Our clients place trust in us to keep their information safe.  

So, we committed to enhancing our information security practices by undertaking an ISO 27001 accreditation.  

Find out how we passed our audit and how we make information security management part of our everyday business.  


In January 2024, we shared our three-step approach to quality management success following our ISO 9001 accreditation. The steps are: 

  1. Develop a quality strategy 
  2. Create a quality culture 
  3. Write a quality handbook 

Now, those three steps may appear pretty simple – but they’re essential to laying strong quality management foundations across our business.  

We applied them again when we embarked on the ISO 27001 information security management accreditation.  


ISO 27001 accreditation 

ISO 27001 is the standard for information security management. It focuses on building a robust framework to manage and protect information, helping organisations to safeguard their information assets, mitigate risks and embed rigorous practices to build information security resilience.  

The standard was updated in 2022 to reflect the latest practices and challenges of information security, including cyberattacks and privacy protection. Ethical Healthcare is one of the first organisations to be accredited in the revised ISO 27001:2022 international standard. 


Managing and protecting our information  

We worked with Anne Wright, an ISO specialist from AWTBS, to prepare for our ISO 27001 audit and she believed our commitment to information security standards was instrumental in achieving the accreditation: “Ethical Healthcare takes information security seriously. Its team has clear roles and responsibilities, and internal checks and risk planning are part of everyday life in the business.” 

Some of the good practices highlighted in our ISO 27001 audit were:  

  • Network access with least privilege principles and regular reviews.  
  • Having a thorough understanding of our assets via a robust register of what data is stored where.  
  • Applying appropriate technical controls to supplement our policies. 
  • Embedding a culture of openness so that information security incidents are reported and managed promptly. 
  • Creating an information security handbook that turns dozens of lengthy policies into a user-friendly guide for everyone in the organisation.  


Protecting our clients’ information 

Our clients trust us to handle their confidential data and business critical information with care. As a business founded on transparency and honesty, we take that responsibility very seriously.  

We implemented robust access controls so only the people who need to handle data get access to it. We also introduced a data retention schedule that ensures we only hold data for as long as it is appropriate based on the classification of information at hand.  

In line with the updated ISO 27001:2022 standard, we developed a data masking protocol so that personal identifying data (PID) is anonymised or not handled at all if it’s not essential.  


Testing our preparedness for disruption 

ISO 27001:2022 has an increased focus on continuity planning, so our preparedness for an incident that could disrupt our business operations was assessed.  

As a business that works remotely, with staff and associates based across the UK and internationally, we have invested a lot of time in continuity planning so we can respond quickly to incidents that affect individual members of our team or the entire business.  

Prior to our ISO 27001 audit, we tested our business continuity and disaster recovery policy to assess our response to one of our major systems going down. The lessons learned through that scenario have been applied to our policies – which we’ll test again regularly.  

We have also rolled out awareness training to all our staff, so they understand our information security risks, follow our processes for managing them and feel confident and supported in reporting any potential issues.  


Creating an information security culture 

We don’t do our homework the night before it’s due.  

We commit the time to develop and implement robust policies, procedures and practices to manage information security effectively.  

That commitment is shared by everyone in our business – and it gives us the confidence to know we’re delivering the best quality services to our clients every day.  


Get in touch 

If you’d like to know more about our quality management and information security approach, contact Judy Smith at judy@ethicalhealthcare.org.uk