Information Risk Analysis in Laboratories Complying with ISO/IEC 17025 Standard

DOI:

https://doi.org/10.46299/j.isjea.20250405.05

Keywords:

Information risk analysis; ISO/IEC 17025; Laboratory Information Management System (LIMS); cybersecurity; IoT security; risk matrix; patch management; network segmentation; ISO/IEC 27005; NIST SP 800-30

Abstract

The rapid integration of digital technologies into testing and calibration laboratories has significantly increased both operational opportunities and information security risks. Compliance with ISO/IEC 17025:2017 requires laboratories not only to ensure the technical accuracy of testing and calibration activities but also to implement systematic information risk management practices. This paper presents a comprehensive study on the identification, analysis, and prioritization of information risks in a laboratory environment that employs a Laboratory Information Management System (LIMS), IoT devices, and cloud-based data infrastructures. The research adopts a hybrid methodology that combines qualitative tools (risk matrix and impact–probability assessment) with quantitative models (Common Vulnerability Scoring System, CVSS). Five predominant risks were identified: outdated and unpatched versions of LIMS, insecure IoT sensor communications, low staff cybersecurity awareness, weaknesses in cloud access control, and lack of logical network segmentation. Among these, unpatched LIMS platforms and insufficient staff awareness emerged as the most critical risks, each scoring high on both likelihood and impact, thus directly threatening laboratory accreditation and data integrity. The findings reveal that information risks in ISO/IEC 17025-compliant laboratories arise not only from technological vulnerabilities but also from human factors and insufficiently standardized processes. The absence of systematic patch management was identified as the most pressing risk, while inadequate network segmentation further exacerbates incident containment. To address these issues, the study proposes a set of mitigation strategies aligned with ISO/IEC 27001/27005, NIST SP 800-30, and ENISA best practices. Key recommendations include the adoption of automated patch management policies, implementation of network segmentation to isolate IoT devices from core systems, multi-factor authentication, encryption of sensitive data, and continuous staff training. The proposed framework enhances both compliance and resilience, ensuring that laboratories maintain the integrity, confidentiality, and availability of their information assets while meeting the requirements of ISO/IEC 17025 accreditation. Beyond compliance, this approach positions laboratories to effectively respond to evolving cybersecurity challenges in dynamic environments.
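The abstract describes a hybrid method: a qualitative likelihood × impact risk matrix for prioritization, combined with CVSS as the quantitative input for technical weaknesses. The following is an added illustration of how such a register can be scored and ranked; it is not the paper's own model or data. The five risk names are taken from the abstract, the CVSS severity bands are those of the CVSS v3.1 specification, and every numeric rating, the 1–5 scales, the matrix thresholds and the sample register values are constructed assumptions for the demonstration, not results reported by the authors.

```python
"""Likelihood x impact risk matrix combined with CVSS severity bands.

Added example illustrating the hybrid qualitative/quantitative approach
described in the abstract. Not the paper's model: the risk names come from
the abstract, all scores and thresholds below are constructed placeholders.
"""
from dataclasses import dataclass

# CVSS v3.1 qualitative severity rating scale (FIRST.org specification):
# lower bound of each band, in ascending order.
CVSS_BANDS = (
    (0.0, "None"),
    (0.1, "Low"),
    (4.0, "Medium"),
    (7.0, "High"),
    (9.0, "Critical"),
)


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    severity = "None"
    for lower, name in CVSS_BANDS:
        if score >= lower:
            severity = name
    return severity


def risk_level(likelihood: int, impact: int) -> str:
    """5x5 risk matrix: both axes rated 1..5; thresholds are assumptions."""
    for value in (likelihood, impact):
        if value not in range(1, 6):
            raise ValueError("likelihood and impact must be rated 1..5")
    product = likelihood * impact
    if product >= 16:
        return "Critical"
    if product >= 10:
        return "High"
    if product >= 5:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (loss of accreditation / data integrity)
    cvss: float       # CVSS base score of the main technical weakness, 0.0 if none

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def prioritize(risks):
    """Order risks for treatment: matrix score first, CVSS as the tie-breaker."""
    return sorted(risks, key=lambda r: (r.score, r.cvss), reverse=True)


# Constructed sample register: names from the abstract, numbers are assumptions.
SAMPLE_REGISTER = [
    Risk("Outdated/unpatched LIMS", 5, 5, 9.8),
    Risk("Low staff cybersecurity awareness", 5, 4, 0.0),
    Risk("Insecure IoT sensor communications", 4, 3, 7.5),
    Risk("Weak cloud access control", 3, 4, 8.1),
    Risk("No logical network segmentation", 3, 3, 0.0),
]


def register_report(risks=SAMPLE_REGISTER):
    """Return (name, matrix score, matrix level, CVSS band) rows, highest priority first."""
    return [(r.name, r.score, r.level, cvss_severity(r.cvss)) for r in prioritize(risks)]


if __name__ == "__main__":
    for name, score, level, band in register_report():
        print(f"{score:2d}  {level:8s}  CVSS={band:8s}  {name}")
```

The matrix score drives the ranking because a human-factor risk such as low staff awareness has no CVSS score at all; CVSS only breaks ties between technical risks that land on the same matrix cell, which is why the cloud access-control entry sorts ahead of the IoT entry in the sample register.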

References

ISO/IEC 17025:2017 – General requirements for the competence of testing and calibration laboratories.

ISO/IEC 27005:2018 – Information security risk management.

NIST SP 800-30 Rev.1 – Guide for Conducting Risk Assessments.

Smith, J., et al. (2021). Security challenges in LIMS platforms. Journal of Laboratory IT Security, 15(3), 45–56.

ILAC (2020). ISO/IEC 17025 Implementation Guide. International Laboratory Accreditation Cooperation.

FIRST.org (2019). Common Vulnerability Scoring System v3.1: Specification Document.

Menabde, T., Otkhozoria, N., & Otkhozoria, V. (2024). Use of the theory of measurement uncertainty in procedures for data processing and results obtained by checking-calibration gas flow meters. International Science Journal of Engineering & Agriculture, 3(2), 40–46. https://doi.org/10.46299/j.isjea.20240302.03

Chkheidze, I., Otkhozoria, N., & Narchemashvili, M. (2021). Evaluation of measurement quality using the Monte-Carlo method. Universum, 65–70. https://doi.org/10.32743/UniTech.2021.84.3-4.65-70

Azmaiparashvili, Z., & Otkhozoria, N. M. (2016). Identification of Two Sorts of Processes and Determining of Their Differences Criteria. Journal of Technical Science and Technologies. https://doi.org/10.31578/jtst.v5i2.106

Lortkipanidze, N., & Otkhozoria, N. (2024). Navigating business excellence: The crucial role of information technology service management through best practice ITIL. Georgian Scientists, 6(1), 120–124. https://doi.org/10.52340/gs.2024.06.01.15

Otkhozoria, N., Petriashvili, L., Zhvania, T., & Imerlishvili, A. (2025). Advancing information system testing: challenges, methods, and practical recommendations. International Science Journal of Engineering & Agriculture, 4(2), 203–214. https://doi.org/10.46299/j.isjea.20250402.13

ISO/IEC 27001:2022. Information security, cybersecurity and privacy protection — Information security management systems — Requirements. International Organization for Standardization, Geneva, 2022.

Benaim, E., & Humphreys, P. (2020). Risk management standards and guidelines in laboratories: Integration with ISO/IEC 17025. Journal of Risk Research, 23(6), 763–779. https://doi.org/10.1080/13669877.2019.1673805

Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(2), 92–100. https://doi.org/10.4236/jis.2013.42011

ENISA (2022). Cybersecurity for SMEs and laboratories: Practical guidelines for risk assessment and mitigation. European Union Agency for Cybersecurity. https://www.enisa.europa.eu

Zhang, J., Wang, L., & Zhang, H. (2021). IoT security risk assessment based on CVSS and Bayesian networks. Computers & Security, 106, 102270. https://doi.org/10.1016/j.cose.2021.102270

Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information security risk assessment (ISRA). Computers & Security, 57, 14–30. https://doi.org/10.1016/j.cose.2015.11.001

Wangen, G., Snekkenes, E., & Hallstensen, C. (2018). A framework for estimating information security risk assessment method completeness. International Journal of Information Security, 17(6), 681–699. https://doi.org/10.1007/s10207-018-0415-0

Spring, J. M., Hatleback, E., & Householder, A. D. (2021). Time to patch: The relative effectiveness of vulnerability disclosure timelines. IEEE Security & Privacy, 19(5), 27–37. https://doi.org/10.1109/MSEC.2020.3048416

ENISA (2023). Cybersecurity Threat Landscape 2023. European Union Agency for Cybersecurity. https://www.enisa.europa.eu

Zhou, Y., Sun, Y., & Yang, S. (2021). Risk assessment model of industrial IoT systems based on attack graph and Bayesian networks. Future Generation Computer Systems, 119, 105–118. https://doi.org/10.1016/j.future.2021.01.025

Kure, H. I., Islam, S., & Razzaque, M. A. (2018). An integrated cyber security risk management approach for a cyber-physical system. Applied Sciences, 8(6), 898. https://doi.org/10.3390/app8060898

Published

2025-10-01

How to Cite

Otkhozoria, N., Petriashvili, L., Zhvania, T., & Lortkipanidze, N. (2025). Information Risk Analysis in Laboratories Complying with ISO/IEC 17025 Standard. International Science Journal of Engineering & Agriculture, 4(5), 50–61. https://doi.org/10.46299/j.isjea.20250405.05
