SHM pursuing ISO 9001 and ISO 27001 certification

Since 2002, Stichting HIV Monitoring (SHM) has been collecting pseudonymised data on people living with HIV and in care in one of the 26 appointed HIV treatment centres in the Netherlands. When it comes to the collection, processing, storage and use of these data, privacy and data security are of paramount importance and are a priority within SHM. As formal evidence of SHM’s commitment to these issues, SHM is currently in the process of acquiring two ISO certificates: ISO 9001 and ISO 27001.  We spoke to SHM’s data protection officer, Brenda Tuk-Stuster, and ISO certification project manager, Anna Jansen, about why ISO certification is important for SHM and how the project is proceeding.

What do ISO 9001 and ISO 27001 entail?

“ISO certificates are assigned to organisations that fulfil specific internationally-recognised quality standards. The ISO 9001 standard concerns quality management systems and assesses whether an organisation is capable of meeting regulatory, client and internal requirements. The ISO 27001 standard focuses on data security, and covers both company data and data made available to an organisation, such as patient data in the case of SHM.  After attaining the certification, organisations are subsequently subjected to an annual assessment of these requirements to retain the certification,” explains Brenda.

Why is it important for SHM to acquire these ISO certificates?

“Although ISO certification is not yet a formal requirement for activities such as those carried out by SHM, we are keen to gain such certification because it underlines how seriously SHM takes information security and demonstrates that all our processes involving information security, data protection and quality management are robust,” Anna explains. Brenda adds: “In addition, a new European regulation will come into force in May 2018, namely the European General Data Protection Regulation (GDPR). This law is intended to strengthen individuals’ privacy rights and places more responsibility with organisations. For example, organisations now have to prove that they have taken the appropriate organisational and technical measures to protect personal data. SHM will also have to comply with this new regulation. Since the requirements for ISO 27001 certification are very close to those laid down by the GDPR, it makes sense to attain ISO 27001 certification. In addition, ISO certification in general is becoming increasingly important and many companies now expect business partners to be certified. After all, it is an indication that the organisation you are working with has reliable and secure processes in place.”

What steps are involved in the process?

“Certification requires us to define and document all the processes and risks within SHM. Many of these processes had already been documented and have been updated where necessary. Remaining processes have been clearly detailed by the relevant departments and risks have been identified in consultation with SHM staff. We are now incorporating all the processes and risks in a quality management handbook,” Anna explains.  “This is a living document that will require ongoing fine-tuning and adjustment. ISO standards stimulate organisations to adopt a risk-based approach that should become an integral part of all processes within the organisation. Such an approach involves mapping risks within the organisation on an ongoing basis, keeping staff informed and, where necessary, providing staff training. It also requires developing a system to allow ongoing assessment and improvement; to achieve this within SHM, we use the Plan-Do-Check-Act (PDCA) cycle.”

“During the application process we realised how important it is to have a thorough understanding of the standards. Although we already had a great of knowledge in-house, we sought specialist assistance for certain areas.  This allowed us to remain closely involved in the process, which is important to us as an organisation, since we believe the experience gained will help in our ongoing improvement process”.  

Brenda continues: “We hope to have completed the certification process in the first half of 2018. At the moment we are in the final phase of checking that we fulfil all the requirements prior to actually initiating the certification process. We also have to run through the full PDCA cycle at least once." Anna adds: “An independent certification agency will then carry out an audit that will result in a report and the appropriate ISO certification.”

What happens once the certification has been attained?

“After we attain the certification, we will be subjected periodic re-assessments and it is therefore important that the requirements become embedded in the organisation  and that we maintain an ongoing improvement process, keep staff aware of issues, and provide training where necessary. Moreover, by actively implementing a continuous improvement strategy, we can pinpoint areas that may need attention and thereby safeguard data security at SHM and maintain the quality of our processes. Not only should this improve efficiency, it will also enhance the long-term sustainability of our work,” concludes Anna.