The article below summarizes some of my thoughts and experiences in helping small Medical Device companies implement an ISMS and achieve ISO/IEC 27001 certification.
December 2025, Leslie Dow
The Information Security Management System (ISMS) is the cornerstone for managing and protecting organizational information. It establishes clear boundaries, defines information management responsibilities, and outlines protection strategies for critical assets. While the initial impulse might be to protect all information equally, an effective ISMS requires thoughtful consideration of what truly needs protection. For small organizations, particularly, the way you define your ISMS can mean the difference between success and failure. This article outlines three critical considerations when establishing your ISMS.
1) Carefully consider the scope of the ISMS
ISO 27001 extends far beyond IT considerations. It encompasses all forms of information—spoken, written, and electronic—within your certification scope. A common misconception is that ISO 27001 primarily concerns IT operations when, in reality, it applies to any organizational unit that owns or manages information within the ISMS scope.
Finding the right scope balance is crucial. An overly broad ISMS becomes unwieldy to implement and manage, while one that’s too narrow fails to deliver expected value. While your ISMS doesn’t need to cover your entire organization, it should encompass information critical to business success and protect your most valuable assets.
Consider this practical example: A healthcare technology company chose to initially limit its ISMS scope to its clinical laboratory and clinical products, including those involved in industry collaborations. This focused approach allowed for successful implementation in key areas, with plans to expand to its R&D organization as resources became available.
2) Align Your ISMS with Your Quality Management System (QMS)
The substantial overlap between ISMS and QMS requirements presents a valuable opportunity for streamlined compliance. Since your organization already understands QMS processes, structuring your ISMS to complement existing quality systems can significantly ease adoption.
Key areas of alignment include:
- Leadership oversight and commitment requirements
- Corrective and preventive action processes
- Vendor assessment and management procedures
- Software development lifecycle controls
You can enhance existing QMS policies by incorporating information security considerations. For instance, expand your software development procedures to include security requirements, secure coding guidelines, and security testing protocols. This integration helps satisfy both ISO/IEC 27001 requirements and FDA cybersecurity guidance, which often complement each other.
3) Plan and implement your ISMS using a risk-based approach
Small organizations pursuing ISO 27001 certification should prioritize addressing high-risk items. Your Information Risk Register becomes an essential tool for identifying, assessing, and planning risk mitigation strategies.
Although organizations familiar with ISO 14971 might be tempted to adapt their existing safety risk management framework, experience shows that maintaining a separate Information Risk Register is more effective. While these risk management processes should interact, keeping them distinct offers several advantages:
- Simplified reporting structures
- Clearer assessment criteria
- More focused mitigation strategies
- Reduced confusion among subject matter experts
The key is ensuring these parallel risk management processes communicate effectively while maintaining individual integrity. This approach allows each system to serve its specific purpose while contributing to the organization’s overall risk management strategy.
Remember that successful ISMS implementation doesn’t require perfection from day one. Start by protecting your most critical information assets, establishing clear boundaries, and building upon your existing quality management framework. This focused, risk-based approach will help ensure your ISMS provides real value while remaining manageable and sustainable.