TÜV TRUST IT GmbH, part of the TÜV AUSTRIA Group, developed the implementation strategy for an ISMS based on ISO/IEC 27001:2013 and supported its establishment.
To meet the legal requirements for manufacturers of medical products, Roche Diagnostics, with the support of TÜV TRUST IT, introduced a certifiable Information Security Management System (ISMS) according to ISO/IEC 27001:2013.
The Diagnostics division of F. Hoffmann-La Roche AG, the world’s third-largest pharmaceutical company, supplies healthcare institutions with products for prevention, diagnosis, and therapy. The National Health Service (NHS) in England imposes strict security requirements on companies handling patient data. These requirements also apply to the UK branch of Roche Diagnostics, which must meet them to continue operating in support and sales in the UK.
Faced with this challenge, the global Roche Diagnostics Customer Support organization in Switzerland commissioned TÜV TRUST IT to identify an information security strategy that complies with the legal requirements of the English health authority. TÜV TRUST IT consultants first determined which organizational units within the company, both domestically and internationally, were affected by the NHS requirements. A parallel analysis of the specific actions required revealed that the NHS requirements largely align with the international ISO/IEC 27001:2013 standard. As a result, the decision was made to establish and certify a global ISMS based on ISO/IEC 27001:2013.
“Thanks to TÜV TRUST IT, we quickly identified the right strategy for implementation. It was especially important to realize that not only the subsidiary had to meet the NHS requirements, but also any third party to whom the UK subsidiary transmits patient data,” explains Hans Georg Seiberlich, Head of Global Customer Support Quality at Roche Diagnostics. “This included suppliers as well as other Roche Diagnostics entities in various countries.”
To implement the project, TÜV TRUST IT chose the ISMS development plan methodology with a step-by-step rollout for each business unit. To determine what each unit needed, simulated audits (mock audits) were conducted to assess compliance with ISO/IEC 27001:2013. These assessments identified unmet requirements and formed the basis for a development plan for the ISMS. The focus was not only on technical implementation but also on cross-functional and organizational aspects. No processes were created specifically for the ISMS; instead, existing workflows were adapted or extended.
Building acceptance for information security was also a key part of the project. This included securing top management commitment and conducting intensive change management. The seamless integration of risk and quality management into Roche Global’s system ensured that processes are sustainably embedded and no inefficient workarounds arise. Rob Chapman, Project Manager at Roche Diagnostics Global Customer Support, is pleased with the outcome: “The ISMS and its associated information security requirements are now an integral part of our corporate culture.”
With the implementation of the ISMS and its certification according to ISO/IEC 27001:2013 by an independent and accredited certification body, the sites in Germany, Switzerland, and England are now part of the global ISMS. “The pragmatic and competent approach of TÜV TRUST IT as a consulting partner in such a complex project was a key factor in its success,” concludes Seiberlich.