More security through ISO
Thanks to our recent certification according to ISO/IEC 27001, we can substantiate a high level of information security - and advance our cloud strategy on a solid regulatory foundation.
The idea of having our own processes regularly reviewed by independent experts has a long tradition in our company. When Dr. Axel Schreiber joined us in December 2011, we already had audits and certifications in place. As Division Manager Process and Agile Services, he and his team were also responsible for the most recent certification according to ISO/IEC 27001. The team began work at the end of 2023 - and with the certification issued in mid-March, we have now achieved yet another milestone.
From Clean Desk to Cyber Security
"ISO/IEC 27001 is commonly associated with the major topic of Cyber Security. In fact, it views information security in a broader context," explains Axel Schreiber. "The general idea is that information should be available when one needs it, that it should be accurate, and that it should only be accessible to those persons authorized to view it."
Based on the three criteria - availability, integrity, confidentiality - Axel Schreiber, Quality Manager Ms Arngard Libera and Dr. Andreas Barbian, Department Head Development, DevOps & Infrastructure, initially identified approximately 80 assets within the company. From these, they identified more than 130 risks, ranging from a fire in the server room, to a hacker attack, to the theft of physical documents from a desk. A detailed list of actions was developed based on the identified potential hazards. It defines several hundred specific provisions, such as those concerning the revision of access rights, the reorganization of files, or the implementation of a "Clean Desk Policy". There was not that much that needed to be done in terms of product cybersecurity, as the necessary procedures and tests had already been established for some time during development.
The positive effect: "We had already considerably raised our colleagues' awareness of information security issues during the process." Training and Town Halls, a revised information security guideline, office inspections, and numerous informal discussions - all of these have ensured that security awareness is more firmly embedded across the entire staff than ever before.
External audits as a vehicle for improvement
The implementation of ISO/IEC 27001 is thus the latest example of how audits and certifications have never been solely market-driven for us, but have always served as a vehicle for improving quality. This was already the case with the ISO 9001 certification regarding quality management systems (QMS): Since we were already certified to the more stringent ISO 13485 standard, which sets the benchmark for QMS in the medical device industry, we could have forgone ISO 9001. However, we made a conscious decision to pursue the 9001 certification so that the QMS is also monitored regularly and independently by external auditors for non-medical devices. This had already been decided by the company founders Jörg Holstein and Klaus Kleber, as they "simply had an interest in doing things well and to keep improving over time", says Axel Schreiber.
This attitude remains unchanged, and the reasons behind the recent certification are therefore also "multifactorial". For one thing, we had already prioritized the topic of cyber security for some time, especially in view of the growing importance of cloud services. This became a reality when we won a tender with the commitment to meet the standard. What was not known at the time: Shortly thereafter, the legislature introduced a new legal framework for cloud computing services in the healthcare sector. Since July 2024, the Cloud Computing Compliance Criteria Catalogue (C5 for short), developed by the Federal Office for Information Security (BSI), has been binding. "And the first of the over 100 required criteria demands the implementation of ISO 27001."
With our recent ISO certification, we managed to kill several birds with one stone: We have strengthened our position on the market, secured regulatory compliance for our cloud strategy - and, most importantly, improved our processes and, ultimately, our products. For Axel Schreiber, successes like these always provide a sense of reassurance: "After all, it is our moral duty to protect our customers' data. After all, these are patients' data."