Introduction
This policy establishes the framework for managing information security within IOMED to ensure the confidentiality, integrity, and availability of information assets. It aligns with the requirements of ISO/IEC 27001, ISO/IEC 27701, the General Data Protection Regulation (GDPR), and the Spanish Data Protection Law (LPD), supporting IOMED’s compliance with applicable legal and regulatory obligations.
Scope
This policy applies to all IOMED personnel, including employees, suppliers, data holders (Data Partners), data users, and any third parties with access to IOMED’s information systems, data, and services. It covers all forms of information, physical and digital, processed within or outside IOMED systems, regardless of the storage medium or transmission method. This policy applies within the following scope:
“Information services supporting the design, development, marketing, promotion, administration, and management of technological platforms for the healthcare and health sector.”
Responsibilities
| Task | Owner | Approver |
| --- | --- | --- |
| Approve and endorse the policy. Ensure resources are available for implementation. Monitor policy effectiveness. | Security Committee | CEO |
| Develop and maintain the policy. Manage risk assessments and controls. Train staff on security awareness. | Information Security Manager | - |
| Implement technical security measures. Ensure data confidentiality, integrity, and availability. | Security and Cryptography Specialist | - |
| Comply with security policies and procedures. Report security incidents promptly. Adhere to IOMED’s security policies. Implement adequate security measures for their services/products. | Employees, Data Holders, Data Users, Suppliers | - |
| Creation, maintenance, and updates of the document to ensure alignment with organisational standards. | Compliance Manager | - |
Description
- This policy integrates specific considerations from ISO/IEC 27001 and ISO/IEC 27701 regarding the management of personally identifiable information (PII). It outlines the responsibilities of IOMED as a data controller and/or processor, and reflects our obligations towards data subjects in terms of transparency, purpose limitation, data minimisation, and protection of privacy rights.
- To this end, the following commitments are adopted, which support the Strategic Direction of the organisation:
- Commitment to Security: IOMED is committed to protecting its information assets against unauthorised access, disclosure, modification, or destruction while complying with applicable regulations, including GDPR and LPD.
- Risk Management: Information security risks will be identified, assessed, and mitigated through the implementation of controls defined in the "Risk and Opportunity Management" SOP. Specific attention will be given to risks related to personal data processing, in compliance with GDPR and LPD.
- Data Protection: Personal data will be processed lawfully, fairly, and transparently, following the principles of data minimisation, accuracy, and purpose limitation. Adequate technical and organisational measures will be implemented to ensure the security of personal data, as required by GDPR and LPD.
- Access Control: Access to information assets will be granted on a need-to-know basis and periodically reviewed. Unauthorised access will be strictly prohibited. The use of personal devices (Bring Your Own Device - BYOD) for accessing or processing IOMED’s information systems or data is expressly prohibited, in order to reduce exposure to unmonitored and uncontrolled environments. All work-related activities must be conducted using approved and managed corporate assets.
- Incident Management: Security incidents, including data breaches, will be reported, documented, and addressed promptly in line with the Security Incident Management (Procedure) and Data Breach Management (Procedure); for personal data breaches, notification will occur within the required timelines under GDPR and LPD.
- Employee Awareness: All personnel will receive regular training to ensure awareness of their responsibilities related to information security and data protection.
- Continuous Improvement: The IMS will be regularly reviewed and updated to reflect changes in technology, regulations, and the threat landscape.
- Information Security Objectives: This policy serves as a framework for setting SMART information security objectives as stated in Company Goals (Master).
- Non-compliance with this policy may lead to disciplinary actions, in accordance with the applicable Disciplinary Code.
Effective Date
This Information Security Policy shall come into effect immediately upon approval by top management and will remain in effect until revised or replaced. It will be made available to IOMED members and provided to relevant external interested parties as appropriate and necessary, either upon request or as part of contractual agreements.