VCare International Ltd is ISO/IEC 27001:2022 certified under the central management system of Concept Engineering Ltd.
VCare delivers aged care software operating within the ISO/IEC 27001:2022 certified Information Security Management System (ISMS) of Concept Engineering. As a result, all 93 Annex A controls are implemented and maintained, helping protect the health data of residents, patients, and care providers across every platform we operate.
Certification applies to the Information Security Management System (ISMS) of Concept Engineering.
Our Commitment to Information Security
VCare holds information security to the highest standard because the people who use our platform trust us with their most sensitive data. For this reason, security is built into everything we do.
What is ISO 27001?
ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS), setting out how organisations should design and maintain effective security practices. It provides a structured framework of policies, procedures, and controls to help manage information security risks.
In addition, certification requires an independent third-party audit, followed by ongoing reviews to maintain compliance. As a result, it cannot be self-declared and must be continuously validated over time.
What ISO 27001 Means for VCare Customers
Healthcare data is among the most sensitive types of personal information. For this reason, our ISO 27001 certified processes provide assurance that the right controls, governance, and processes are in place to protect resident records, clinical data, and business information.
In addition, you can request our compliance documentation, including our Information Security Policy and Risk Assessment at any time.
Independent third-party audit
Our ISO 27001 certification is issued by an accredited certification body and verified through annual surveillance audits, along with a full recertification every three years.
As a result, our aged care software continues to meet evolving security requirements as our technology and the threat landscape change.
Continuous improvement
ISO 27001 certification is not a one-time achievement. Instead, our ISMS follows a continuous improvement approach that includes regular risk assessments, management reviews, and internal audits.
This ensures that any issues are addressed promptly and that improvements are consistently implemented. Ultimately, security is embedded in everything we build and every process behind our aged care software.
All 93 ISO 27001:2022 Controls
Every control in Annex A of ISO/IEC 27001:2022 has been implemented and independently verified. All controls apply to Concept Engineering’s information security management system.
A.5 — Organizational Controls
Governance frameworks, policies, and information security management
1. Governance and Leadership:
- 5.1 Policies for information security
- 5.2 Information security roles and responsibilities
- 5.4 Management responsibilities
2. External Engagement & Intelligence:
- 5.5 Contact with authorities
- 5.6 Contact with groups
- 5.7 Threat intelligence
3. Security in Delivery & Operations:
- 5.3 Segregation of duties
- 5.8 Security in project management
4. Asset & Information Management:
- 5.9 Inventory of assets
- 5.10 Acceptable use
- 5.11 Return of assets
- 5.12 Classification
- 5.13 Labelling
- 5.14 Information transfer
5. Identity & Access Management:
- 5.15 Access control
- 5.16 Identity management
- 5.17 Authentication
- 5.18 Access rights
6. Supplier & Third-Party Security:
- 5.19 Information security in supplier relationships
- 5.20 Addressing information security within supplier agreements
- 5.21 Managing information security in the ICT supply chain
- 5.22 Monitoring, review and change management of supplier services
- 5.23 Information security for use of cloud services
7. Resilience & Business Continuity:
- 5.29 Information security during disruption
- 5.30 ICT readiness for business continuity
8. Asset & Information Management:
- 5.31 Legal, statutory, regulatory and contractual requirements
- 5.32 Intellectual property rights
- 5.33 Protection of records
- 5.34 Privacy and protection of personally identifiable information
9. Audit & Operational Discipline:
- 5.35 Independent review of information security
- 5.36 Compliance with policies, rules and standards for information security
- 5.37 Documented operating procedures
A.6 — People Controls
Human resource security, training, and personnel obligations
1. Hiring & Employment Foundations:
- 6.1 Screening
- 6.2Terms and conditions of employment
2. Security Awareness & Culture:
- 6.3 Information security awareness, education and training
3. Accountability & Behaviour:
- 6.4 Disciplinary process
- 6.8 Information security event reporting
4. Employment Lifecycle Security:
- 6.5 Responsibilities after termination or change of employment
- 6.6 Confidentiality or non-disclosure agreements
5. Remote & Flexible Working:
- 6.7 Remote working
A.7 — Physical Controls
Physical security, environmental protection, and secure facilities
1. Secure Facilities & Access:
- 7.1 Physical security perimeters
- 7.2 Physical entry
- 7.3 Securing offices, rooms and facilities
- 7.6 Working in secure areas
2. Monitoring & Environmental Protection:
- 7.4 Physical security monitoring
- 7.5 Protecting against physical and environmental threats
3. Workspace Security Practices:
- 7.7 Clear desk and clear screen
4. Equipment & Asset Protection:
- 7.8 Equipment siting and protection
- 7.9 Security of assets off-premises
- 7.10 Storage media
5. Infrastructure & Utilities:
- 7.11 Supporting utilities
- 7.12 Cabling security
6. Lifecycle Management of Equipment:
- 7.13 Equipment maintenance
- 7.14 Secure disposal or re-use of equipment
A.8 — Technological Controls
Technical security measures, secure development, and infrastructure protection
1. Endpoint & Access Security:
- 8.1 User endpoint devices
- 8.2 Privileged access rights
- 8.3 Information access restriction
- 8.4 Access to source code
- 8.5 Secure authentication
2. System Protection & Hardening:
- 8.6 Capacity management
- 8.7 Protection against malware
- 8.8 Management of technical vulnerabilities
- 8.9 Configuration management
3. Data Protection & Handling:
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.13 Information backup
4. Resilience & Availability:
- 8.14 Redundancy of information processing facilities
5. Logging, Monitoring & Control:
- 8.15 Logging
- 8.16 Monitoring activities
- 8.17 Clock synchronisation
6. System Operations & Controls:
- 8.18 Use of privileged utility programs
- 8.19 Installation of software on operational systems
7. Network Security:
- 8.20 Networks security
- 8.21 Security of network services
- 8.22 Segregation of networks
- 8.23 Web filtering
8. Cryptography & Encryption:
- 8.24 Use of cryptography
9. Secure Development Practices:
- 8.25 Secure development life cycle
- 8.26 Application security requirements
- 8.27 Secure system architecture and engineering principles
- 8.28 Secure coding
- 8.29 Security testing in development and acceptance
- 8.30 Outsourced development – Not Applicable
10. Environment & Change Control:
- 8.31 Separation of development, test and production environments
- 8.32 Change management
- 8.33 Test information
11. Audit Protection:
- 8.34 Protection of information systems during audit testing
Request Compliance Documents
Our compliance documentation is available to customers, prospective customers, and partners upon request. All documents are kept up to date, reflecting our current ISO 27001:2022 certification status.
Information Security Policy
Our master ISMS policy — the top-level commitment to information security management
Business Continuity Plan
Our ICT and business continuity strategy, covering recovery time objectives and resilience measures.
Privacy Policy
How we collect, handle, store, and protect personally identifiable information under applicable privacy law.