Shockwave Medical Case Study

BARR Advisory’s flexibility and collaboration guides Shockwave Medical to achieve ISO 27001 + increased business growth.

At a Glance

Shockwave Medical is a medical device company focused on developing and commercializing transformational technologies for the treatment of cardiovascular disease. The company aims to establish a new standard of care for the medical device treatment of atherosclerotic cardiovascular disease through differentiated and proprietary local delivery of sonic pressure waves for the treatment of calcified plaque, which is referred to as intravascular lithotripsy.

The Challenge

In today’s evolving threat landscape, healthcare organizations are increasingly vulnerable to cyber-attacks. As a pioneer in the development of medical technology, Shockwave Medical collaborates with many different professionals and entities to ease care for patients with calcified cardiovascular disease. Shockwave’s cross-functional environment comes with potential risks, and the organization was challenged with communicating across teams and external parties to ensure successful compliance.

Shockwave wanted to address potential risks through an efficient and comprehensive security framework. Beyond its sustained SEC filings, GDPR compliance, and FDA approval, Shockwave knew that an ISO 27001 certification would help it demonstrate a more mature security posture. It also knew the thoroughness of the framework’s controls would cover all its bases—from technical to human resources to legal and beyond. And with a rising international client base, Shockwave wanted to certify to an internationally accepted framework like ISO 27001.

Because of the nature of our work, it’s critical for us to demonstrate compliance to medical teams, stakeholders, leadership, and all other parties involved. We knew it was crucial to bring everything together and identify potential findings we might need to remediate.

David Borkowski
Manager of Cybersecurity Risk and IT Compliance
Shockwave Medical

The Solution

Shockwave began the search for its perfect auditor. It interviewed several other firms, but BARR stood out as friendly, collaborative, and flexible to meet Shockwave’s goal of achieving ISO 27001 certification by its intended deadline. “The relationship with BARR was fantastic from the start,” said Borkowski, adding, “During our search for an auditing firm, BARR’s approach felt more like a collaborative inspection of how we do things versus a simple pass/fail assessment. BARR treated us like partners from our very first conversation.”

With a timeline and goal in place, Shockwave and BARR moved forward with an ISO 27001 engagement. BARR’s auditors demonstrated a deep understanding of Shockwave’s control environment and how to present appropriate evidence. They identified the relevant controls to fit Shockwave’s unique needs and ensured it was compliant.

“BARR was extremely flexible with our schedule. We were able to push back deadlines if needed while, at the same time, staying efficient and completing each stage of our audit on time,” said Borkowski. “Through BARR’s transparency, we knew exactly what to expect ahead of time. BARR had the right people on each call, helped create efficiencies throughout the process, and was readily available to address unexpected needs.”

I’ve been through many audits throughout my career, which can sometimes be painful. With BARR, it was different. Our engagement team served as our true partner and helped us continue working toward potential security and compliance measures. It was the best audit experience I’ve ever participated in.

David Borkowski
Manager of Cybersecurity Risk and IT Compliance
Shockwave Medical

The Results

Through the engagement process, Shockwave gained more than an ISO 27001 certification. It developed confidence in its security and compliance processes and aligned with new goals, like implementing the NIST Cybersecurity Framework and transitioning to the 2022 version of ISO 27001. Shockwave is now positioned to further contracts with critical health systems and agencies like the Department of Defense.

Through a strengthened security and compliance posture, Shockwave can focus on developing technology for the medical field and accomplishing its underlying goal—improving the quality of life for patients.

After achieving ISO 27001 certification, Shockwave experienced:

A successful ISO 27001 audit with zero identified nonconformities.

Strong positioning for future contracts with critical health systems.

A seamless transition into a broader international client base.

Increased business growth and greater confidence in its compliance processes.

A true partnership for current and future security and compliance goals.

BARR not only helped us achieve an ISO 27001 certification within our timeline, but it gave us the confidence to bring up questions or concerns. During our engagement, we weren’t afraid to show our auditors what we do and why we do it. They listened to our needs and consulted us through the process. In the future, we’re looking to work with BARR on new and exciting security and compliance goals.

David Borkowski
Manager of Cybersecurity Risk and IT Compliance
Shockwave Medical
