
Information Security Guiding Principle

1. Purpose

Telepaxx Medical Data GmbH is dedicated to safeguarding the information assets of both its customers and its organization. Telepaxx addresses the challenges of data protection by establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). This system is designed to ensure the highest standards of confidentiality, availability, integrity, and authenticity. Aligned with ISO/IEC 27001:2022 and BSI C5:2020 (Cloud Computing Compliance Controls Catalogue), the commitment expressed in this Guiding Principle emphasizes the importance Telepaxx places on securing its customers' valuable data and maintaining their trust.

This document describes the principles, policies and processes that form the foundation of the ISMS, guiding the efforts to protect the information assets of Telepaxx's customers and of the organization itself.

2. Scope

The information security management system comprises all activities of Telepaxx Medical Data GmbH. A key focus of the ISMS is the secure delivery of the customer services

  • e-pacs (with C3 Storage Center), and
  • TMD Cloud Archive (including the View module)

as described in the corresponding system descriptions, together with all information, systems, networks, services, organizational units, locations and procedures that are needed for the operation and development of those services.

Regulations of this guiding principle are obligatory for all employees, contractors, and third parties who interact with the scope of the ISMS.

Applicable clauses of ISO/IEC 27001:2022 Annex A and of BSI C5:2020 are documented in the Statement of Applicability.

3. Statement of Commitment and Security Objectives

In an era of changing technology and new, sophisticated ways in which systems are compromised, information security has become a critical success factor for any IT business. This holds especially true for Telepaxx, as a company that processes sensitive medical data on behalf of its customers.

Telepaxx’s business objective is to become the leading partner for hospitals and private practices for digital image data management. The company aims to support its customers in establishing data-based technologies and services relating to medical image data.

For the given scope, Telepaxx is establishing, implementing, maintaining and continually improving an ISMS, including the processes needed and their interactions, in accordance with ISO/IEC 27001:2022 and BSI C5:2020.

The Top Management provides adequate resources and expertise to ensure that the ISMS is continuously improving to meet the information security requirements of the customers and of the fast-paced company.

Telepaxx is committed to remaining compliant with newly identified, applicable, and reasonable security requirements as recommended by customers, employees, and other stakeholders.

Telepaxx is aware of the highly sensitive information assets, mostly medical data, that are processed on behalf of its customers. The protection of these information assets, especially the protection of the confidentiality and integrity of the data, is crucial not only for the customers of Telepaxx, but also for Telepaxx itself.

As part of our commitment to maintaining the highest standards of information security, Telepaxx is dedicated to the following information security objectives:

  1. Protecting Information Assets:

    • Confidentiality: Ensuring that sensitive information is accessible only to those authorized to have access.

    • Integrity: Safeguarding the accuracy and completeness of information and processing methods.

    • Availability: Ensuring that authorized users have access to information and associated assets when required.

    • Authenticity: Ensuring that information is genuine and from a trusted source.

  2. Compliance: Adhering to relevant laws, regulations, and contractual obligations, including ISO/IEC 27001:2022 and BSI C5 requirements.

  3. Risk Management: Identifying, assessing, and managing information security risks systematically and proactively.

  4. Continual Improvement: Regularly reviewing and improving our information security practices to address emerging threats and vulnerabilities.

4. Roles and Responsibilities

Telepaxx implemented the following roles and responsibilities in the context of its ISMS.

4.1 Top Management

  • Approves and supports the ISMS.
  • Provides the necessary resources for the effective establishment, implementation, maintenance and continual improvement of the ISMS.
  • Ensures that information security objectives align with the strategic goals of Telepaxx.
  • Appoints the Chief Information Security Officer (CISO) and the Data Privacy Protection Officer (DPO) through formal letters of appointment, granting them the necessary authority to fulfill their respective responsibilities.

4.2 Chief Information Security Officer (CISO)

The CISO

  • Leads the establishment, implementation, maintenance and continual improvement of the ISMS, ensuring its alignment with ISO/IEC 27001:2022, BSI C5:2020, and other relevant legal requirements.
  • Monitors the ISMS’s performance and provides quarterly reports to the Top Management.

