Certifications

ISO/IEC 27001:2022

Doctena operates an ISO/IEC 27001:2022 certified Information Security Management System covering the Software Factory and supporting corporate functions. This page documents the scope, the Statement of Applicability and the audit cadence.

Owner: Information Security Office
Version: 1.4.0

At a glance

Standard: ISO/IEC 27001:2022
Certified entity: Doctena S.A., 42 Rue de la Vallée, L-2661 Luxembourg
Certified since: December 2022 (initially under ISO/IEC 27001:2013)
Current certificate: ISO/IEC 27001:2022, valid to 22 December 2028
Statement of Applicability: v1.0 (2022-edition control set), approved 28 August 2025
Audit cadence: annual, plus on material change

Scope of certification

The certified Information Security Management System (ISMS) covers two areas:

  • Software factory. Software development and cloud operations, together with product management and customer support for those products.
  • Corporate functions. Corporate management, information security, internal IT, sales, marketing, finance, human resources, legal, compliance and customer support.

The services within scope are the patient portal, Doctena Pro, the marketing website, the support system and CRM, and the protection of the personal health data they process. The in-scope services are hosted in Amazon Web Services EU regions. The scope boundary is documented in the Statement of Applicability v1.0, approved 28 August 2025.

Statement of Applicability

The current Statement of Applicability is v1.0 (2022-edition control set), approved on 28 August 2025 by the Information Security Office. It maps every Annex A control of ISO/IEC 27001:2022 (93 controls across the organisational, people, physical and technological themes) to a decision (Applicable / Not Applicable) with a justification, the controlling document, the responsible owner and the implementation status.

The SoA is reviewed at least annually and whenever a material change affects the scope. It rests on a documented set of internal security policies, each owned and approved by the Information Security Office and reviewed annually or on material change. We do not publish the SoA publicly: a public, control-by-control map of our security measures would weaken the very posture it documents. A redacted copy is available to customers under NDA (see below).

Internal and external audits

Doctena conducts an internal ISMS audit (ISO/IEC 27001 clause 9.2) at least annually, covering the mandatory requirements of the standard (clauses 4 to 10) and the controls selected in the SoA, and additionally when a material change to the ISMS or to the scope warrants it. The internal audit is outsourced to an external audit firm that is independent of the functions it audits and separate from our certification body, so that the same party never both audits and certifies the ISMS.

Non-conformities, observations and improvement opportunities are recorded in the corrective-action register, allocated owners, and tracked through to closure with evidence. The register is reviewed regularly by the Information Security Office.

External audits follow the cadence required by ISO/IEC 17021-1: a surveillance audit at least once per calendar year in the first and second year of each three-year certification cycle (the first one no later than 12 months after the certification decision), and a recertification audit before the certificate expires at the end of the cycle. The current certificate is issued against ISO/IEC 27001:2022 and remains subject to this audit cycle; a certificate that has not been maintained through surveillance can be suspended or withdrawn by the certification body before its printed expiry date.

Penetration testing

We commission external penetration tests of the production infrastructure and applications at least once a year, plus a focused test whenever a significant architectural change goes live. The tests are carried out by an independent external IT security firm; findings are remediated and re-tested to confirm closure.

A redacted executive summary of the most recent test is available to customers under NDA on request.

Continual improvement

ISO 27001 is a management system, not a checklist. The Information Security Office meets regularly to review:

  • Status of the risk register and treatment plans.
  • Status of the corrective-action register from audits and incidents.
  • Status of training and awareness initiatives.
  • Sub-processor reviews and new supplier risk assessments.
  • Security objectives and KPIs (vulnerability remediation SLA, MFA coverage, phishing simulation results).

Certificate and verification

The current certificate is freely available to download, with no request or NDA required. It states the certificate number, the certified entity (Doctena S.A., 42 Rue de la Vallée, L-2661 Luxembourg), the certified scope and the validity window (valid to 22 December 2028). It also names our certification body, MSECB.

Download the ISO/IEC 27001:2022 certificate (PDF)

Certification status can also be verified independently of Doctena:

  • Through IAF CertSearch (iafcertsearch.org), the global database of accredited management-system certifications, now operated under Global ACI.
  • Directly with our certification body, MSECB, which is required under ISO/IEC 17021-1 (clause 8.1.2) to confirm the status of a certification on request.

When verifying, compare the certificate number, the certified entity, the scope wording and the validity window on the PDF with the register entry: a certificate only attests to the scope printed on it, and the register, not the PDF, is authoritative for whether the certificate is currently valid, suspended or withdrawn.

Customers under NDA can additionally request:

  • The Statement of Applicability v1.0 (redacted for confidentiality).
  • The current Information Security Policy.
  • A summary of the latest penetration-test results.

For any of the documents above, email [email protected] with the organisation requesting access and we will respond within two business days.
