HDS vs ISO 27001: health-data-hosting certification built on top of an ISMS
HDS is not an alternative to ISO 27001: it requires a certified ISO 27001 ISMS on the same scope and adds health-data-hosting requirements on top of it.
Relationship, scope and applicability
| Feature | HDS | ISO 27001 |
|---|---|---|
| Type | French health-data-hosting certification | General information security management system |
| Dependency | Requires ISO 27001 certification as a prerequisite | Standalone — no HDS dependency |
| Scope added | Health-data hosting, EEA residency, patient-data controls | Generic risk-based ISMS scope |
| Applies to | Third parties hosting/processing French health data | Any organisation, any data type |
| Geography | France-specific health data regime | Internationally recognised |
| Substitution | Does not replace ISO 27001 — extends it | Does not by itself satisfy HDS for health hosting |
| Certifying body | Accredited body assessing HDS-specific requirements | Accredited body assessing the ISO 27001 ISMS |
Health data hosting: HDS sits on top of ISO 27001
There is no either/or here. HDS certification has ISO 27001 as a formal prerequisite, so any organisation pursuing HDS must hold, or obtain in the same audit cycle, an ISO 27001 certificate whose scope covers the hosting activities being certified. HDS then adds requirements specific to hosting personal health data on behalf of French healthcare organisations: confidentiality and access controls on health data, data sovereignty and hosting within the EEA (a requirement of the revised HDS referential that came into force in 2024), and audit evidence tailored to patient data. ISO 27001 alone does not make you HDS-certified, and HDS does not replace ISO 27001; it extends it for a specific regulated activity. The right framing for a roadmap is sequential: build the ISO 27001 foundation first, confirm certification, then layer the HDS-specific scope on top. One practical check: an HDS certificate lists the hosting activities it covers (physical sites, physical or virtual infrastructure, application platform, administration, backup), so when assessing a provider, read the scope on the certificate rather than stopping at its existence. HDS applies to third-party hosts and processors of French health data; healthcare establishments hosting their own data for their own activities are generally exempt.
Sequencing HDS on ISO 27001
- Achieve or run ISO 27001 certification first — it is a hard prerequisite
- Add the HDS health-data confidentiality and access-control requirements on top of the ISMS controls
- Confirm EEA data residency and sovereignty for hosted health data
- Prepare HDS-specific audit evidence on top of the existing ISMS
Frequently Asked Questions
Can I get HDS without ISO 27001?
No. HDS certification requires ISO 27001 certification as a prerequisite. The ISO 27001 certificate can be issued in the same audit cycle as the HDS assessment, but an HDS certificate cannot be granted without a certified ISO 27001 ISMS covering the hosting scope.
Does ISO 27001 make me HDS certified?
No. ISO 27001 is the required foundation, but HDS adds health-data-hosting-specific requirements — patient-data controls, EEA residency, and sovereignty — that must be assessed separately on top of the ISMS.
Who needs HDS certification?
Any third-party provider hosting or processing personal health data for French healthcare organisations — cloud providers, SaaS vendors, and IT service companies. Healthcare establishments managing their own systems are generally exempt.