4.3 Data Privacy Protection Officer (DPO)

The DPO

  • Ensures that the organization's ISMS complies with applicable data privacy protection laws, such as the GDPR, and checks the alignment of corresponding requirements with the ISO/IEC 27001:2022 standard.
  • Conducts and oversees Data Privacy Protection Impact Assessments to evaluate the privacy risks associated with processing personal data. Provides recommendations to mitigate identified risks and ensures that appropriate safeguards are implemented.
  • Develops, implements, maintains and continually improves comprehensive data privacy policies and processes. Ensures that these policies and processes align with the ISO/IEC 27001:2022 standard and BSI C5 requirements and that they are effectively communicated and enforced across the organization.
  • Is responsible for raising awareness and oversees the training on data privacy protection within the organization, ensuring that employees understand their responsibilities under both data privacy protection laws and the ISMS.

4.4 Employees, Contractors and Third Parties

  • Adhere to the information security policies and procedures.
  • Report any discovered information security event or vulnerability promptly.
  • Participate in information security training and awareness programs depending on their role and tasks.

5. Essential Policies, Process Descriptions, and Compliance

To support the ISMS, the Top Management has established the following essential policies and process descriptions. The CISO is authorized to introduce additional policies and processes as needed for the ISMS.

  1. Information Security Guiding Principle: Outlines the overall approach and commitment to information security.

  2. Information Security Manual: Contains details regarding the structure and organization of the ISMS as well as the detailed information security strategy. The manual provides comprehensive guidance for Telepaxx employees on the implementation, management, review and continual improvement of the ISMS, including further details on roles and responsibilities, processes, and procedures.

  3. Risk Management Process: Describes the process for identifying, assessing, and treating information security risks.

  4. Business Continuity Management Policy: Ensures the continuation of critical business processes in the event of a disruption.

The Data Privacy Protection Policy, ensuring compliance with data protection laws and regulations such as GDPR, is the responsibility of the Data Privacy Protection Officer (DPO).

All employees, contractors, and third parties who interact with the scope of the ISMS must adhere to the policies, process descriptions and the Guiding Principle of the ISMS.

Non-compliance with the policies, process descriptions and the Guiding Principle of the ISMS will be addressed through the established disciplinary process in the case of employees, and through contractual enforcement measures and potential termination of agreements in the case of contractors or third parties, to ensure that information security is maintained at all times.

Newly introduced or changed policies and processes shall consider interoperability with existing Telepaxx policies and processes.

6. ISMS Structure and Strategy

The integrated information security strategy at Telepaxx is designed to comprehensively safeguard both customer and organizational data. This strategy incorporates risk-based assessments, multi-layered defense mechanisms, robust disaster recovery plans, regular security audits, and strict compliance with legal and regulatory standards such as ISO/IEC 27001:2022 and BSI C5:2020. These efforts are structured within an ISMS that follows the Plan-Do-Check-Act (PDCA) cycle. In the Plan phase, Telepaxx identifies risks, sets security objectives, and develops mitigation plans. The Do phase focuses on implementing these plans through dedicated resources and integrating them into daily operations. During the Check phase, Telepaxx regularly evaluates the effectiveness of the ISMS through audits and reviews, and in the Act phase, the continuous improvement is driven by addressing non-conformities and updating existing processes. This integrated, dynamic approach ensures the highest level of data confidentiality, availability, integrity, and authenticity, reinforcing the trust of customers and partners.

Details regarding the structure and organization of the ISMS, as well as the detailed information security strategy, are documented in the Information Security Manual, which is for internal use only.

7. Implementation, Review and Communication

The ISMS will be implemented in accordance with the ISO/IEC 27001:2022 and BSI C5 standards, following a structured and systematic approach. The effectiveness of the ISMS will be regularly reviewed through internal audits, management reviews, and continuous monitoring.

The Top Management will review the Information Security Guiding Principle annually and update it as necessary to ensure its continued relevance and effectiveness in achieving the information security objectives.

This Guiding Principle is communicated to internal and external employees by publishing it on the Telepaxx intranet and through acknowledgement during the onboarding process. In addition, it is communicated to customers as part of the system description and is made available to interested parties where needed and appropriate. Changes to the Guiding Principle will be communicated accordingly.

8. Approval

This Information Security Management System Guiding Principle is approved by the Top Management of Telepaxx Medical Data GmbH.

Revision 4.0