ISO/IEC 27001 – the foundation of information security at Graylight Imaging

Information security and protection within a company are key standards of responsible organizational management. This is especially true in the medical technology field, where new technologies leverage patient image data. At Graylight Imaging, we work with this type of data every day—information that requires the highest level of protection. That is why we have decided to implement the ISO/IEC 27001 standard.

What is ISO/IEC 27001?

It is an international standard that sets the principles for information security management within an organization. The standard specifies the principles by which companies should build and operate robust data protection systems.

In its daily operations, Graylight Imaging also manages data that requires adequate security and protection against unauthorized access, loss, or breaches.

Therefore, in line with our responsibility to ensure information security, we have implemented the PN-EN ISO/IEC 27001:2023-08 standard across our organization. This is confirmed by the certificate we have been awarded.

Why is ISO/IEC 27001 crucial to Graylight Imaging?

Graylight Imaging specializes in developing medical algorithms for image analysis and in medical imaging software. The solutions we design for our clients are tailored to their individual requirements and primarily rely on artificial intelligence technologies.

In our projects, we work with image data, including medical images such as MRI, CT, and angio-CT, which contain particularly sensitive patient data. Creating systems based on this type of data requires compliance with exceptionally high information security standards.

The ISO/IEC 27001 standard confirms that Graylight Imaging employs controlled, secure data processing procedures and provides adequate protection.

Credibility and trust

Moreover, we believe that implementing ISO/IEC 27001 will significantly enhance our credibility and our customers’ trust. This certificate confirms that our information security management processes meet the highest standards and that the medical data entrusted to us by customers in the projects we carry out for them is protected in a professional, transparent manner that preserves its integrity.

ISO/IEC 27001, or how we implemented the standard

The implementation of ISO 27001 required considerable commitment and effort on our part, including a meticulous review of the company’s operations and the systems on which the organization operates.

It was necessary to define and assess risks, reanalyze existing procedures, and design security processes that realistically reflect how we work. Furthermore, they had to be practical and effectively protect the company’s and our customers’ data. Our goal was to create an effective Information Security Management System that genuinely supports the organization’s activities, rather than a formal set of documents for its own sake.

The next step was to organize the results of the analyses, audits, and reviews and translate them into consistent procedures, policies, and organizational records. This resulted in a transparent and functional Information Security Management System aligned with PN-EN ISO/IEC 27001:2023-08.

During ISMS implementation, we also considered applicable legal regulations, including the GDPR (EU 2016/679) on the protection of personal data and the MDR (EU 2017/745) on medical devices, particularly in the context of cyber risk management.

External audit

The final step was an audit conducted by an external certification body. The auditors checked the processes in all departments of the company. They spoke with employees and assessed how information security management procedures are implemented in their day-to-day work. We passed the audit and were awarded the aforementioned certificate.

Information Security Policy

As part of its data management activities, Graylight Imaging has implemented and operates an Information Security Policy. This is a top-level document that regulates the company’s information protection rules. The document must be followed by all employees and contractors working with the company. Its aims include raising the team’s awareness of information protection.

‘The policy sets out general guidelines for Graylight Imaging’s approach to information security and forms the basis for all further procedures, instructions and specific policies that are established as part of our Information Security Management System (ISMS),’ says Marek Pitura, Head of Project Management and a specialist who ensures that Graylight Imaging operates in accordance with the required standards.

Why is the Information Security Policy so important? The document ensures a consistent, conscious approach to data protection; enables the identification and minimization of risks associated with processing information and medical data, including imaging data; and provides a basis for building a security culture within the organization. Thanks to the Information Security Policy, employees and associates have clear guidelines for handling information, helping protect both company data and the data of our customers and partners.

The foundation for further development

The implementation of ISO/IEC 27001 is another step towards further developing our organization and further strengthening the security of the information we work with in our projects, both those carried out on behalf of our clients and internal R&D projects.

The certificate confirms that Graylight Imaging meets international information security requirements and mitigates the risks associated with data processing. This is particularly important for sensitive medical and imaging data.

However, the implementation of the standard and obtaining the certificate are not one-off, closed projects for us, but rather a foundation and starting point for continuous improvement of our security system.
