ISO 27001 & HDS: How ClinSearch Set the Standard for CRO Data Hosting in France

At ClinSearchsafeguarding clinical data and upholding the highest standards of regulatory compliance are fundamental to our operations. As an ISO 27001 et Health Data Host (HDS) certified organisation,  our activities are structured in accordance with internationally recognised standards for information security and health data protection. These certifications formalise robust data governance practices, reinforce secure digital environments for clinical data collection and management, and ensure alignment with evolving regulatory standards.

In this blog post, we explain why these certifications are essential, how we have anticipated regulatory changes, and the benefits they bring to our customers.

The insights that follow are drawn from an interview with Samia ABBOUTE, our Quality System Manager, conducted by LNE, our partner for ISO 27001 and HDS certifications.

ISO 27001 & HDS: a strong commitment to compliance and data protection

In 2022, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés CNIL) issued two sets of guidelines* regulating early access and compassionate use procedures (Accès précoce/Accès compassionnel – AP/AC). This marked a major step in reforming exceptional access to medicines, which had previously relied on temporary use authorizations (ATU) and temporary use recommendations (RTU). The guidelines aim to simplify and harmonize procedures, accelerate patient access to treatments, and ensure the financial sustainability of the system.

In this context, the French National Authority for Health (Haute Autorité de SantéHAS) authorizes the implementation of an AP/AC and requires laboratories to collect data and submit regular reports to continuously monitor the efficacy of treatments. To carry out this data collection, laboratories may call on CROs, and ClinSearch is frequently called upon to assist with these processes.

The CNIL simultaneously published two security standards to regulate this process of collection of health data, which is now no longer considered research but part of healthcare. As a result, CROs must work with HDS-certified hosting to comply with these standards. Following a legal analysis of the regulatory framework, we identified the need to obtain HDS certification ourselves—at a minimum for the 5th activity, as defined in Article R.1111-9 of the French Public Health Code—to ensure full compliance, and anticipated that laboratories using our services would eventually require it.

We therefore made the strategic decision to proactively obtain HDS certification, for which ISO 27001 is a prerequisite. Beyond meeting the minimum regulatory requirement, this certification now covers the full scope of HDS activities (1 to 6), reflecting our commitment to a higher level of security and accountability. Today, information management within our data collection platform and all associated analyses are conducted in an HDS-certified environment, guaranteeing security, compliance, and reliability for our clients and for patients whose data we process.

*References: Resolution No. 2022-107 and Resolution No. 2022-106.

Certifications that enhance the reliability of our services

Obtaining ISO 27001 et HDS certifications was a crucial step in strengthening our security practices. While awareness of digital risks was already part of our internal culture, these initiatives have enabled us to further structure our processes and consolidate all of our systems.

Before certification, our Chief Information Security Officer had implemented several technical measures, supplemented by regular awareness campaigns among our teams. The certifications have brought additional benefits, including:

• a deeper understanding and assessment of risks,

• a more rigorous organization of actions to reduce or eliminate identified risks,

• systematic and planned monitoring, promoting continuous improvement in the effectiveness of the measures put in place.

Beyond the technical aspects, these certifications strengthen our customers’ confidence. A survey conducted in 2023 reveals that 77% of them consider ISO 27001 certification to be a decisive asset. They also highlight the significant, and often critical importance of partnering with a certified CRO, thus confirming the soundness of our strategy.

Finally, these certifications give us a major competitive advantage. They facilitate compliance with qualification questionnaire requirements and open the door to new business opportunities.

Learn more by reading the full interview from LNE with Samia ABBOUTE our Quality System Manager: Clinsearch testimonial

Or you can also watch this interview with Mariano GENERA, our Business Developer and Marketing Manager, where he talks about our certifications and all their advantages: ClinSearch – ISO 27001 certifications and Health Data Hosting Providers

Faster CE Marking & MDR Compliance: ClinSearch Launches Medical Device Certification Support

We are joining forces with Qualicom to enhance our offering for Medical Device Developers looking for certification.

