Genomate’s Journey to ISO 27001, ISO 13485, and GDPR Compliance

In digital health and precision oncology, trust is everything. Patients, clinicians, collaborators, and investors all want to know that sensitive data is handled with the highest standards of security and that products are developed under rigorous quality systems. For Genomate Health, achieving certification in ISO/IEC 27001:2022 (information security) and ISO 13485:2016 (medical device quality management), alongside strengthening GDPR compliance, marked a pivotal step in transitioning from research to market readiness.

This is the story of how Genomate, supported by MedQAIR and ReadyTech Consulting, integrated security, quality, and privacy into a unified management system, while navigating multiple audits in record time.

Why Certification Mattered

When MedQAIR and ReadyTech first met with Genomate’s founders, Ioana S. (Chief Administrative Officer & General Counsel) and Istvan Petak MD, PhD, an oncologist and then CEO, their vision was clear: bring Genomate’s precision oncology platform to market in both the U.S. (via FDA) and Europe (via IVDR).

That path required a certified Quality Management System (ISO 13485), but also demanded evidence of strong information security practices (ISO 27001) and data protection (GDPR). Collaborators had already made it clear that ISO 27001 certification was a requirement to handle genomic reports and other sensitive data.

For Istvan, the motivation was always grounded in patient trust: “Putting patients first means not just creating innovative oncology solutions, but also proving that we can protect their data and deliver products with the highest integrity.”

The Challenge: Parallel Standards, Compressed Timelines

Genomate started with a solid foundation in GDPR compliance, thanks to ReadyTech’s earlier work. But ISO 27001 and ISO 13485 were greenfield.

Three challenges stood out:

1. Cultural shift – Creating records and documentation as evidence was new for the team and required a mindset change.

2. Technical lift – ISO 27001 demanded broad security controls, from access management to supplier risk, requiring deep involvement from engineering and IT.

3. Resource pressure – The team faced not one but two certification tracks, with internal audits and Stage 1 + Stage 2 audits for both ISO 27001 and ISO 13485 within just over a year.

The ISO 13485 timeline was particularly tight: after Stage 1, the auditors expected a nearly complete Medical Device File before Stage 2. With Stage 2 of ISO 27001 scheduled in between, this meant that the technical documentation for the device had to be drafted in record time.

The Collaboration: One Team, Many Strengths

To tackle this, Genomate partnered with MedQAIR and ReadyTech Consulting in a joint effort. Rather than treating quality, security, and privacy as silos, the decision was made to build a single integrated management system.

  • MedQAIR brought deep expertise in management systems and medical device regulations. Ivo Flipse provided frameworks, templates, and years of experience guiding companies through audits.
  • ReadyTech Consulting, represented by Iulia Gîţ and Ioana S., ensured GDPR obligations were embedded throughout and contributed to drafting and refining procedures.
  • Genomate’s leadership and SMEs provided crucial ownership and insight:
    1. CTO, Peter Filotas – guided technical decisions for ISO 27001 controls.
    2. Head of Product, Dóra Tihanyi – led documentation of product and data handling for ISO 13485.
    3. Ioana Stupariu – ensured cross-functional governance, HR, and legal integration.

Day-to-day, the collaboration was anchored in weekly syncs, task tracking in Jira, and regular Information Security Board meetings (a practice that continues today). Three rounds of internal audits (ISO 27001, ISO 13485, IVDR/FDA readiness) prepared the team for external reviews.

Most importantly, when deadlines grew tight, the entire Genomate team rallied. With MedQAIR providing templates and guidance, the team produced the bulk of the Medical Device File in just one month, fully traceable in Matrix Requirements, their chosen eQMS platform.

The Outcome: Certification Achieved

The results speak for themselves:

  • ISO 27001:2022 – Stage 1 in February 2025 revealed scope disagreements, but the team quickly adapted, and Stage 2 in April closed with zero nonconformities.
  • ISO 13485:2016 – Stage 1 in March highlighted the need for more advanced technical documentation. By June, the team had produced a nearly complete Medical Device File and passed Stage 2 with only three minor nonconformities.
  • GDPR – Privacy compliance was reinforced throughout, ensuring patient data handling was aligned with EU Regulation 2016/679.


All audits were conducted by BSI, one of the most respected certification bodies, adding weight to the achievement.

In just over a year from kickoff, Genomate had secured certifications in both information security and medical device quality management, while embedding privacy compliance into its processes.

Lessons for Other MedTech Innovators

Genomate’s journey highlights several important lessons for other startups and SMEs in digital health:

  1. Integrate, don’t silo – ISO 27001 and ISO 13485 share many common elements (document control, internal audits, CAPA, supplier management, management review). Building one integrated system saves time and effort.
  2. Start documentation early – Don’t wait until audit season to build your Medical Device File. It takes time to document years of R&D work in a traceable way.
  3. Be realistic with audits – Aggressive plans often backfire. Genomate succeeded by adjusting to achievable timelines and tackling each audit with confidence.
  4. Engage the team – Compliance is not a one-person show. Genomate’s biggest strength was the company-wide commitment to getting it done.

Looking Ahead

For Genomate, these certifications are more than certificates on the wall. They are the foundation for transitioning from R&D into regulated markets, demonstrating to investors and partners that the company can meet demanding global standards.

For patients, it is reassurance that their data—and their health—are protected with the highest levels of security, quality, and accountability.

For MedQAIR and ReadyTech, it is proof that collaboration works: when regulatory, security, and privacy expertise come together, even ambitious certification goals can be achieved in record time.

With ISO 27001 and ISO 13485 certifications in place, and GDPR compliance embedded, Genomate is now well-positioned to bring its precision oncology solutions to patients in Europe and beyond.
