This year, we conducted our first State of Digital Health Compliance Survey to uncover the challenges, costs, and concerns digital health organisations face in achieving compliance. A key insight? Over half of organisations not yet compliant plan to achieve ISO 27001 certification in 2025, with 20% already certified or actively working towards it.
So, why is ISO 27001 becoming a top priority for digital health companies?
In this blog, we’ll explore why more digital health organisations are pursuing the certification, highlight its benefits for digital health, and explain its growing relevance in the sector. Looking for a detailed breakdown of the certification process? Check out our Comprehensive Guide to ISO 27001 for detailed guidance.
ISO 27001 is the internationally recognised standard for creating, maintaining, and improving an Information Security Management System (ISMS). An ISMS is essentially a framework of policies, processes, and controls that ensure your organisation is doing all it can to keep data secure.
The standard takes a risk-based approach to safeguarding information, emphasising the confidentiality, integrity, and availability of data. For digital health companies, where handling sensitive patient information is routine, these safeguards are critical, not just for protection but to meet the security expectations of customers, regulators, and partners.
Achieving ISO 27001 certification involves:
Handling health data or developing systems that interact with it comes with immense responsibility. For digital health organisations, ISO 27001 certification offers a practical way to:
While ISO 27001 isn’t always required for NHS contracts (we’ll come back to this later), it’s increasingly seen as a key differentiator - particularly for companies looking to work with private healthcare providers or international buyers.
For some, like those participating in Germany’s DiGA scheme, ISO 27001 is often essential. To get listed as a DiGA, companies must meet stringent security requirements, and ISO 27001 is often one of them. Without it, approval and listing may not even be an option.
Beyond these specific needs, ISO 27001 provides a range of benefits for digital health organisations:
ISO 27001 ensures your organisation has robust processes in place to reduce the risk of data breaches and unauthorised access. Even if your solution doesn’t handle sensitive health data, certification shows your commitment to keeping systems and information secure while reducing the likelihood of data breaches and disruptive cyber attacks.
Certification signals to buyers, whether NHS, private healthcare providers, or international customers, that your organisation prioritises security. ISO 27001’s global recognition makes it particularly valuable for companies expanding into international markets like the EU or the US, where it is already well-established as a benchmark for information security.
While ISO 27001 isn’t always mandatory, its requirements overlap with essential regulatory standards including GDPR, Cyber Essentials, NHS DSPT and DTAC. While certification won’t cover all NHS requirements, it lays a strong foundation, easing the overall compliance process.
ISO 27001 promotes a systematic approach to identifying and managing risks, making your organisation more resilient against cybersecurity threats and incidents. By embedding continuous risk management processes, you’re better prepared to log near misses, respond to potential breaches, and implement measures to prevent future occurrences.
With upcoming regulations like the Cyber Security and Resilience Bill in the UK, NIS2 in the EU, and new AI governance measures, cybersecurity requirements are only becoming more demanding. ISO 27001 positions your organisation well to adapt to these changes. For UK companies, where the government is focused on prioritising healthcare cyber resilience (e.g., through the DSPT’s transition to the Cyber Assessment Framework), ISO 27001 provides a significant head start in staying compliant with future expectations.
The answer depends on your role as a supplier and the services you provide to the NHS. For companies handling critical IT systems or processing personally identifiable data, certifications like Cyber Essentials Plus (CE+), or ISO 27001 are often essential.
While ISO 27001 compliance isn’t mandatory for all digital health suppliers, it provides significant advantages when working with the NHS. For instance, an up-to-date ISO 27001 certification - properly scoped to cover health and care data processing - can streamline parts of the NHS DSPT and DTAC compliance processes. It reduces the workload by fulfilling equivalent requirements for specific assertions and evidence.
However, it’s crucial to understand that ISO 27001 alone doesn’t satisfy all NHS cybersecurity requirements. Specifically, it doesn’t address NHS-specific needs like Personal Confidential Data (PCD) handling or mandatory staff training. This means you’ll still need to complete the NHS DSPT, even if you’re ISO 27001 certified.
If you’re aiming to become a supplier on the Health and Social Care Network (HSCN), ISO 27001:2013 certification is a requirement. This certification must be based on an audit of your Information Security Management System (ISMS) conducted by a UKAS-accredited auditor, with the audit scope pre-approved by HSCN Compliance.
While ISO 27001 might not always be a strict requirement, its benefits make it a valuable investment for digital health organisations working with or hoping to work with the NHS.
The short answer is: not always. If your work doesn’t involve HSCN (Health and Social Care Network) or other specific NHS requirements, your ISO 27001 certification doesn’t necessarily need to be UKAS-accredited.
A UKAS-accredited certification can add credibility, particularly when working in international markets. UKAS (United Kingdom Accreditation Service) accreditation means your external audit is conducted by a UKAS-approved certification body, which tends to carry more weight in procurement processes. However, it’s worth noting that this comes at a higher cost. UKAS-accredited audits typically cost around £1,500 per day, with audit durations ranging from 3 days to 3 weeks, depending on your organisation’s size, complexity, and the scope of certification.
Opting for a non-UKAS-certified audit is a more cost-effective option and doesn’t diminish the effort or scrutiny involved in achieving ISO 27001. Many organisations successfully win tenders and bids without UKAS accreditation, as long as they meet all the necessary standards.
If a customer or partner requires ISO 27001 certification, it’s a good idea to confirm whether UKAS accreditation is essential for their specific needs. In many cases, non-UKAS certification is sufficient, but double-checking can save you unnecessary costs or complications down the line.
Don’t feel pressured into opting for a UKAS-certified audit under the assumption that “it won’t count otherwise.” If you’re pursuing ISO 27001 to strengthen your organisation’s information security posture, rather than to meet a specific customer requirement, a non-UKAS audit will be more than sufficient. If a customer or partner requests UKAS accreditation later, you can always upgrade at that point - saving yourself time and money in the meantime.
Achieving ISO 27001 certification is a significant milestone, but it’s only the beginning of your journey. One of the key aspects of the standard is continuous improvement, ensuring that your Information Security Management System (ISMS) evolves to meet new risks and challenges.
After your audit, your ISMS shouldn’t become a static set of documents collecting dust until the next certification. To maintain your ISO 27001 certification, which must be renewed every three years, your organisation must actively adhere to and update the processes outlined in your ISMS. This is especially important for digital health organisations, which often face additional yearly compliance requirements to continue supplying the NHS.
Maintaining compliance means regularly:
With Naq, achieving and staying ISO 27001 compliant is seamless. Our platform is designed to help you maintain the processes outlined in your ISMS effortlessly:
Over 150+ digital health innovators are using Naq to streamline their compliance processes. As one of our customers put it:
“The Naq platform is so simple, and everything is straight to the point – what tasks you need to do, policies you need to implement, and training to roll out. It makes our lives easier.”
Whether you’re just starting your compliance journey or looking for a smarter way to manage ongoing requirements, Naq’s platform takes the complexity out of ISO 27001 compliance. Book a demo with our team or read how Decently achieved NHS compliance cheaper, faster and easier with Naq.