Cybersecurity Renewal in a Healthcare-Adjacent SME through ISO 27001-Aligned Practices
Runola, Aleksi (2025-06-18)
This publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
Closed
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2025062473323
Abstract
This thesis investigates the cybersecurity renewal of a Finnish SME subcontractor providing digital room reservation systems for use in healthcare facilities. Despite not processing patient data directly, the company’s systems operated in regulated environments, prompting heightened expectations from clients and regulators alike. Motivated by both internal assessments and external requirements, particularly the demand to align eventually with ISO/IEC 27001, the company undertook a comprehensive renewal process of its infrastructure and security. Through qualitative case study methodology, the thesis investigates and demonstrates the integration of international standards, national tools, and regulatory requirements into development workflows, infrastructure management, and organizational policy. It evaluates the outcomes of the renewal with a focus on technical controls, risk reduction, and alignment with maturity frameworks, while also addressing challenges such as resource constraints and the absence of dedicated security personnel. The findings contribute a transferable model for other SMEs navigating compliance and cybersecurity demands in regulated environments.