Halodoc's Journey to ISO/IEC 27001:2022 - Key Steps in Adopting New Security Requirements
In October 2022, ISO released a major update to its flagship information security standard—ISO/IEC 27001. For a company like Halodoc, transitioning from the 2013 version to ISO/IEC 27001:2022 was not just a formality—it was a strategic investment in resilience and trust.
Why Upgrade from 2013 to 2022?
The 2013 version of ISO/IEC 27001 served us well. But over the past decade, the threat landscape has evolved dramatically. Cloud computing is now the norm, cyberattacks are more sophisticated, and privacy regulations like GDPR and Indonesia's UU PDP are setting higher expectations.
Failing to adopt the 2022 version isn't just a missed opportunity—it can mean losing competitive ground. As our partners and customers grow more security-conscious, outdated practices can translate into lost deals and eroded trust.
Our 5-Step Transition Framework
To transition effectively, we followed a five-phase process:
- Gap Analysis
- Policy & Procedure Updates
- Technical Implementation
- Internal Audit & Management Review
- Recertification
Let’s break this down.
Step 1: Gap Analysis
We started by comparing our existing security program against the new requirements. Every clause and Annex A control was reviewed, and we mapped each one to our current policies, procedures, or technical safeguards. We used a status tracker (complete, in-progress, pending) to prioritize actions.

This structured inventory served as the blueprint for our transition project.
Step 2: Policy & Procedure Updates
Once we identified the gaps, we created action checklists and updated key ISMS documents like the Statement of Applicability (SoA), ISMS Policy, and Risk Register. One key example: for monitoring activities (A.8.16), we defined what should be monitored, set clear metrics, and outlined alerting and escalation protocols.

We also aligned our documentation with new controls rather than simply mapping old ones. This helped future-proof our ISMS and made it easier to explain our compliance posture to auditors.
Step 3: Technical Implementation
Here’s how we implemented the new controls introduced in Annex A:
- A.5.7 Threat Intelligence
- The standard emphasizes the need to proactively identify threats. We addressed this by integrating SOCRadar and CrowdStrike Falcon into our monitoring ecosystem, providing us with insights from internal telemetry and external sources like the dark web. This helped us act faster on emerging threats while reducing triage time for the SOC team—critical from both operational and reputational perspectives. Learn more about it here.
- A.8.10 Information Deletion
- Working with the Legal and Compliance team, we defined data retention timelines and implemented S3 lifecycle rules to automate the archive and deletion process. For instance, in the Indonesian healthcare industry, electronic medical records (EMR) must be retained for at least 25 years after the last interaction, under Permenkes No. 24 Tahun 2022 section 39.
- Halodoc also implemented endpoint-level cleanup scripts using ManageEngine Endpoint Central. This not only met compliance needs but also reduced storage costs and endpoint clutter.
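The retention-to-lifecycle mapping above can be expressed as data and checked before it is applied. The following is an added illustration, not Halodoc's own code: it builds an S3 lifecycle configuration from a retention table and then verifies that no expiration rule undercuts the 25-year EMR floor. The key prefixes, the bucket layout and every retention period other than the 25-year EMR figure are constructed assumptions.

```python
"""Build an S3 lifecycle configuration from a retention table and check it
against a regulatory floor. Added illustration, not Halodoc's code: the key
prefixes and every retention period except the 25-year EMR floor are
constructed assumptions."""
from typing import Dict, List, Optional, Tuple

DAYS_PER_YEAR = 365

# prefix -> (archive after N days, delete after N days); None = never archive.
# 25 years for EMR follows Permenkes No. 24/2022 s.39 as the post describes;
# the other rows are assumed for illustration.
RETENTION: Dict[str, Tuple[Optional[int], int]] = {
    "emr/": (DAYS_PER_YEAR, 25 * DAYS_PER_YEAR),
    "app-logs/": (30, 400),
    "tmp-exports/": (None, 7),
}

# Floors that no expiration rule may undercut.
MINIMUM_RETENTION: Dict[str, int] = {"emr/": 25 * DAYS_PER_YEAR}


def build_lifecycle(retention: Dict[str, Tuple[Optional[int], int]]) -> dict:
    """Return the dict shape boto3 expects for
    put_bucket_lifecycle_configuration(LifecycleConfiguration=...)."""
    rules = []
    for prefix, (archive_days, delete_days) in retention.items():
        if archive_days is not None and archive_days >= delete_days:
            raise ValueError(f"{prefix}: transition must happen before expiration")
        rule = {
            "ID": f"retention-{prefix.strip('/')}",
            "Filter": {"Prefix": prefix},
            "Status": "Enabled",
            "Expiration": {"Days": delete_days},
        }
        if archive_days is not None:
            rule["Transitions"] = [{"Days": archive_days, "StorageClass": "DEEP_ARCHIVE"}]
        rules.append(rule)
    return {"Rules": rules}


def check_minimum_retention(config: dict, minimums: Dict[str, int]) -> List[str]:
    """List every enabled expiration rule that would delete regulated objects
    before their floor. A rule covers the regulated prefix when either string
    is a prefix of the other ("" and "emr/" cover "emr/", and so does "emr/2020/")."""
    problems = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        prefix = rule.get("Filter", {}).get("Prefix", "")
        days = rule.get("Expiration", {}).get("Days")
        if days is None:
            continue
        for regulated, floor in minimums.items():
            overlaps = regulated.startswith(prefix) or prefix.startswith(regulated)
            if overlaps and days < floor:
                problems.append(
                    f"{rule.get('ID', '?')}: deletes {regulated} after {days} days, floor is {floor}"
                )
    return problems


if __name__ == "__main__":
    cfg = build_lifecycle(RETENTION)
    print(check_minimum_retention(cfg, MINIMUM_RETENTION) or "lifecycle respects retention floors")
```

Two practical caveats: S3 lifecycle clocks run from an object's creation date, not from the patient's last interaction, so records have to be written into the retained prefix when the interaction closes (or the floor padded accordingly); and the block deliberately stops short of calling boto3's `put_bucket_lifecycle_configuration`, so the check runs offline as a pre-apply gate and its empty result doubles as audit evidence.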

- A.5.23 Information Security for Cloud Services
- We aligned AWS resource usage with our internal security policies. This included automating secrets rotation, enforcing resource-based IAM permissions, and tagging for environment and system segregation.
- From a business perspective, this not only enhanced our audit readiness but also simplified resource segregation across different systems and applications.
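Tagging only segregates environments if the tags are present and the permissions actually key off them. The following is an added illustration, not Halodoc's code, of the two halves of that: an audit over a tagged-resource inventory that flags missing or off-schema tags, and an attribute-based IAM policy that lets a principal act only on resources whose Environment and System tags match its own. The inventory, account id, tag values and listed actions are constructed assumptions.

```python
"""Tag-based environment/system segregation on AWS. Added illustration, not
Halodoc's code: the inventory, account id, tag values and actions are
constructed assumptions."""
from typing import Dict, List, Optional, Set, Tuple

# Required tag schema (assumed): a closed set of environments, any System name.
REQUIRED_TAGS: Dict[str, Optional[Set[str]]] = {
    "Environment": {"prod", "staging", "dev"},
    "System": None,
}

# Constructed inventory in the shape the Resource Groups Tagging API returns.
INVENTORY = [
    {"ResourceARN": "arn:aws:secretsmanager:ap-southeast-1:111111111111:secret:emr-db-prod",
     "Tags": [{"Key": "Environment", "Value": "prod"}, {"Key": "System", "Value": "emr"}]},
    {"ResourceARN": "arn:aws:secretsmanager:ap-southeast-1:111111111111:secret:legacy-api",
     "Tags": [{"Key": "Environment", "Value": "production"}]},   # wrong value, no System
    {"ResourceARN": "arn:aws:ec2:ap-southeast-1:111111111111:instance/i-0abc123example",
     "Tags": []},                                                 # untagged
]


def audit_tags(inventory: List[dict], schema=REQUIRED_TAGS) -> List[Tuple[str, str]]:
    """Return (ARN, finding) for each tag-schema violation; an empty list is audit evidence."""
    findings = []
    for res in inventory:
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        for key, allowed in schema.items():
            value = tags.get(key)
            if not value:
                findings.append((res["ResourceARN"], f"missing tag {key}"))
            elif allowed is not None and value not in allowed:
                findings.append((res["ResourceARN"], f"{key}={value!r} not in {sorted(allowed)}"))
    return findings


def segregation_policy() -> dict:
    """ABAC policy: a principal may act only on resources whose Environment and
    System tags equal its own role/session tags, so a dev role cannot read a
    prod secret even when it knows the ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SameEnvironmentAndSystemOnly",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
            "Condition": {"StringEquals": {
                "aws:ResourceTag/Environment": "${aws:PrincipalTag/Environment}",
                "aws:ResourceTag/System": "${aws:PrincipalTag/System}",
            }},
        }],
    }
```

The audit is the piece that makes the policy safe: an untagged resource is unreachable under the ABAC statement rather than silently shared, so the findings list is the work queue for whoever owns tagging, and a clean run is the evidence an auditor asks for.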

- A.8.9 Configuration Management
- We applied an Infrastructure-as-Code (IaC) approach using Terraform combined with GitOps workflows. This enabled consistent, version-controlled deployments across environments and reduced the risk of drift. The benefit was not only technical stability but also business agility—new environments could be spun up securely and quickly. Click here to learn more about our Terraform implementation.
- A.8.11 Data Masking
- During this implementation, we began by identifying all PII and PHI stored across our systems. We then leveraged automated tools to detect and apply masking to sensitive data within our data warehouse.
- The challenge was ensuring dynamic masking didn't break existing data pipelines or affect dashboard usability for legitimate users. Click here to learn more about data masking governance in our data warehouse.
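The pipeline-breaking risk mentioned above is usually a masking function that changes a value's format or maps the same input to different outputs, which breaks joins and dashboard filters. The following is an added illustration, not Halodoc's tooling: it classifies columns of a warehouse extract as PII/PHI by column name and value pattern, then applies role-aware masking that is deterministic (keyed HMAC, so equal inputs still join) and format-preserving for identifiers. The sample rows, column names, roles and the masking key are constructed; the 16-digit NIK format is real.

```python
"""Detect PII/PHI columns in a warehouse extract and mask them deterministically
so joins and dashboards keep working. Added illustration, not Halodoc's code:
the sample rows, column names, roles and the masking key are constructed."""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Constructed extract (no real people). NIK is the 16-digit Indonesian national ID.
ROWS = [
    {"patient_id": 1, "full_name": "Ani Contoh", "email": "ani@example.com",
     "nik": "3171011234560001", "phone": "+628111111111", "diagnosis": "hypertension"},
    {"patient_id": 2, "full_name": "Budi Contoh", "email": "budi@example.org",
     "nik": "3171011234560002", "phone": "+628122222222", "diagnosis": "asthma"},
    {"patient_id": 3, "full_name": "Ani Contoh", "email": "ani@example.com",
     "nik": "3171011234560001", "phone": "+628111111111", "diagnosis": "hypertension"},
]

MASK_KEY = b"constructed-demo-key-rotate-in-production"   # would come from a secrets manager

# Column classification: by name hint first, then by value pattern (majority of rows).
NAME_HINTS = {"name": "name", "email": "email", "phone": "phone", "nik": "nik",
              "diagnosis": "phi", "dob": "phi", "address": "phi"}
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "nik": re.compile(r"^\d{16}$"),
    "phone": re.compile(r"^\+?\d{9,15}$"),
}
CLEAR_TEXT_ROLES = {"clinician"}   # roles with a care-delivery need to see raw data


def classify_columns(rows: List[dict]) -> Dict[str, str]:
    """Map each column to a sensitivity kind, or 'none'."""
    kinds = {}
    for col in rows[0]:
        kind = next((k for hint, k in NAME_HINTS.items() if hint in col.lower()), None)
        if kind is None:
            values = [str(r[col]) for r in rows]
            for k, pat in VALUE_PATTERNS.items():
                if sum(bool(pat.match(v)) for v in values) * 2 > len(values):
                    kind = k
                    break
        kinds[col] = kind or "none"
    return kinds


def _token(value: str, digits: Optional[int] = None) -> str:
    """Keyed, deterministic token: equal inputs give equal outputs so joins survive."""
    mac = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return str(int(mac, 16) % 10 ** digits).zfill(digits) if digits else mac[:12]


def mask_value(kind: str, value):
    v = str(value)
    if kind == "email":                      # keep the domain for cohort analytics
        return _token(v) + "@" + v.split("@", 1)[1]
    if kind == "nik":                        # format-preserving: still 16 digits
        return _token(v, digits=16)
    if kind == "phone":                      # keep country code and last 2 digits
        return v[:3] + "*" * (len(v) - 5) + v[-2:]
    if kind == "name":
        return _token(v)
    if kind == "phi":
        return "[REDACTED]"
    return value


def mask_rows(rows: List[dict], role: str) -> List[dict]:
    """Dynamic masking: clear for privileged roles, tokenised for everyone else."""
    if role in CLEAR_TEXT_ROLES:
        return [dict(r) for r in rows]
    kinds = classify_columns(rows)
    return [{c: mask_value(kinds[c], v) for c, v in r.items()} for r in rows]
```

Deterministic tokens are a deliberate trade: an analyst can still count distinct patients and join across tables, but anyone holding the key can re-identify, so the key must live in a secrets manager with access limited to the masking job, and rotating it invalidates every previously tokenised table.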
- A.8.12 Data Leakage Prevention
- Halodoc uses Falcon Data Protection on endpoints and Google Drive’s context-aware labels to control external data sharing.
- While this offered robust protection, the rollout required a cultural shift—ensuring teams understood policy changes and how to handle exceptions without workarounds.

- A.8.16 Monitoring Activities
- We centralized logs into our SIEM and tied alerts to operational SLAs. Tuning these alerts to avoid "alert-fatigue" while preserving responsiveness was the main challenge, especially during infrastructure scale-ups or new deployments.
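Alert fatigue mostly comes from emitting one alert per matching log line. The following is an added illustration, not Halodoc's SIEM content, of the two knobs the paragraph describes: a per-source sliding window that raises a single alert once a threshold is crossed and suppresses repeats for the rest of the window, and an SLA check that grades acknowledgement time by severity. The log lines (SSH authentication failures with documentation-range IPs), the threshold, the window and the SLA minutes are constructed assumptions.

```python
"""Turn raw auth-failure log lines into de-duplicated alerts with SLA targets,
so the SOC gets one alert per source per window instead of one per line.
Added illustration, not Halodoc's SIEM content: the log lines, thresholds and
SLA minutes are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed syslog-style lines; IPs are from the documentation ranges.
LOG_LINES = """\
2024-03-01T10:00:01Z bastion sshd[812]: Failed password for root from 203.0.113.5 port 51022 ssh2
2024-03-01T10:00:07Z bastion sshd[812]: Failed password for root from 203.0.113.5 port 51023 ssh2
2024-03-01T10:00:15Z bastion sshd[812]: Failed password for admin from 203.0.113.5 port 51024 ssh2
2024-03-01T10:00:40Z bastion sshd[812]: Failed password for deploy from 198.51.100.7 port 40001 ssh2
2024-03-01T10:01:02Z bastion sshd[812]: Failed password for root from 203.0.113.5 port 51025 ssh2
2024-03-01T10:01:30Z bastion sshd[812]: Failed password for root from 203.0.113.5 port 51026 ssh2
2024-03-01T10:02:11Z bastion sshd[812]: Accepted publickey for deploy from 198.51.100.7 port 40002 ssh2
2024-03-01T10:03:00Z bastion sshd[812]: Failed password for root from 203.0.113.5 port 51027 ssh2
2024-03-01T10:20:00Z bastion sshd[812]: Failed password for root from 203.0.113.5 port 51099 ssh2
""".splitlines()

FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+) port")
THRESHOLD = 5                        # failures per source inside WINDOW -> one alert
WINDOW = timedelta(minutes=5)
SLA_MINUTES: Dict[str, int] = {"high": 15, "medium": 60}   # acknowledge-by targets (assumed)


def parse_failures(lines: List[str]) -> List[dict]:
    """Extract (timestamp, user, source) from lines that match the failure pattern."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "user": m.group(2), "src": m.group(3)})
    return events


def detect_bruteforce(lines: List[str]) -> List[dict]:
    """Sliding window per source; once a window reaches THRESHOLD, emit one
    alert and suppress further failures from that source until WINDOW elapses."""
    by_src = defaultdict(list)
    for e in sorted(parse_failures(lines), key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, events in by_src.items():
        window, suppressed_until = [], None
        for e in events:
            if suppressed_until and e["ts"] < suppressed_until:
                continue                                   # already alerted this window
            window = [w for w in window if e["ts"] - w["ts"] <= WINDOW] + [e]
            if len(window) >= THRESHOLD:
                users = {w["user"] for w in window}
                alerts.append({
                    "src": src, "count": len(window), "users": sorted(users),
                    "first_seen": window[0]["ts"], "raised_at": e["ts"],
                    "severity": "high" if "root" in users else "medium",
                })
                window, suppressed_until = [], e["ts"] + WINDOW
    return alerts


def sla_status(alert: dict, acked_at: Optional[datetime]) -> str:
    """'met' if acknowledged inside the SLA for its severity, else 'breached'."""
    deadline = alert["raised_at"] + timedelta(minutes=SLA_MINUTES[alert["severity"]])
    return "met" if acked_at is not None and acked_at <= deadline else "breached"
```

On the constructed lines this yields one high-severity alert for 203.0.113.5 covering five failures, while the later single failures and the other host stay below the threshold. Tuning during scale-ups then means adjusting `THRESHOLD` and `WINDOW` per source class (a bastion and a build runner deserve different baselines) rather than muting the rule.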

- A.8.23 Web Filtering
- Halodoc enforced browsing controls using curated blocklists from GitHub, proxy logs, and browser-based rules. The challenge came in striking a balance between security and usability, especially for technical teams that needed broader access for testing or research.
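Community blocklists on GitHub come in two shapes, hosts-file lines and bare domain lists, and the usability balance the paragraph describes is usually implemented as a per-team exception list on top of them. The following is an added illustration, not Halodoc's proxy configuration: a parser that accepts both formats, a matcher that blocks a host and all of its subdomains, and a team allowlist that exempts research hosts. The list excerpts, team names and hostnames are constructed.

```python
"""Resolve whether a requested host is blocked, using blocklists in the two
common GitHub formats (hosts-file and plain domain) plus a per-team allowlist
for research exceptions. Added illustration, not Halodoc's proxy rules: the
list contents, team names and hostnames are constructed."""
from typing import Dict, Set

# Constructed excerpts; real lists would be pulled from their GitHub sources.
HOSTS_FORMAT = """\
# hosts-style list
0.0.0.0 tracker.example.net
127.0.0.1 ads.example.com   # inline comment
0.0.0.0 0.0.0.0
"""
DOMAIN_FORMAT = """\
# plain domain list
malware-sample-host.example
Paste.Example.ORG
"""
TEAM_ALLOWLIST: Dict[str, Set[str]] = {
    "security-research": {"malware-sample-host.example"},   # assumed exception
}
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "localhost", "::1"}


def parse_blocklist(text: str) -> Set[str]:
    """Accept both formats: strip comments, take the last token of each line,
    lower-case it, and drop the sink addresses themselves."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        host = line.split()[-1].lower().rstrip(".")
        if host in SINK_ADDRESSES:
            continue
        out.add(host)
    return out


def is_blocked(host: str, blocklist: Set[str], team: str = "") -> bool:
    """Match the host and every parent domain, so a listed example.com also
    blocks cdn.example.com; hosts allowlisted for the team are exempt."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    if candidates & TEAM_ALLOWLIST.get(team, set()):
        return False
    return bool(candidates & blocklist)
```

Keeping the exception list keyed by team rather than by individual is what makes it reviewable: each entry has an owner and a reason, and removing a team from `TEAM_ALLOWLIST` withdraws every exception at once.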
- A.8.28 Secure Coding
- This control requires organizations to embed secure coding practices. At Halodoc, we use Semgrep for static code analysis, automate secret detection in pull requests, elect internal security champions, and run an internal bug-bounty program. The biggest challenge was scaling these practices across diverse engineering squads while maintaining agility in our development pipelines. Click here for more details on our Semgrep integration.
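Secret detection in pull requests comes down to scanning only the lines a PR adds, so that historic debt does not block every merge, and combining fixed-format rules with an entropy test for generic assignments so that `password = "changeme"` in a test fixture does not page anyone. The following is an added illustration, not Halodoc's pipeline: a unified-diff walker that yields added lines with their new line numbers, a small rule set, and a merge gate. The diff, the rules and the inline allowlist marker are constructed assumptions; the AWS key in the diff is AWS's documented example placeholder, not a live credential.

```python
"""Scan the added lines of a pull-request diff for committed secrets. Added
illustration, not Halodoc's pipeline: the diff, the patterns and the
allowlist marker are constructed assumptions (the AWS key below is AWS's
documented example placeholder, not a live credential)."""
import math
import re
from collections import Counter
from typing import Iterator, List, Tuple

# Constructed unified diff, as `git diff` would print it.
PR_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,6 +10,9 @@ DEBUG = False
 DATABASES = {}
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+STRIPE_KEY = "sk_test_placeholder"  # pragma: allowlist secret
 ALLOWED_HOSTS = ["localhost"]
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Service
+Set AWS_SECRET_ACCESS_KEY in the environment, never in code.
"""

ALLOWLIST_MARKER = "pragma: allowlist secret"   # assumed inline opt-out marker
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("assignment", re.compile(r"(?i)(secret|password|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
ENTROPY_THRESHOLD = 3.5   # bits per char; assumed cutoff between words and random keys


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def added_lines(diff: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_line_number, text) for every '+' line in a unified diff."""
    path, lineno = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            lineno = int(re.search(r"\+(\d+)", raw).group(1))   # start of the new-file range
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith("-") or raw.startswith("diff "):
            continue                                           # removed lines do not advance
        else:
            lineno += 1                                        # unchanged context line


def scan_diff(diff: str) -> List[Tuple[str, int, str]]:
    """Return (path, line, rule) findings; allowlisted lines are skipped."""
    findings = []
    for path, lineno, text in added_lines(diff):
        if ALLOWLIST_MARKER in text:
            continue
        for name, pat in RULES:
            m = pat.search(text)
            if not m:
                continue
            # Generic assignments must look random; fixed-format rules fire as-is.
            if name == "assignment" and shannon_entropy(m.group(2)) < ENTROPY_THRESHOLD:
                continue
            findings.append((path, lineno, name))
            break
    return findings


def pr_gate(diff: str) -> bool:
    """True when the PR may merge (no findings)."""
    return not scan_diff(diff)
```

On the constructed diff the scanner reports the two credential lines in `config/settings.py` and ignores both the allowlisted placeholder and the README sentence that merely names the variable. The allowlist marker is the escape hatch the paragraph's security champions would review: it belongs on the line, in the PR, where a reviewer sees it.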
Step 4: Internal Audit & Management Review
After implementation, our internal audit team validated each change as required by the standard. The results were presented in a management review meeting attended by senior leadership.
Step 5: Recertification
Lastly, we partnered with a globally accredited certification body for our recertification. Their audit consisted of interviews, site reviews, and control testing. Thanks to our structured preparation and team collaboration, the audit went smoothly.
Conclusion
For companies beginning their transition journey from the 2013 to the 2022 version of ISO/IEC 27001, our experience offers several takeaways. Start early and break the process into manageable phases. Collaborate widely across business, operations, and technical teams. Focus on real implementation evidence instead of just documentation. Most importantly, use this opportunity not just for compliance but as a catalyst to strengthen overall security posture. While the increased number of technical controls introduced new complexity, approaching the process with clear ownership, structure, and focus on measurable outcomes made our transition not only successful but also impactful and sustainable.
References
- Infra as Code using Terraform
- Threat Surface Management
- Cloud Security Platforms
- Data Governance Automation
- Code Review with Semgrep
About Halodoc
Halodoc is the number one all-around healthcare application in Indonesia. Our mission is to simplify and deliver quality healthcare across Indonesia, from Sabang to Merauke.
Since 2016, Halodoc has been improving health literacy in Indonesia by providing user-friendly healthcare communication, education, and information (KIE). In parallel, our ecosystem has expanded to offer a range of services that facilitate convenient access to healthcare, starting with Homecare by Halodoc as a preventive care feature that allows users to conduct health tests privately and securely from the comfort of their homes; My Insurance, which allows users to access the benefits of cashless outpatient services in a more seamless way; Chat with Doctor, which allows users to consult with over 20,000 licensed physicians via chat, video or voice call; and Health Store features that allow users to purchase medicines, supplements and various health products from our network of over 4,900 trusted partner pharmacies. To deliver holistic health solutions in a fully digital way, Halodoc offers Digital Clinic services including Haloskin, a trusted dermatology care platform guided by experienced dermatologists.
We are proud to be trusted by global and regional investors, including the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, GoJek, Astra, Temasek, and many more. With over USD 100 million raised to date, including our recent Series D, our team is committed to building the best personalized healthcare solutions — and we remain steadfast in our journey to simplify healthcare for all Indonesians.