The Evolving Challenges of Medical Device Certification 

Bringing a medical device to market has never been more complex. Under MDR or UKCA, the path to certification is long, technical, and filled with regulatory pitfalls. Companies face increasingly rigorous expectations from notified bodies, complex documentation requirements, and heightened scrutiny on clinical evidence et risk management. This is why ClinSearch is raising the bar with a smarter approach to certification

A New Way Forward: Introducing MedTech Certification Support

We are proud to announce the launch of MedTech certification support, a new regulatory service line dedicated to helping développeurs de dispositifs médicaux navigate the path to certification. Fueled by the alliance between ClinSearch’s extensive clinique et scientifique expertise with the la connaissance réglementaire approfondie de Qualicom (Led by David Francis, former Head of approved body), we offer our clients smarter, faster, and more reliable access to marketplus rapide, plus pertinent et plus sécurisé, fondé sur une expertise terrain et hands-on regulatory insight

MedTech Certification is designed to provide soutien de bout en bout to medical technology innovators through every step of certification, effectively réduire les risques the route to market. Whether you are a startup preparing your first submission or an established manufacturer addressing feedback from regulators, we propose targetedstrategic support, tailored to your needs and challenges. 

What We Offer

Nos flexible offering is adapted to each project’s stage and scale, and includes: 

  • Un accompagnement complet – expertise réglementaire, clinique, méthodologique et scientifique 
  • Une documentation accélérée – préparation optimisée des dossiers techniques et cliniques 
  • Stronger Notified Body alignment – positionnement et communication optimisés 
  • Une stratégie claire – prise de décision guidée dans un environnement réglementaire en constante évolution 

Your Trusted Partner in Medical Device Certification

ClinSearch continues to stand beside MedTech innovators, turning complexity into clarity, and challenges into progress. 

Ready to move forward? Contactez-nous or visit the MedTech certification support site to learn how we can help. 

About David Francis, Director of Qualicom

David Francis is a Chartered Engineer and European Engineer with over 25 years of experience in regulatory affairs, engineering, and certification. He has held senior positions at multiple notified bodies and regulatory consultancies, including: LNE-GMED UK (Head of approved body), Scarlet (Certification Lead), ICON plc / MedPass International (Director of Regulatory Affairs), TÜV SÜDLloyd’s Register, and BSI Group.  

After stepping down from his position as Head of LNE-GMED UK, David founded Qualicom, with the mission of supporting innovation et improving regulatory outcomes for medical device and digital health developers.

From the Inside: A Conversation with David Francis

We sat down with David to better go through the challenges and opportunities facing MedTech innovators today.  

Q: David, the regulatory landscape for medical devices has changed dramatically in recent years. What are the biggest challenges you see today under MDR or UKCA? 

A: The biggest challenges include limited Notified Bodies causing certification delays, complex documentation requirements, and ongoing regulatory uncertainty, even with extended MDR deadlines. In the UK, manufacturers must prepare for a new conformity assessment process once CE marking recognition ends. The MHRA’s ongoing regulatory revisions add another layer of complexity. Overall, navigating evolving regulations while maintaining market access remains tough for many developers.

Q: Are we past the initial bottlenecks caused by MDR implementation, or do major hurdles remain? 

A: While more Notified Bodies are now designated and many manufacturers have transitioned, bottlenecks remain, especially for SMEs and complex devices. Wait times for audits can still be 12–18 months, and many legacy devices risk losing market access if deadlines are missed. High compliance costs and resource demands continue to challenge manufacturers.

Q: What are the most common pitfalls manufacturers face when approaching certification? 

A: Common pitfalls include underestimating MDR complexity, misclassifying devices, weak clinical evidence, late engagement with Notified Bodies, incomplete or inconsistent technical documentation, and poor post-market planning. Many also struggle with UDI implementation, labeling compliance, and internal resource constraints. Overall, lacking dedicated regulatory expertise often leads to gaps in compliance planning.

Q: How can this partnership between ClinSearch and Qualicom help MedTech developers navigate these complexities more effectively? 

A: Our MedTech Certification Support combines deep regulatory expertise from Qualicom with ClinSearch’s clinical and scientific know-how to add value across your entire product life cycle. From strategic regulatory planning and technical documentation support, to generating robust clinical evidence and post-market surveillance. We help prepare manufacturers for Notified Body engagement and audits, optimize quality management systems, and ensure smoother market access, saving time, costs, and reducing risks.

Q: You’ve worked inside some of the top Notified Bodies. How does that shape your strategic approach? 

A: Having worked for a number of major Notified Bodies, I have a strong operational knowledge and understanding of reviewers’ expectations. This insight helps us build robust submissions, anticipate audit triggers, and provide our clients with strategic guidance to reduce surprises and speed up certification.

Q: Any final thoughts for MedTech innovators planning their next move? 

A: Start early and be strategic. Align your product, evidence, and documentation with regulatory expectations from day one. Clear, compliant submissions speed reviews and reduce delays. A specialised medical device consultancy can be a critical partner for developers. Partner with experts, especially those who have sat on the other side of the table and know the regulatory system inside out. That knowledge is your competitive advantage.