kanj technologies

Building an ISO/IEC 27001-Ready ISMS for a Multi-Site Healthcare Organisation

Designing and embedding an auditable, organisation-wide ISMS aligned to ISO/IEC 27001 to support healthcare assurance, compliance and operational resilience.

The challenge

Clinisupplies required a formal, auditable security management system to strengthen assurance for customers, partners and compliance expectations, while reducing operational and cyber risk across a distributed environment.

Although many good security practices existed, they were not fully standardised, mapped, or consistently evidenced in a way that would stand up to audit. Ownership and accountability were spread across teams, and key policies and processes needed to be formalised to demonstrate repeatability, governance and continual improvement.


The solution

As the contracted MSP, we led the programme to establish a sustainable Information Security Management System (ISMS) aligned to ISO/IEC 27001.

We assessed current controls, gathered and organised evidence, and created clear ownership across the business so that controls were maintained as part of normal operations. We standardised policies and procedures and introduced governance routines (review cycles, action tracking and management oversight) so the ISMS functioned as a living system rather than a one-off documentation exercise.

Where gaps were identified, we implemented practical improvements that could be adopted across teams and sites without disrupting day-to-day service delivery.


The results

The client achieved a more structured, auditable approach to information security, with clearer accountability, consistent policies and a defined improvement roadmap.

This strengthened confidence internally and externally, supported compliance-driven opportunities, and reduced security and operational risk through a more repeatable, measurable security management approach.

Delivered through a structured six-month programme, the organisation moved from informal good practices to a governed, auditable ISMS aligned to ISO/IEC 27001:2022, covering the full operational footprint supporting healthcare services. We produced the core certification artefacts required for audit readiness, including the risk assessment methodology, risk register, Statement of Applicability (SoA), internal audit programme, management review pack and a corrective action process to demonstrate continual improvement.

In parallel, we implemented practical control enhancements recognised by healthcare buyers: strengthened supplier assurance, tighter access control and review routines, formalised incident management, validated backup and business continuity testing, improved logging and monitoring, and a dependable asset inventory. This created a repeatable, measurable security management model that increased assurance, reduced operational risk and positioned the organisation strongly for certification and compliance-led growth.