Abstract

Purpose
This study aims to assess the information security risks that still arise in a clinical laboratory accredited to ISO 15189 and certified to ISO 9001, as preparation for digital-based services.

Design/methodology/approach
Using the ISO/IEC 27001 approach, embedded in the qualitative method of this study, the risk assessment is carried out through identification, analysis and evaluation, based on interviews with process owners at clinical laboratories in Jakarta.

Findings
The Busdev&IT Department was found to carry the most information security risks (35 risks out of 384 total risks), which required further treatment according to the established risk appetite. Vigilance over the use of information systems in the laboratory therefore needs to be increased with respect to information security.

Research limitations/implications
The research object was in the preparation stage for ISO 27001 certification, but the risk assessment is not only a matter of complying with requirements; it is also a way to put effective information security controls in place across the laboratory's processes so that sensitive information is secured.

Originality/value
This study answers the need to establish information security risk control in clinical laboratories.
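The identification, analysis and evaluation steps described in the methodology can be illustrated with a small risk register evaluated against a risk appetite. The following Python is an added example, not code or data from the study: the departments, assets, threats, likelihood/impact scores and the appetite threshold are all constructed for illustration, and the 5x5 likelihood-times-impact scoring is one common ISO/IEC 27005-style convention, not a scale the paper specifies.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed risk appetite: a risk whose score exceeds this value is not
# accepted as-is and must be treated (modify, share, avoid). Hypothetical value.
RISK_APPETITE = 8


@dataclass(frozen=True)
class Risk:
    """One row of a risk register (identification step)."""
    id: str
    department: str
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        """Analysis step: a simple likelihood x impact product on a 5x5 matrix."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.id}: likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


# Constructed example register; none of these entries come from the study.
EXAMPLE_REGISTER = [
    Risk("R01", "Busdev&IT", "LIS application server", "unpatched software exploited", 4, 5),
    Risk("R02", "Busdev&IT", "staff e-mail", "credential phishing", 3, 3),
    Risk("R03", "Busdev&IT", "backup media", "loss during off-site transport", 2, 4),
    Risk("R04", "Laboratory", "analyser workstation", "shared login account", 3, 4),
    Risk("R05", "Laboratory", "printed result reports", "misdelivery to wrong patient", 2, 3),
    Risk("R06", "HR", "personnel files", "unauthorised access", 1, 4),
    Risk("R07", "Finance", "billing system", "incorrect data entry", 2, 2),
]


def evaluate(register, appetite):
    """Evaluation step: return the risks above appetite, highest score first."""
    above = [r for r in register if r.score() > appetite]
    return sorted(above, key=lambda r: r.score(), reverse=True)


def count_by_department(risks):
    """How many of the given risks each department owns."""
    return Counter(r.department for r in risks)


def summarise(register, appetite):
    """Per department: (total identified risks, risks needing treatment)."""
    total = count_by_department(register)
    treat = count_by_department(evaluate(register, appetite))
    return {dept: (total[dept], treat.get(dept, 0)) for dept in total}


if __name__ == "__main__":
    for dept, (n_total, n_treat) in summarise(EXAMPLE_REGISTER, RISK_APPETITE).items():
        print(f"{dept:12s} identified={n_total:2d} needs treatment={n_treat}")
    for r in evaluate(EXAMPLE_REGISTER, RISK_APPETITE):
        print(f"  {r.id} score={r.score():2d} {r.department}: {r.threat} ({r.asset})")
```

Running it on the constructed register reports Busdev&IT with 2 of 3 risks above appetite and Laboratory with 1 of 2, which is the same kind of per-department ranking the study uses to decide where treatment effort goes. A risk exactly at the appetite (R03, score 8) is accepted under the strict comparison; whether the boundary is inclusive is a decision the organisation has to record alongside its appetite.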
