareness through ongoing training and education.
You can find more information in Table A.1 in Annex A of ISO 27001.
EXAMPLE OF THE PEOPLE CONTROLS
For a company developing a medical device, people-related controls may include integrating security checks into the recruitment process for engineers working with sensitive health data, providing regular cybersecurity awareness training for developers, and ensuring that all team members understand procedures for handling potential data breaches during clinical validation.
Why are people controls important?
The share of data breaches involving people has been growing in recent years. According to IBM’s 2023 Cost of a Data Breach Report, as many as 60% of all breaches involve the human element. By educating employees through regular communication, people-related controls help create a secure culture. This reduces human-related risks and ensures that staff consistently recognise threats and follow established protocols.
What are the physical controls in ISO 27001?
Physical controls primarily address the security of facilities and other areas where information systems are located, such as rooms and buildings. These controls aim to prevent unauthorised access or physical damage to the assets supporting information security.
They also play a key role in ensuring that employees can perform their work in a secure, well-organised, and controlled environment. By managing how spaces in an organisation are accessed and monitored, physical controls minimise the risks of theft or accidental exposure of sensitive information.
There are 14 physical controls, which include:
physical entry to secure areas should be protected,
protecting power or data cabling from interception or damage,
securing and protecting equipment.
You can find more information in Table A.1 in Annex A of ISO 27001.
EXAMPLE OF THE PHYSICAL CONTROLS
In a medical device company, physical controls typically include restricting access to server rooms where sensitive patient data or prototype devices are stored. The company might also implement secure storage for backup drives.
What are the technological controls in ISO 27001?
Technological controls are measures that focus on the security of the software, hardware, and systems used to process, store, and transmit information. They aim to protect data, prevent loss, and maintain the confidentiality of information.
Implementing technological controls involves identifying and managing technical vulnerabilities within systems to minimise the risk of exploitation. Those controls also ensure that stored information is resilient against unauthorised access.
There are 34 technological controls. Some of them are:
maintaining secure authentication,
stored information should be deleted when it is no longer needed,
applying measures to prevent data leakage.
You can find more information in Table A.1 in Annex A of ISO 27001.
EXAMPLE OF THE TECHNOLOGICAL CONTROLS
For a company developing a medical device, technological controls typically include encrypting patient data, implementing firewalls, and using secure authentication methods for accessing software that controls the device.
How to achieve ISO 27001 certification?
You need to implement an ISMS compliant with ISO 27001 and undergo the audit with a certification body.
Certification body
An independent organisation that conducts audits and issues certificates confirming that a company, system, or process complies with the requirements of a specific standard.
Once you find a certification body to conduct this process, it will carry out a two-stage audit:
Documentation review – including ISMS scope, policies, risk assessment, and Statement of Applicability.
Operational audit – verification of implemented controls, risk treatment, procedures, and adherence to policies.
During that process, the certification body might find minor or major non-conformities that you’ll have to address before receiving a certificate. After that, you receive your certificate confirming that you comply with ISO 27001.
Bear in mind that you must undergo a recertification process every 3 years, with an audit conducted each year. During these regular audits, a certification body will assess whether your ISMS still meets the requirements of ISO 27001.
Why are the ISO 27001 benefits for medical device software important?
There are many benefits of ISO 27001 for medical software development. Most importantly, ISO 27001 manages information security risks. Following its requirements also demonstrates regulatory compliance and builds trust with healthcare providers.
So, let’s get into the most important reasons to follow ISO 27001 when developing medical device software.
Implementing an ISO 27001 integrated management system (IMS) or information security management system (ISMS) can support development of software and provide consistent operating parameters across an organisation. Additionally, medical device regulators now require cybersecurity risk assessment for any product that communicates with other devices through the internet or via other channels such as Bluetooth. An IMS or ISMS built upon the principles of ISO 27001 embeds the processes to manage these risks and appropriate defences and responses into the organisation and the development of SaMD products.
Protecting sensitive patient and clinical data
ISO 27001 establishes measures to protect sensitive health information, such as patient records and clinical trial data. By implementing the controls provided by the standard, you can prevent unauthorised access and accidental exposure. This way, you ensure that critical information remains safe throughout the lifecycle of the medical device software.
Building trust with healthcare providers and patients
ISO 27001 certification demonstrates compliance with an international information security standard. If you want healthcare practitioners and patients to use your product, you have to make sure you handle their data responsibly. So, if you want to improve credibility with healthcare stakeholders, make sure you follow ISO 27001 requirements.
Ensuring regulatory compliance
Compliance with ISO 27001 helps organisations meet legal requirements, including GDPR and other healthcare regulations. One of them is MDR (Medical Device Regulation), which requires quality and safety management for medical devices. Thus, meeting ISO 27001 requirements supports MDR cybersecurity requirements.
Reducing risks of cyberattack
If you take the time to prepare an information security management system, you will be able to identify potential vulnerabilities and mitigate risks before something goes wrong. Following ISO 27001 requirements reduces the likelihood of data breaches, system failures, or human errors that can disrupt medical device use.

How do we do it at Revolve Healthcare?
At Revolve Healthcare, a medical software development company, we apply ISO 27001 across our full medical software lifecycle to protect client and patient data. This way we ensure that our clients receive secure, compliant, and reliable software.
We’re currently implementing our Information Security Management System. It covers every aspect of our organisation’s operations – from regulatory consulting, through design activities, to medical software development. We made sure it addresses all areas through which customer data may flow.
What does this mean for our clients? It ensures that:
data and systems entrusted to us (including code and documentation repositories, test data) are protected against unauthorised access,
every potential vulnerability is assessed and managed,
we are fully prepared to respond to incidents such as data leaks to maintain business continuity.
How do you start with ISO 27001 for medical software development?
By following ISO 27001 software development guidelines, organisations can ensure that every stage – from requirements to deployment – is aligned with strong information security principles.
But creating an ISMS isn’t something that can be done in a single day. We recommend approaching this process with patience and persistence. A good first step would be forming a dedicated working group to review the ISO 27001 recommendations and perform gap analysis in your organisation.
Which ISO standards support ISO 27001?
When developing your ISMS, take notice of different standards which might be helpful:
ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems – Requirements: the core standard for establishing and implementing an ISMS,
ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls: detailed information on security controls that organisations can implement to mitigate information security risks,
ISO/IEC 27003:2017 Information technology – Security techniques – Information security management systems – Guidance: guidance on ISMS implementation, helping organisations plan and execute ISMS effectively,
ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection – Guidance on managing information security risks: specifically focused on information security risk management, offering methodologies for identifying, assessing, and treating risks.
What else to include?
We also encourage you to consider whether external companies involved in the development of medical device software have an ISMS in place. Doing so provides greater assurance that both your company’s and your customers’ data remain secure.
Key takeaways
ISO/IEC 27001:2022 is the international standard for establishing and maintaining ISMS,
in medical software projects, ISO 27001 helps identify, assess, and manage information security risks across the full software lifecycle,
the standard is based on the CIA triad: confidentiality (preventing unauthorised access), integrity (ensuring data accuracy), and availability (ensuring data is accessible when needed),
ISO 27001 implementation follows a structured, risk-based approach, including defining ISMS scope, leadership involvement, risk assessment and treatment, control selection, performance evaluation, and continuous improvement.
FAQ
Can we help you develop medical device software?
We will gladly assist you through the medical software development compliant with ISO 27001.