Following certification under the National Security Scheme (ENS) in July 2023, Bioidenti-Cell takes another step in cybersecurity by certifying its Information Security Management System to ISO 27001:2022.
Investing in security is a commitment of Bioidenti to its clients and partners. Threats in this field will persist and will adapt faster than the company's own security posture can evolve. Despite this, Bioidenti is prepared to minimize risks, reduce impacts, and detect incidents earlier, so that the information it manages and the services it offers stay aligned with cybersecurity best practices.
Security certification was not an end in itself; the primary goal was to transform the design and development processes for solutions and projects so that information security became part of every one of the company's activities.
The keys to achieving this goal have been:
- Hiring the right consultancy, one that understood this objective well
- Starting with ENS certification and subsequently preparing the management system for ISO 27001:2022
- Evolving the management system already prepared for ISO 9001:2015, so as to avoid creating a parallel documentation and standards model
- Continuing to invest in Bioidenti's own management system
The consultancy hired was Ingertec, and the involvement of the assigned consultant was key to boosting staff training and understanding the company’s starting point. From there, progress was made towards the process transformation goal supported by the proprietary management system, beyond achieving a one-time certification.
The service offered, with a schedule of sessions adjusted to the company's capacity, was a success. External audits were productive and were carried out by personnel not involved in the transformation process, thus ensuring objectivity.
Starting with ENS certification allowed the company to first invest in security assets, strengthen Cloud strategies in some areas, and learn about SIEM tools for centralized control. Dependencies on office equipment have been eliminated, and control systems have been standardized by defining the threshold each adopted diagnostic and control tool must satisfy, such as:
- SonarQube for static code analysis
- OWASP ZAP for web application vulnerability scanning
- Cloudflare for DDoS protection
- FortiGate for firewall and VPN
- FortiAnalyzer for monitoring and logs
- FortiEMS for centralized endpoint management
Once the information systems and services had the assets and processes certified under ENS, the company proceeded to evolve its management system to also certify it in information security.
Bioidenti has a proprietary Management System called BIG that allows the management of all processes. The functionalities that have been fundamental for ISO 27001:2022 certification have been:
- Document management
- Communication system
- Project management for the definition and tracking of:
  - Objectives
  - Risks and opportunities
  - Training plans
  - Development projects
  - Improvement plans
  - Corrective action plans
- Asset management and maintenance plans
- Review management
- Service and database monitoring system
- Incident management system
- Automatic monthly KPI generation with annual trend
Bioidenti is an SME with multifunctional profiles, and ISO standards do not always fit such models. Having a management system that integrates the standard into the quality system yields a system that reinforces itself through the daily working dynamics of each profile.
Document management provides change control, communication to employees, traceability of validations, and acknowledgments of receipt.
Project-based management of objectives, risks, opportunities… allows activities to be managed per resource and follow-up, cost, and efficiency reports to be extracted from them, based on an annual plan.
Asset management makes it possible to control each type of asset (software, hardware, human resources, keys…) that may require a maintenance or review plan.
Two profiles have been established, one for daily control of maintenance plans on information systems and another for daily control of the management system. Based on this model, a system of continuous review and improvement is maintained both at a technological level and in management and documentation.
For each component required by any service, probes check its status every 5 minutes and, on failure, automatically open a technical report for handling and resolution, even when the failure is an isolated one.
The incident management system used to resolve clients' technical reports has been extended to cover the company's own systems, allowing all company activities to be tracked in terms of information security.
KPIs are generated automatically every month, providing a dashboard of what is happening in each of the processes that support the company's activities.
Finally, to keep this under supervision, a screen in a visible part of Bioidenti's office displays the indicators that show a deviation and require action, whether in business management, security, or customer service.
The investment made by the company in these two years exceeds €300,000. This investment can be broken down into the development and evolution of the BIG management system, the purchase and subscriptions of resources and services related to information security, the expansion of Cloud services, staff training, and improvements in processes related to the development of solutions and projects to align them with new cybersecurity requirements.
This journey is not over, and Bioidenti will continue to invest to adapt its systems and processes to emerging threats and as a result of its integrated review systems. By 2025, Bioidenti aims and commits to achieving high-level ENS certification and promoting a culture of cybersecurity to all its collaborators.
For Bioidenti, the experience has been a demanding but necessary effort. Looking back from its current position, the company needed this push more than it realized. One might think that a technology company like Bioidenti has enough experience and capability to prevent cybersecurity risks, but the feeling today is that vulnerabilities can be more significant than expected. One of the results of this transformation process is greater awareness of risks, together with better preparation to face them.