Security Policy

Introduction

This policy establishes the framework for managing information security within IOMED to ensure the confidentiality, integrity, and availability of information assets. It aligns with the requirements of ISO/IEC 27001, ISO/IEC 27701, the General Data Protection Regulation (GDPR), and the Spanish Data Protection Law (LPD), supporting IOMED’s compliance with applicable legal and regulatory obligations.

Scope

This policy applies to all IOMED personnel, including employees, suppliers, data holders (Data Partners), data users, and any third parties with access to IOMED’s information systems, data, and services. It covers all forms of information, physical and digital, processed within or outside IOMED systems, regardless of the storage medium or transmission method.

This policy applies within the following scope:

"IOMED operates a Data Space Platform (DSP), an AI-powered health data platform that enables the secure, standardised, and compliant secondary use of clinical data. It acts as an enabler, helping healthcare organisations make their data usable for research and innovation, and as a mediation infrastructure, connecting data holders and users to collaborate on research across the healthcare ecosystem. The scope covers all activities related to its design, development, deployment, operation, management, and support, including infrastructure, software, data workflows, and the processes that ensure data protection, information security, and regulatory compliance."

Responsibilities

Owner: Security Committee. Approver: CEO.
- Approve and endorse the policy.
- Ensure resources are available for implementation.
- Monitor policy effectiveness.

Owner: Information Security Manager. Approver: -
- Develop and maintain the policy.
- Manage risk assessments and controls.
- Train staff on security awareness.

Owner: Security and Cryptography Specialist. Approver: -
- Implement technical security measures.
- Ensure data confidentiality, integrity, and availability.

Owner: Employees, Data Holders, Data Users, Suppliers. Approver: -
- Comply with security policies and procedures.
- Report security incidents promptly.
- Adhere to IOMED’s security policies.
- Implement adequate security measures for their services/products.

Owner: Compliance Manager. Approver: -
- Creation, maintenance, and updates of the document to ensure alignment with organisational standards.

Description

  • This policy focuses on the management and protection of information security within IOMED, ensuring the confidentiality, integrity, availability, authenticity, and traceability of information assets. To this end, the following commitments are adopted, which support the Strategic Direction of the organisation:
    • Commitment to Security: IOMED is committed to protecting its information assets against unauthorised access, disclosure, modification, or destruction, while complying with applicable regulations.
    • Risk Management: Information security risks will be identified, assessed, and mitigated through the implementation of controls defined in the Risk and Opportunity Management SOP. Risks related to personal data processing are managed separately in the Personal Data Protection (Policy).
    • Access Control: Access to information assets will be granted on a need-to-know basis and periodically reviewed. Unauthorised access is strictly prohibited. The use of personal devices (Bring Your Own Device, BYOD) for accessing or processing IOMED’s information systems or data is expressly prohibited, to reduce exposure to unmonitored and uncontrolled environments. All work-related activities must be conducted using approved and managed corporate assets.
    • Incident Management: Security incidents will be reported, documented, and addressed promptly in line with the Security Incident Management (Procedure). Personal data breaches are handled according to the Data Breach Management (Procedure) described in the Personal Data Protection (Policy).
    • Employee Awareness: All personnel will receive regular training to ensure awareness of their responsibilities related to information security.
    • Continuous Improvement: The IMS will be regularly reviewed and updated to reflect changes in technology, regulations, and the threat landscape.
    • Information Security Objectives: This policy serves as a framework for setting SMART information security objectives as stated in Company Goals (Master).

Non-compliance with this policy may lead to disciplinary action, in accordance with the applicable Disciplinary Code.

Effective Date

This Information Security Policy shall come into effect immediately upon approval by top management and will remain in effect until revised or replaced. It will be made available to IOMED members and provided to relevant external interested parties as appropriate and necessary, either upon request or as part of contractual agreements.