October 4, 2022 | Charles
Aridhia is delighted to announce that at the beginning of September we received our International Organization for Standardization ISO 27701 (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines) certification.
ISO 27701 is a framework for data privacy that builds on ISO 27001. This latest privacy best practice guides organisations on policies and procedures that should be in place to comply with GDPR and other data protection/privacy regulations and laws.
For Aridhia’s customers, ISO 27701 certification alongside our ISO 27001 and HITRUST certifications provides assurance that the FAIR and Workspaces services in our DRE comply to the highest levels of information security and privacy standards for healthcare and biomedical research.
Aridhia’s customers run both national and international trusted data sharing networks to better understand the impact and the nature of multiple conditions, from Covid-19 through to Alzheimer’s and cancer. They rely on us to assure access to and the use of highly privileged datasets to deliver their research and improve outcomes for patients.
To achieve certification, Aridhia undertook a complete review of all our processes, procedures, and the implementation of the ISO 27001 and HITRUST controls to identify the gaps between ISO 27001/HITRUST and ISO 27701. Working across all areas of the company we spent six months addressing the gaps, developing, and implementing, policies and procedure to address the additional forty-one controls introduced by ISO 27701. BSI independently audited these twice. A stage 1 audit, conducted in Q1 of this year, resulting in three minor corrective actions, and a Stage 2 certification audit in Q2 of this year to confirm that Aridhia met the standard. This resulted in Aridhia completing the certification with no minor non-conformances logged after the auditor conducted interviews with the various development, customer enablement, finance, HR, service desk, OPS, and senior management teams to demonstrate that the implementation of the controls met the standard.
The certificate’s controls cover Aridhia’s responsibilities as a data processor for customers and as a data controller for our internal systems. It introduces guidance for PII controllers such as documenting lawful basis, consent, data subject access requests, rights of erasure, privacy by design and guidance for PII processors such as disposal of PII, sharing, transfer, and disclosure.
Staying Ahead of the Curve
While Aridhia was already an ISO 27001 certified organisation, this level of compliance required a further significant investment in time and resources. We believe however that increased compliance beyond ISO 27001 will increasingly become the norm in our sector, and becoming an early adopter of the ISO 27701 certification puts Aridhia ahead of the curve and into a further level of maturity in this critical domain.
Meanwhile, the cybersecurity bar keeps rising and we are already working towards the next level of certification – UK Government Cyber Essentials Plus certification, which we expect to achieve in Q4 2022. For more information on our certifications, visit our security page.