_chris

Advice for data security

Hi all,

I’ve been asked to develop a project which stores sensitive data and complies with the same security practices as the NHS (I’m in the UK). Can anyone who has experience with this offer advice?

I don’t know whether I myself (a freelancer) need to be ISO 27001 accredited or just my hosting provider?

I usually use Forge and DigitalOcean to manage/host my servers, but I can’t find much info about ISO 27001 from DO. Would managed hosting from someone like Rackspace be simpler for me to meet the standards?

Is there anything outside of the usual Laravel authorisation and authentication practices that I need to do in order to comply? Encrypting the database etc.?

Thanks!

devingray_

Digital Ocean has ISO/IEC 27001:2013.

You are able to read more here https://www.digitalocean.com/legal/certifications/

You will need to check this with UK laws I guess. But I highly doubt NHS uses Digital Ocean.

You would probably be better off with a Managed Hosting that your client can set up and provide you access to. This way you (a freelancer) will be cleared if something went wrong (e.g. servers hacked) and you will be able to just focus on the code side of things.

As for everything else, you could do encryption pretty easily with newer versions of Laravel.
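For readers wondering what "encryption with newer versions of Laravel" looks like in practice, here is an added example (it is not code from this thread or from the Laravel project). It assumes Laravel 8.x or later and a hypothetical `patients` table with `name`, `nhs_number` and `notes` columns; the `encrypted` Eloquent cast and the `Crypt` facade are real Laravel features.

```php
<?php
// Added example, not from the thread: application-level encryption of
// sensitive columns with Laravel's built-in Encrypter (keyed by APP_KEY).
// The Patient model and its columns are hypothetical.

namespace App\Models;

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Crypt;

class Patient extends Model
{
    // Mass-assignable columns of the hypothetical schema.
    protected $fillable = ['name', 'nhs_number', 'notes'];

    // The `encrypted` cast encrypts on write and decrypts on read using
    // APP_KEY (AES-256-CBC with an HMAC via Laravel's Encrypter). The stored
    // value is an opaque base64 JSON payload, so the column cannot be used in
    // WHERE / LIKE clauses or indexed; keep searchable columns unencrypted or
    // store a separate keyed hash for lookups.
    protected $casts = [
        'nhs_number' => 'encrypted',
        'notes'      => 'encrypted',
    ];
}

// Writing a record: the model performs the encryption transparently, so the
// controller/service code never touches ciphertext.
function storePatient(array $validatedInput): Patient
{
    // Assumes $validatedInput has already passed a FormRequest / validator.
    return Patient::create($validatedInput); // nhs_number and notes stored encrypted
}

// For data that is not an Eloquent attribute (e.g. an uploaded document's
// contents before it is written to disk), call the Encrypter directly.
function encryptBlob(string $plaintext): string
{
    return Crypt::encryptString($plaintext);
}

function decryptBlob(string $ciphertext): ?string
{
    try {
        return Crypt::decryptString($ciphertext);
    } catch (DecryptException $e) {
        // A tampered payload or a changed APP_KEY (e.g. key:generate run on a
        // production box) throws here. Fail closed and let the caller log and
        // alert instead of returning partial or garbage data.
        return null;
    }
}
```

Two caveats a practitioner would want alongside this. First, the key lives next to the application (the `APP_KEY` entry in the server's `.env`, which Forge manages), so anyone with shell or deploy access to the app server can decrypt everything; an audit against ISO 27001 will ask how that secret is stored, who can read it and how it is rotated, which is an operational question rather than a code one. Second, this is separate from encryption at rest of the database volume or backups (provided by the hosting platform); the two layers protect against different failures, and neither protects data while the application is running with the key loaded.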

_chris

Thanks @devingray_. I agree that managed hosting is the best solution here and will likely go down that route. What I'm wondering, though, is if the hosting provider is ISO/IEC 27001 accredited, do I need to be certified for it as well?