Client Case Study: Uralensis Innov8

Overview

Uralensis Innov8 develop and provide software solutions aimed at addressing the needs of the pathology sector, built by pathologists for pathology, the 5 modules which can be subscribed to individually, or taken as a whole for a complete digital solution, provide:

  • Online diagnostic reporting app accessed by monthly subscription (Pathub Pro)
  • Pathology LIMS for hospitals, fully integrated to existing infrastructure (PathHub LIMS)
  • Whole slide image viewer & analyser (PathHub Digital)
  • Management app for multi-disciplinary teams: (PathHub Tumor Board)
  • Global collaboration app for 2nd opinion experts (PathHub Consults)

Uralensis found that increasingly, NHS trusts and private medical clients required a level of assurance, that their data was being handled within NHS guidelines and that buyers were looking for the company to be certified to a recognised standard. So, Uralensis Innov8 approached Click and Protect to assist them in gaining ISO27001 certification. 

Approach

Click and Protect (C&P) wanted to ensure that Uralensis Innov8 will be able to reassure clients that their data will be safe and secure by being complaint to regulations. This is how C&P approached this…

The certification process started with Uralensis Innov8’s CEO Dr. Iskander Chaudhry, approaching Click and Protect after a number of major and minor non-compliances had been raised at their Stage 1 audit for ISO27001 certification. The stage 1 audit establishes; if the key elements of the Information Security Management System (ISMS), are in place and understood by the organisation. Uralensis Innov8 had fallen into the trap that many small organisations only think about the policies that make up the ISMS and then buy a template document from the internet, instead of writing policies which directly relate to the processes they perform.

One of the major non-compliances from the initial audit was that the policies were too generic. Their policies didn’t link appropriately to processes that the company had in place, to actually run their service. Unfortunately, the accreditors gave Uralensis around three weeks to correct their findings found in the first audit. 

So, what did C&P do?

So, to achieve this turnaround quickly, Click and Protect began by reviewing the 104 documents which had been created for the ISMS. C&P removed any documents that were not relevant and consolidating them to enable Uralensis to easily manage the ISMS. The other key element missing from the ISMS at the time, was the collation of evidence that the company was actually doing what they said they were carrying out in the policies. This is a key element of all management systems, but even more relevant to information security, as it is the only method of proving that security controls are in place and being followed.

C&P also reviewed the Statement of Applicability (SoA) for the ISMS. This states which of the controls are relevant to the organisation and which are not. As the solution provided by Uralensis is a cloud-based solution, this meant that many of the controls such as; operating system patching and physical controls on access to the servers etc, where part of the service that they purchased, were therefore excluded from the ISMS. This review removed a number of controls from the SoA, meaning that the only evidence they had to supply to the accreditors was that the cloud service was already accredited.

Click and Protect defined the evidence and the records that Uralensis needed to keep, and brought the policies into line with what the company. C&P also defined a continual improvement plan into which all the findings from the stage 1 audit were incorporated and with Uralensis staff began to methodically define a plan of action to correct these findings.

One key issue that concerns companies when they go for accreditation to ISO27001, is that they feel they need to correct every problem or security loophole which exists, before they can gain accreditation. This is not true. Click and Protect ensured that Uralensis understood the risks and weaknesses in their ISMS, record these and have a plan to correct them, as this is what the accreditors are looking for to pass ISO27001. The plan was then examined on subsequent audits to show that the security is being maintained and managed successfully.

Client Feedback

The team at C&P had a chat with Uralensis Innov8’s CEO Dr. Iskander Chaudhry, for his feedback on the process…

How would you describe C&P’s services and working with them on this project?

“Uralensis Innov8 Limited has been working with Kevin Else from Click and Protect and signed up to the C&P services in preparation for its first ISO27001. We have worked with Kevin in the past for a US tender submission and required cyber security protocols which Kevin provided us with, including the relevant documentation and consultancy. C&P’s Services are a great way to get the best of ISO27001 accreditation, as it is an affordable and personal service.”

“The C&P team are fantastic to work with and are highly organised. We plan to renew each year and fully trust them. The team were able to deliver in time for our rushed IS27001 audit deadline. They had a set methodology; a project plan and delivery scheme, perfect for a small company like ours.” 


What are the benefits to you after using C&P’s s certification assistance service?

“It’s been a huge benefit to have ISO27001 and to get our accreditation. The team are
available for future audits and to keep monitoring our systems. We require this for the
Healthcare Sector that we operate in. Having the consultancy support of Click and Protect allows us to have increased credibility within a competitive market.”

 

Would you recommend Click and Protect to another business?

“We would highly recommend C&P’s services to anybody interested in having their ISO27001 standards designed, planned and audited, in particular around cybersecurity. It is ideal for small companies like ours, that don’t have staff with specialist knowledge in house. C&P are able to provide guidance on the asset registers as well as the statement of applicability. They help in devising the scope of the project and putting in the relevant controls. Kevin is very easy to approach and fantastic to work with and we hope to have a long-term business relationship with their organisation.”

Results

So to summarise…

Click and Protect wanted to make the process of client acquisition easier and more efficient for Uralensis. For example, so their customers wouldn’t worry about how their data is being handled. With Click and Protect’s help, Uralensis Innov8 achieved ISO27001 accreditation and are now using Click and Protect’s subscription-based service. This ensures that ongoing improvements in security and constant monitoring of the effectiveness of the ISMS, are in place and helping them win more customers.