Information Security for Digital Health Applications (DiGA)

What are Digital Health Applications?

Digital Health Applications (DiGA) are ‘digital assistants’ for patients. They are developed to detect and treat diseases and to support a more self-determined lifestyle. DiGA are CE-marked medical devices.

DIN EN ISO 13485 is the standard that describes a quality management system for medical devices (QMS). An established QMS is a prerequisite for a conformity assessment procedure that makes a DiGA a reimbursable medical device.

The establishment of a management system in accordance with ISO/IEC 27001 enables an organisation to effectively protect data and information belonging to customers and other parties, to safeguard their rights and interests, and thus to comply with legal requirements. With a certified ISMS, the organisation demonstrates that it protects the confidentiality, integrity and availability of its assets.

ISO 27799:2016 contains additions to ISO/IEC 27001 that must be taken into account when introducing an ISMS in the healthcare sector. It is therefore aimed at users who handle health data and takes into account the special requirements and environmental conditions in the medical field.

This standard presents many detailed proposals for extending the general protection measures from ISO/IEC 27001 and also lists supplementary measures.

For whom is this specific combination of standards relevant?

The combination presented here is relevant for manufacturers of DiGA and their contract software developers, and it is mandatory under the DiGAV.

What are the advantages of combining DIN EN ISO 13485 and ISO/IEC 27001?

The Digital Care Act (DVG) amended Social Security Code V to make a new group of medical devices, known as ‘digital health applications,’ eligible for reimbursement. The ‘Regulation on the Procedure and Requirements for Assessing the Reimbursability of Digital Health Applications in Statutory Health Insurance’ (DiGAV) specified the requirements for DiGA. Manufacturers of DiGA must provide the Federal Institute for Drugs and Medical Devices (BfArM) with proof of certification for

In addition, according to Section 139e SGB V, certificates are required for

  • data security in accordance with BSI specifications (since 1 January 2023) and
  • data protection (from 1 April 2023)

No final procedures have yet been specified for data security and data protection certification. We will provide further updates here.

Take advantage of joint certification by GUTcert and Berlin Cert: with a combined certification process, you save additional effort and are accompanied by your personal contact person throughout the entire process.

GUTcert was a competent, fair and reliable partner at all times during the certification of our ISMS according to ISO 27001 and accompanied us with valuable tips and recommendations on the way from the pre-audit through Stage 1 to the successful certification audit.

Mario Konietzny, Stadtwerke Lutherstadt Eisleben GmbH

[Translated with DeepL]

The audit process with GUTcert was very smooth, and the professionalism of the auditor was outstanding. Our auditor was very helpful with his insights and comments on our ISMS, and I would like to forward to you our management’s appreciation for his excellent work.

Peter Mansour, IDEALworks GmbH

[Translated with DeepL]

GUTcert guided us through the certification process in a swift and focussed manner. They always responded quickly and professionally to enquiries. As a result, our initial certification also ran smoothly.

Jan Hotzel, Vision2B GmbH

[Translated with DeepL]

The prerequisite for certification is an established management system in accordance with DIN EN ISO 13485 and DIN EN ISO/IEC 27001 which also complies with the additions in DIN EN ISO 27799. An internal audit and a management review must be available by the time of the Stage 2 audit at the latest. It is advisable to have already carried out an internal audit and a management review when submitting the application, so that the new system has undergone an internal review (possibly by an external auditor) before the application is submitted.

What is the process for DiGA certification?

The total duration of a certification process is at least six months from the submission of the application to the issuance of the certificate.

There is no separate certification for DIN EN ISO 27799; the specific requirements are also checked as part of ISO/IEC 27001.

General information about the GUTcert certification process can be found here.

Please do not hesitate to contact us for a non-binding quote or if you have any further questions about costs and expenses.
