Information Risk Analysis in Laboratories Complying with ISO/IEC 17025 Standard

The rapid integration of digital technologies into testing and calibration laboratories has significantly increased both operational opportunities and information security risks. Compliance with ISO/IEC 17025:2017 requires laboratories not only to ensure the technical accuracy of testing and calibration activities but also to implement systematic information risk management practices. This paper presents a comprehensive study on the identification, analysis, and prioritization of information risks in a laboratory environment that employs a Laboratory Information Management System (LIMS), IoT devices, and cloud-based data infrastructures. The research adopts a hybrid methodology that combines qualitative tools (risk matrix and impact–probability assessment) with quantitative models (Common Vulnerability Scoring System, CVSS). Five predominant risks were identified: outdated and unpatched versions of LIMS, insecure IoT sensor communications, low staff cybersecurity awareness, weaknesses in cloud access control, and lack of logical network segmentation. Among these, unpatched LIMS platforms and insufficient staff awareness emerged as the most critical risks, each scoring high on both likelihood and impact, thus directly threatening laboratory accreditation and data integrity. The findings reveal that information risks in ISO/IEC 17025-compliant laboratories arise not only from technological vulnerabilities but also from human factors and insufficiently standardized processes. The absence of systematic patch management was identified as the most pressing risk, while inadequate network segmentation further exacerbates incident containment. To address these issues, the study proposes a set of mitigation strategies aligned with ISO/IEC 27001/27005, NIST SP 800-30, and ENISA best practices. Key recommendations include the adoption of automated patch management policies, implementation of network segmentation to isolate IoT devices from core systems, multi-factor authentication, encryption of sensitive data, and continuous staff training. The proposed framework enhances both compliance and resilience, ensuring that laboratories maintain the integrity, confidentiality, and availability of their information assets while meeting the requirements of ISO/IEC 17025 accreditation. Beyond compliance, this approach positions laboratories to effectively respond to evolving cybersecurity challenges in dynamic environments.