About Modulight
Modulight Corporation is a biomedical laser company that designs and manufactures products for oncology, ophthalmology, and genetics. The company also provides solutions for selected high value-add applications including quantum computing and digital press. The company’s products include medical devices, subsystems, software, cloud services and specialized semiconductors. Modulight’s products are used worldwide by many Fortune 500 companies, pharmaceutical companies, and well-known cancer centers and universities. Modulight was founded in 2000 and is headquartered in Tampere, Finland.
Background
Modulight has a strong quality and compliance culture, and the company had solid cybersecurity practices even before the ISO 27001 project. To support the sales and marketing of their cloud-connected devices, Modulight wanted to get an ISO 27001 certificate for their cybersecurity management system. With a certified cybersecurity management system, Modulight expected it to be faster to convince the increasingly cyber-aware customers about Modulight’s high level of cybersecurity management. The ISO 27001 project was kicked off with an ambitious target schedule of five months.
The role of Cyberismo cybersecurity advisors was to support Modulight experts in developing and improving the cybersecurity management system and to provide cybersecurity expertise to ensure that the company would be ready for certification in the given target schedule.
Doing it yourself
The size of the project to implement an ISO 27001 based information security management system depends on various factors: the starting point, the size of the company, the number of locations, and in general the project scope. A potential shortcut is to hire a great deal of external help or to buy a ready-made documentation package, but there is a big risk that these approaches lead to an information security management system that works on paper but does not work in practice.
Modulight did not want to take this risk – they wanted to implement the main parts themselves to integrate the improved information security management system into the existing quality management system and to ensure that the documented practices fit well into the existing organisational culture. The goal was to improve the practical level of cybersecurity, rather than just the formal processes.
Critical success factors
In any project, there are at least two critical success factors: full management support and effective project management. When it comes to management support, it is not enough that the management wants to have a certificate – they must also ensure that the project has sufficient resources, and they must make decisions in a timely manner when needed. Both these factors worked extremely well at Modulight: an excellent project manager was nominated, and she kept the project on track by obtaining the needed management decisions and project resources.
A successful project team
That leads us to the next success factor – a good project team – as even the most excellent project manager will not be able to do everything alone. So, what makes a good project team for an ISO 27001 project?
First, there are quite a few documents to be written, so having a person who understands current management systems and can extend them with what is needed to document an information security management system is essential. An ISO 27001 subject matter expert can help in prioritisation and ensuring the needed requirements are built into the processes. Only internal persons, however, can document the processes in such a way that they integrate tightly into the existing management system and have a fighting chance of working in practice. It also helps if several internal persons with different backgrounds can review the processes, because end users might have quite a different view from technical security experts.
Risks and mitigating controls
Obviously, it is important to get the processes right in an ISO 27001 certification project. But on a practical level and especially in a hi-tech product company, we also need to work hard on technical cybersecurity controls. This brings us to our next success factor: understanding existing technologies, related risks and needed controls.
Again, an external consultant or a penetration tester can give pointers and help the project team focus on the essentials, but it is crucial to have an internal person with both the technical understanding and a passion to improve security. In this way, security can be truly integrated into the whole development lifecycle, from development tools, design and implementation to product verification, deployment infrastructure and operations.
Summary of success factors
To summarise, the key success factors in an ISO 27001 project are:
- Full management support and sufficient resources
- Effective project manager
- Solid project team with sufficient resource allocation, understanding of the existing organisation and processes, cybersecurity subject matter expertise, and capabilities to document and implement the needed controls.
To ensure that the relevant knowledge stays within the organisation and the information security management system continues to function in the future, most of this should be done internally and by people who will continue to work for the company even after the certification project ends. For example, it makes a lot of sense to nominate a project manager who will continue to be responsible for ISO 27001 compliance even after the first certification.
Testimonial
We developed an information security management system to complement our existing ISO 13485 medical device-grade quality management system. I am very proud of the project team who achieved this goal in a very ambitious project schedule.
I am also extremely glad we decided to work with Cyberismo in this project. Thanks to their expertise, we were able to focus on the right things at the right time. We had such a tight schedule that it was crucial to avoid all unnecessary work. ISO 27001 has a wide scope, and the topics range from fundamentals such as asset and risk identification to technical topics such as cybersecurity monitoring, secure development, and hardening. Furthermore, the Cyberismo consultants were able to review and analyse the new medical cybersecurity requirements from the FDA and the EU, and to draft a clear way forward to improve our ISMS past the requirements of ISO 27001.
Cyberismo advisors also encouraged us to implement as much of the solution ourselves as possible. We learned a lot and we were truly able to make a huge difference in our own capabilities to manage our cybersecurity development.
Juha Lemmetti,
CISO, Modulight