Independently audited information security for Irish care providers.
VCare is delivered within the ISO/IEC 27001:2022 certified information security management system (ISMS) of Concept Engineering, ensuring structured controls are in place to manage risk and safeguard sensitive clinical and operational data.
Why This Matters in Ireland
Residential care providers in Ireland manage highly sensitive personal and clinical information every day. With increasing regulatory expectations under GDPR and ongoing HIQA inspections, having strong information security practices is essential.
Working with VCare, an ISO 27001 certified organisation provides assurance that structured processes are in place to manage risk, protect data, and maintain consistent security practices across systems and services.
What is ISO 27001?
ISO 27001 is an internationally recognised standard for information security management. It sets out how organisations identify risks, implement controls, and maintain processes to protect sensitive information.
What ISO 27001 Means for Irish Care Providers
Working with an ISO 27001 certified organisation means your systems and services are supported by structured, independently validated security and risk management practices.
Working with an ISO 27001 Certified Organisation in Ireland
Working with an ISO 27001 certified organisation means your systems and services are supported by structured, independently validated security practices—helping protect sensitive data and reduce risk.
Continuous Improvement of Security Practices
ISO 27001 certification is not a one-time achievement. Our ISMS follows a continuous improvement approach, with regular reviews, audits, and risk assessments to ensure security practices remain effective and up to date.
Security and Compliance Resources
We provide access to supporting security and compliance information to assist with due diligence processes.
Available on request:
- ISO/IEC 27001 Certificate
- Information Security Policy (summary)
- Risk Management Approach
- Data Protection and Privacy Overview
- Security Questionnaire responses
All 93 ISO 27001:2022 Controls
All 93 ISO/IEC 27001:2022 Annex A controls are implemented and independently verified as part of our certified information security management system.
A.5 — Organizational Controls
Governance frameworks, policies, and information security management
1. Governance and Leadership:
- 5.1 Policies for information security
- 5.2 Information security roles and responsibilities
- 5.4 Management responsibilities
2. External Engagement & Intelligence:
- 5.5 Contact with authorities
- 5.6 Contact with groups
- 5.7 Threat intelligence
3. Security in Delivery & Operations:
- 5.3 Segregation of duties
- 5.8 Security in project management
4. Asset & Information Management:
- 5.9 Inventory of assets
- 5.10 Acceptable use
- 5.11 Return of assets
- 5.12 Classification
- 5.13 Labelling
- 5.14 Information transfer
5. Identity & Access Management:
- 5.15 Access control
- 5.16 Identity management
- 5.17 Authentication
- 5.18 Access rights
6. Supplier & Third-Party Security:
- 5.19 Information security in supplier relationships
- 5.20 Addressing information security within supplier agreements
- 5.21 Managing information security in the ICT supply chain
- 5.22 Monitoring, review and change management of supplier services
- 5.23 Information security for use of cloud services
7. Resilience & Business Continuity:
- 5.29 Information security during disruption
- 5.30 ICT readiness for business continuity
8. Asset & Information Management:
- 5.31 Legal, statutory, regulatory and contractual requirements
- 5.32 Intellectual property rights
- 5.33 Protection of records
- 5.34 Privacy and protection of personally identifiable information
9. Audit & Operational Discipline:
- 5.35 Independent review of information security
- 5.36 Compliance with policies, rules and standards for information security
- 5.37 Documented operating procedures
A.6 — People Controls
Human resource security, training, and personnel obligations
1. Hiring & Employment Foundations:
- 6.1 Screening
- 6.2Terms and conditions of employment
2. Security Awareness & Culture:
- 6.3 Information security awareness, education and training
3. Accountability & Behaviour:
- 6.4 Disciplinary process
- 6.8 Information security event reporting
4. Employment Lifecycle Security:
- 6.5 Responsibilities after termination or change of employment
- 6.6 Confidentiality or non-disclosure agreements
5. Remote & Flexible Working:
- 6.7 Remote working
A.7 — Physical Controls
Physical security, environmental protection, and secure facilities
1. Secure Facilities & Access:
- 7.1 Physical security perimeters
- 7.2 Physical entry
- 7.3 Securing offices, rooms and facilities
- 7.6 Working in secure areas
2. Monitoring & Environmental Protection:
- 7.4 Physical security monitoring
- 7.5 Protecting against physical and environmental threats
3. Workspace Security Practices:
- 7.7 Clear desk and clear screen
4. Equipment & Asset Protection:
- 7.8 Equipment siting and protection
- 7.9 Security of assets off-premises
- 7.10 Storage media
5. Infrastructure & Utilities:
- 7.11 Supporting utilities
- 7.12 Cabling security
6. Lifecycle Management of Equipment:
- 7.13 Equipment maintenance
- 7.14 Secure disposal or re-use of equipment
A.8 — Technological Controls
Technical security measures, secure development, and infrastructure protection
1. Endpoint & Access Security:
- 8.1 User endpoint devices
- 8.2 Privileged access rights
- 8.3 Information access restriction
- 8.4 Access to source code
- 8.5 Secure authentication
2. System Protection & Hardening:
- 8.6 Capacity management
- 8.7 Protection against malware
- 8.8 Management of technical vulnerabilities
- 8.9 Configuration management
3. Data Protection & Handling:
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.13 Information backup
4. Resilience & Availability:
- 8.14 Redundancy of information processing facilities
5. Logging, Monitoring & Control:
- 8.15 Logging
- 8.16 Monitoring activities
- 8.17 Clock synchronisation
6. System Operations & Controls:
- 8.18 Use of privileged utility programs
- 8.19 Installation of software on operational systems
7. Network Security:
- 8.20 Networks security
- 8.21 Security of network services
- 8.22 Segregation of networks
- 8.23 Web filtering
8. Cryptography & Encryption:
- 8.24 Use of cryptography
9. Secure Development Practices:
- 8.25 Secure development life cycle
- 8.26 Application security requirements
- 8.27 Secure system architecture and engineering principles
- 8.28 Secure coding
- 8.29 Security testing in development and acceptance
- 8.30 Outsourced development – Not Applicable
10. Environment & Change Control:
- 8.31 Separation of development, test and production environments
- 8.32 Change management
- 8.33 Test information
11. Audit Protection:
- 8.34 Protection of information systems during audit testing
Request Compliance Documents
Our compliance documentation is available to customers, prospective customers, and partners upon request. All documents are kept up to date, reflecting our current ISO 27001:2022 certification status.
Information Security Policy
Our master ISMS policy — the top-level commitment to information security management
Business Continuity Plan
Our ICT and business continuity strategy, covering recovery time objectives and resilience measures.
Privacy Policy
How we collect, handle, store, and protect personally identifiable information under applicable privacy law.