Skip to main content
Breach Notification Procedures in ISO 27799

Breach Notification Procedures in ISO 27799

$349.00
How you learn:
Self-paced • Lifetime updates
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
When you get access:
Course access is prepared after purchase and delivered via email
Your guarantee:
30-day money-back guarantee — no questions asked
Who trusts this:
Trusted by professionals in 160+ countries
Adding to cart… The item has been added

This curriculum spans the full lifecycle of breach notification under ISO 27799, equivalent in depth to an internal incident response capability program developed through sustained advisory engagement with legal, compliance, and information security functions across a multinational healthcare organisation.

Module 1: Understanding Legal and Regulatory Frameworks for Breach Notification

  • Determine jurisdictional applicability of breach notification laws (e.g., HIPAA, GDPR, PIPEDA) based on patient location and data residency.
  • Map mandatory reporting timelines across overlapping regulations when handling multinational health data.
  • Establish thresholds for reportable breaches under each applicable law, including risk-of-harm assessments.
  • Identify designated regulatory authorities for breach reporting in each jurisdiction of operation.
  • Document legal exceptions to notification requirements, such as low probability of compromise.
  • Implement procedures to preserve legal privilege during internal breach investigations.
  • Integrate regulatory change monitoring into the compliance calendar to update policies proactively.
  • Coordinate with legal counsel to standardize interpretation of ambiguous regulatory language.

Module 2: Defining Breach Classification and Severity Criteria

  • Develop a classification matrix based on data type (e.g., diagnosis, genetic, billing) and exposure method (e.g., lost device, phishing).
  • Assign severity levels using impact dimensions: sensitivity, volume, accessibility, and re-identification risk.
  • Define clear decision rules for distinguishing incidents from reportable breaches.
  • Implement peer review for borderline cases to reduce subjectivity in classification.
  • Configure SIEM rules to flag events that meet predefined severity thresholds automatically.
  • Document rationale for downgrading high-severity alerts when justified by context.
  • Align internal severity ratings with external reporting expectations to avoid under- or over-reporting.
  • Update classification criteria annually based on incident trend analysis.

Module 3: Activating the Incident Response and Notification Workflow

  • Trigger the incident response team within 30 minutes of confirmed breach identification.
  • Assign roles in the breach response: incident lead, legal liaison, communications officer, technical investigator.
  • Initiate chain-of-custody documentation for all forensic evidence collected.
  • Freeze affected systems when necessary, balancing investigation needs with clinical continuity.
  • Deploy breach-specific runbooks that integrate with existing ITIL processes.
  • Validate that all response actions comply with internal policies and regulatory requirements.
  • Log all decisions and actions in a centralized incident management system for auditability.
  • Escalate to executive leadership within two hours for breaches affecting more than 500 individuals.

Module 4: Conducting Forensic Investigation and Impact Assessment

  • Preserve logs from EHR systems, authentication servers, and network devices for at least 180 days post-breach.
  • Determine the scope of data accessed or exfiltrated using log correlation and user activity analysis.
  • Interview involved personnel while ensuring statements do not compromise legal defensibility.
  • Engage third-party forensic experts when internal capabilities are insufficient or independence is required.
  • Estimate the time window of unauthorized access using timestamp analysis across systems.
  • Assess whether encryption was active on compromised devices at the time of loss or theft.
  • Document the investigation methodology to support regulatory inquiries and potential litigation.
  • Produce a written impact assessment that quantifies affected individuals and data categories.

Module 5: Coordinating Internal and External Communications

  • Draft breach notification templates pre-approved by legal and compliance teams for rapid deployment.
  • Restrict public statements to authorized spokespersons to prevent inconsistent messaging.
  • Notify business associates of breaches involving shared data within 24 hours of confirmation.
  • Prepare FAQ documents for staff to address patient inquiries consistently.
  • Coordinate with public relations to manage media outreach without disclosing investigatory details.
  • Log all external communications for regulatory and audit purposes.
  • Notify supervisory authorities using prescribed formats and secure channels.
  • Establish a dedicated call center or web portal for affected individuals within 72 hours.

Module 6: Executing Patient Notification Procedures

  • Verify contact information for affected individuals from the most recent EHR records.
  • Choose notification method (mail, email, phone) based on risk level and regulatory requirements.
  • Include required content in patient notices: nature of breach, data involved, mitigation steps, contact details.
  • Send expedited notifications to individuals at high risk of identity theft or harm.
  • Provide credit monitoring services only when risk assessment justifies the expense and regulatory expectation.
  • Maintain a log of all notifications sent, including delivery confirmation and opt-out records.
  • Offer multilingual notification letters in regions with diverse patient populations.
  • Document exceptions for substitute notifications when direct contact is not feasible.

Module 7: Managing Regulatory Reporting Obligations

  • Submit breach reports to HHS OCR within 60 days of discovery for incidents affecting 500+ individuals.
  • File annual summaries for smaller breaches as required by HIPAA.
  • Use standardized data fields in regulatory submissions to ensure consistency and completeness.
  • Obtain legal sign-off before submitting reports that may trigger audits or enforcement actions.
  • Archive all regulatory correspondence and case numbers for long-term reference.
  • Respond to regulator inquiries within mandated timeframes using pre-approved response templates.
  • Report cross-border breaches to all relevant data protection authorities based on data flows.
  • Update breach registers in real time to support regulatory reporting and internal oversight.

Module 8: Implementing Post-Breach Remediation and Controls

  • Conduct a root cause analysis using methods such as 5 Whys or Fishbone diagrams.
  • Deploy technical controls such as enhanced logging, access restrictions, or DLP based on breach findings.
  • Revise access control policies to eliminate over-provisioned user permissions identified during the breach.
  • Retrain affected staff on data handling procedures within 14 days of incident closure.
  • Update risk assessments to reflect new threat vectors exposed by the breach.
  • Conduct a follow-up audit within 90 days to verify remediation effectiveness.
  • Incorporate breach lessons into annual security awareness training content.
  • Adjust insurance coverage based on breach frequency and financial impact trends.

Module 9: Auditing and Maintaining Breach Response Documentation

  • Archive complete breach files including investigation reports, notifications, and regulatory submissions.
  • Ensure documentation meets retention requirements of applicable laws (e.g., 6 years under HIPAA).
  • Conduct quarterly audits of breach response records for completeness and compliance.
  • Restrict access to breach documentation based on role and need-to-know principles.
  • Validate that all timestamps in logs are synchronized across systems for forensic accuracy.
  • Use metadata tagging to enable efficient retrieval during audits or legal discovery.
  • Integrate breach documentation into the organization’s information governance framework.
  • Perform annual validation of backup integrity for archived breach records.

Module 10: Continuous Improvement of Breach Notification Processes

  • Conduct a post-incident review meeting within 10 business days of breach resolution.
  • Measure response performance using KPIs such as time-to-detect, time-to-notify, and classification accuracy.
  • Update breach playbooks based on lessons learned and changes in threat landscape.
  • Simulate breach scenarios annually with cross-functional teams to test notification workflows.
  • Benchmark notification timelines against industry peers and regulatory expectations.
  • Incorporate feedback from regulators, patients, and internal stakeholders into process updates.
  • Align breach response improvements with updates to ISO 27799 and other relevant standards.
  • Report metrics and improvement initiatives to the board-level risk committee quarterly.
!