
Information Security Audits in ISO 27799

$349.00
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
Your guarantee:
30-day money-back guarantee — no questions asked
When you get access:
Course access is prepared after purchase and delivered via email
Who trusts this:
Trusted by professionals in 160+ countries
How you learn:
Self-paced • Lifetime updates

This curriculum spans the full lifecycle of healthcare information security audits, equivalent in depth to a multi-phase advisory engagement, covering asset classification, access governance, vendor risk, incident response, and continuous monitoring across clinical and administrative environments.

Module 1: Establishing the Audit Framework in Healthcare Contexts

  • Define audit scope to include both clinical and administrative systems, ensuring alignment with healthcare-specific data sensitivity requirements.
  • Select audit criteria from ISO 27799's healthcare-specific guidance on the ISO/IEC 27002 controls, mapping each criterion to jurisdictional healthcare regulations such as HIPAA or the GDPR's rules for special-category health data.
  • Determine whether audits will be conducted internally by organizational staff or externally by third-party assessors with healthcare experience.
  • Obtain executive sponsorship and documented authority to access electronic health record (EHR) systems during audit execution.
  • Develop audit timelines that accommodate clinical workflows, avoiding peak operational periods such as shift changes or admissions surges.
  • Identify custodians of health data across departments (e.g., radiology, pharmacy) to ensure complete asset coverage.
  • Establish protocols for handling protected health information (PHI) during evidence collection and reporting, so that audit workpapers do not become an unsecured copy of patient data.
  • Integrate audit planning with existing risk assessments to prioritize high-impact areas such as patient data repositories or interfaced systems.

Module 2: Asset Identification and Classification in Clinical Environments

  • Inventory all devices that process or store patient data, including mobile tablets used at point-of-care and legacy diagnostic equipment.
  • Classify data assets based on clinical impact (e.g., treatment records vs. billing data) rather than solely on confidentiality.
  • Document shared assets such as lab information systems that serve multiple departments with differing access needs.
  • Resolve conflicts between IT asset registers and clinical department records where equipment is acquired independently.
  • Apply data classification labels to structured (EHR) and unstructured (scanned documents, voice notes) health information.
  • Address shadow IT systems introduced by clinicians, such as personal cloud storage used for patient images.
  • Define ownership for hybrid systems where vendors maintain hardware but the organization controls data access.
  • Update asset classification when systems are decommissioned or repurposed, such as old workstations converted to training tools.

Module 3: Access Control Validation Across Healthcare Roles

  • Verify role-based access controls (RBAC) against actual clinical roles, including temporary staff and locum physicians.
  • Review access provisioning workflows to detect delays in deactivating accounts for terminated or rotated personnel.
  • Assess segregation of duties in prescribing and dispensing systems to prevent unauthorized medication access.
  • Test emergency override access in critical care systems to confirm logging and post-event review procedures.
  • Examine shared account usage in nursing stations and determine if individual accountability mechanisms are in place.
  • Evaluate biometric authentication systems for reliability in high-turnover clinical environments.
  • Validate multi-factor authentication enforcement on remote access to EHRs from home or mobile devices.
  • Check for excessive privileges in vendor support accounts used for system maintenance and updates.
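As an added worked example (not part of the course or its toolkit), the following Python script performs the reconciliation an auditor runs for the checks above: it compares a constructed HR roster against a constructed EHR account export to find enabled accounts for terminated or contract-expired staff, EHR roles that exceed the HR role (including an over-privileged vendor support account), dormant accounts, shared station accounts with no HR record, and prescriber/dispenser segregation-of-duties conflicts. The column names, the role mapping and the 90-day dormancy threshold are assumptions about a hypothetical EHR, not any product's real schema.

```python
"""Access-control reconciliation: EHR account export vs. HR roster.

Added example, not course material. Both data sets below are constructed;
the column names, the ALLOWED_EHR_ROLES mapping and the dormancy threshold
are assumptions about a hypothetical EHR, not any product's real schema.
"""
import csv
import io
from datetime import date

# Assumed mapping: which EHR roles a given HR role may legitimately hold.
ALLOWED_EHR_ROLES = {
    "physician": {"clinician", "prescriber"},
    "locum_physician": {"clinician", "prescriber"},
    "nurse": {"clinician"},
    "pharmacist": {"dispenser"},
    "ward_clerk": {"clerical"},
    "vendor_support": {"maintenance"},
}

# Constructed HR roster (blank end_date = open-ended employment).
HR_ROSTER = """user,hr_role,status,end_date
dr.ahmed,physician,active,
dr.locum1,locum_physician,active,2024-02-28
rn.lopez,nurse,terminated,2024-01-15
ph.kim,pharmacist,active,
clerk.tan,ward_clerk,active,
vendor.acme,vendor_support,active,
"""

# Constructed EHR account export (one row per user/role assignment).
EHR_ACCOUNTS = """user,ehr_role,enabled,last_login
dr.ahmed,prescriber,true,2024-03-04
dr.locum1,prescriber,true,2024-03-02
rn.lopez,clinician,true,2024-01-14
ph.kim,dispenser,true,2024-03-03
ph.kim,prescriber,true,2024-03-03
clerk.tan,clinician,true,2024-03-01
vendor.acme,admin,true,2023-11-20
nursestation3,clinician,true,2024-03-04
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows, ehr_rows, as_of, dormant_days=90):
    """Return (user, finding) tuples for enabled EHR accounts."""
    hr = {r["user"]: r for r in hr_rows}
    findings = []
    for acct in ehr_rows:
        if acct["enabled"].lower() != "true":
            continue
        user = acct["user"]
        person = hr.get(user)
        if person is None:  # no matching person: shared or orphaned account
            findings.append((user, "no HR record (shared or orphaned account)"))
            continue
        if person["status"] != "active":
            findings.append((user, "enabled account for terminated staff"))
        elif person["end_date"] and date.fromisoformat(person["end_date"]) < as_of:
            findings.append((user, f"enabled after contract end {person['end_date']}"))
        allowed = ALLOWED_EHR_ROLES.get(person["hr_role"], set())
        if acct["ehr_role"] not in allowed:
            findings.append((user, f"EHR role '{acct['ehr_role']}' exceeds HR role '{person['hr_role']}'"))
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((user, f"dormant for {idle} days"))
    return findings


def sod_conflicts(ehr_rows):
    """Users holding both prescriber and dispenser roles (segregation of duties)."""
    roles = {}
    for acct in ehr_rows:
        if acct["enabled"].lower() == "true":
            roles.setdefault(acct["user"], set()).add(acct["ehr_role"])
    return sorted(u for u, rs in roles.items() if {"prescriber", "dispenser"} <= rs)


def audit_findings(as_of_iso="2024-03-05"):
    """Run both checks against the constructed data as of the given date."""
    hr, ehr = load(HR_ROSTER), load(EHR_ACCOUNTS)
    return reconcile(hr, ehr, date.fromisoformat(as_of_iso)), sod_conflicts(ehr)


if __name__ == "__main__":
    findings, sod = audit_findings()
    for user, note in findings:
        print(f"{user:15} {note}")
    print("SoD conflicts:", sod)
```

In the constructed data this surfaces seven findings across six accounts: the locum still enabled after the contract end date, the terminated nurse's live account, the pharmacist who also holds a prescriber role (also the one segregation-of-duties conflict), the ward clerk with a clinician role, the vendor account that is both over-privileged and dormant, and the nursing-station account with no named owner. The point of running it against the authoritative HR feed rather than the EHR's own role list is that the EHR cannot detect drift from a source it does not consult.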

Module 4: Audit Logging and Monitoring in Health Information Systems

  • Confirm that audit logs capture critical events such as record access, modifications, and print actions in EHRs.
  • Verify log integrity controls, such as write-once (WORM) storage, hash chaining of records, or signed log batches, noting that a per-record hash alone does not detect deletion or reordering of entries.
  • Assess log retention periods against legal requirements for medical record retention in the jurisdiction.
  • Evaluate SIEM integration with clinical systems to detect anomalous access patterns, such as off-hours record viewing.
  • Test alerting mechanisms for failed log transmission from isolated systems like standalone ultrasound machines.
  • Review procedures for log review frequency and assign responsibility to designated security or compliance officers.
  • Identify systems that do not support standardized logging formats, requiring manual checks or workarounds.
  • Ensure logging does not degrade system performance in time-sensitive clinical applications.
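As an added worked example (not part of the course or its toolkit), the Python below shows what the auditor is actually testing when checking log integrity and anomalous-access detection in this module: it builds a constructed EHR audit log as a SHA-256 hash chain, shows that an in-place edit or a dropped entry breaks the chain at the tampered position, and then runs a simple off-hours record-view rule over the same records. The field names (`ts`, `user`, `action`, `record`, `prev`, `hash`) and the 22:00 to 06:00 window are assumptions, not any vendor's log format.

```python
"""Hash-chained EHR audit log verification and off-hours access detection.

Added example, not course material. The log lines below are constructed.
Each record carries `prev` (the previous record's hash) and `hash`, which is
SHA-256 over prev + canonical JSON of the record's own fields. Field names
and the off-hours window are assumptions about a hypothetical EHR.
"""
import hashlib
import json
from datetime import datetime, time

GENESIS = "0" * 64  # chain anchor for the first record


def canonical(fields):
    """Deterministic serialisation so the hash does not depend on key order."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def entry_hash(prev, fields):
    return hashlib.sha256((prev + canonical(fields)).encode()).hexdigest()


def build_log(events):
    """Append events to a chain; used here only to construct the sample."""
    log, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        log.append({**ev, "prev": prev, "hash": h})
        prev = h
    return log


def verify_chain(log):
    """Return the index of the first broken entry, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        fields = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, fields):
            return i
        prev = rec["hash"]
    return -1


def off_hours_views(log, start=time(22, 0), end=time(6, 0)):
    """Record views timestamped inside an overnight window [start, end)."""
    hits = []
    for rec in log:
        if rec["action"] != "view":
            continue
        t = datetime.fromisoformat(rec["ts"]).time()
        if t >= start or t < end:
            hits.append((rec["user"], rec["record"], rec["ts"]))
    return hits


# Constructed sample: a clinician's daytime activity, a nurse printing a
# record, then a ward clerk browsing two charts in the small hours.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "dr.ahmed", "action": "view", "record": "MRN-1001"},
    {"ts": "2024-03-04T09:13:30", "user": "dr.ahmed", "action": "modify", "record": "MRN-1001"},
    {"ts": "2024-03-04T14:05:00", "user": "rn.lopez", "action": "print", "record": "MRN-1042"},
    {"ts": "2024-03-05T02:47:10", "user": "clerk.tan", "action": "view", "record": "MRN-1001"},
    {"ts": "2024-03-05T03:01:55", "user": "clerk.tan", "action": "view", "record": "MRN-1042"},
]
SAMPLE_LOG = build_log(SAMPLE_EVENTS)


def tampered_copy(log):
    """Simulate an insider rewriting entry 3 to attribute the view to someone else."""
    copy = [dict(r) for r in log]
    copy[3]["user"] = "dr.ahmed"
    return copy


if __name__ == "__main__":
    print("intact chain, first bad index:", verify_chain(SAMPLE_LOG))
    print("edited entry, first bad index:", verify_chain(tampered_copy(SAMPLE_LOG)))
    print("deleted entry, first bad index:", verify_chain(SAMPLE_LOG[:2] + SAMPLE_LOG[3:]))
    for user, record, ts in off_hours_views(SAMPLE_LOG):
        print(f"off-hours view: {user} -> {record} at {ts}")
```

Two points the auditor should take from this: the chain only proves integrity relative to its head, so the latest hash must itself be anchored where the logging system cannot rewrite it (WORM storage, a signed batch forwarded to the SIEM, or both), otherwise an attacker with write access to the whole file simply recomputes every hash; and the off-hours rule is deliberately crude, since a real detection would also check for a treating relationship, volume per user, and shift rosters, but it is enough to show the kind of query the SIEM integration in this module has to make possible.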

Module 5: Third-Party and Vendor Risk Assessment

  • Obtain assurance over cloud service providers hosting patient data: by on-site audit where the contract grants that right, and otherwise through independent attestation reports (e.g., a SOC 2 Type II report or ISO/IEC 27001 certification scoped to the services in use) covering physical and logical security controls.
  • Review business associate agreements (BAAs) for alignment with ISO 27799 requirements on data protection.
  • Validate vendor patch management processes for medical devices with long support cycles.
  • Assess incident response coordination capabilities with third parties during data breach simulations.
  • Verify that subcontractors used by vendors are bound by equivalent security obligations.
  • Inspect remote access methods used by vendors for maintenance, ensuring session logging and time limits.
  • Evaluate data deletion verification processes when contracts with health IT vendors terminate.
  • Monitor vendor compliance status through periodic reassessments, not just at onboarding.

Module 6: Incident Response and Breach Management Audits

  • Test incident escalation paths involving both IT security teams and clinical leadership during simulated breaches.
  • Review documentation of past security incidents to assess root cause analysis and control improvements.
  • Verify that breach reporting timelines align with regulatory requirements (e.g., HIPAA's 60-day outer limit for notifying affected individuals, or the GDPR's 72-hour notification to the supervisory authority).
  • Audit communication protocols for notifying patients and regulators without compromising ongoing investigations.
  • Assess integration of incident response plans with hospital disaster recovery and continuity of operations.
  • Validate forensic data preservation procedures for clinical devices that may serve as evidence sources.
  • Check that staff training includes recognition of phishing attempts targeting healthcare credentials.
  • Review post-incident access revocation and system re-hardening procedures.

Module 7: Physical and Environmental Security in Clinical Settings

  • Inspect access controls to server rooms and data centers located within hospital premises.
  • Assess physical safeguards for workstations in public areas such as emergency departments or outpatient clinics.
  • Verify that mobile devices used for patient documentation are secured when unattended during shifts.
  • Review policies for handling printed health records in nursing stations and diagnostic departments.
  • Test environmental controls (e.g., HVAC, fire suppression) in areas housing critical health IT infrastructure.
  • Confirm destruction methods for physical media containing patient data, including CDs and USB drives.
  • Evaluate visitor access protocols in areas with clinical systems, such as during equipment installation.
  • Monitor camera coverage and retention for entrances to data-sensitive zones like pharmacy or radiology.

Module 8: Policy Compliance and Staff Accountability

  • Conduct random checks of staff adherence to password policies on clinical workstations.
  • Review attestation records for security policy acknowledgment during employee onboarding and annually.
  • Assess consistency of disciplinary actions for policy violations across departments and roles.
  • Validate that training content reflects current threats, such as ransomware targeting hospital networks.
  • Check that contractors and temporary staff receive role-specific security briefings before system access.
  • Verify that policies address acceptable use of personal devices in clinical environments (BYOD).
  • Review policy version control and distribution mechanisms to ensure all staff access current versions.
  • Identify gaps in policy enforcement due to lack of automated monitoring tools.

Module 9: Audit Reporting and Remediation Tracking

  • Structure audit findings to differentiate between systemic issues and isolated incidents.
  • Assign risk ratings to findings based on potential impact to patient safety and data confidentiality.
  • Ensure audit reports are accessible to governance bodies such as the hospital privacy committee.
  • Define remediation timelines in collaboration with system owners, considering clinical dependencies.
  • Track closure of findings using a centralized system with evidence upload and approval workflows.
  • Validate that corrective actions address root causes, not just symptoms of control failures.
  • Conduct follow-up audits to verify sustainability of implemented fixes.
  • Archive audit reports and supporting evidence in accordance with legal retention requirements.

Module 10: Continuous Improvement and Maturity Assessment

  • Measure control effectiveness over time using key performance indicators (KPIs) such as patch latency or incident resolution time.
  • Conduct maturity assessments using ISO 27799-aligned models to identify capability gaps.
  • Compare audit results across departments to identify best practices for enterprise-wide adoption.
  • Integrate audit insights into annual risk assessment and strategic security planning cycles.
  • Review changes in healthcare regulations and update audit checklists accordingly.
  • Assess scalability of current audit processes as the organization adopts telehealth and IoT devices.
  • Engage clinical stakeholders in control design to improve usability and adoption.
  • Benchmark audit frequency and coverage against peer healthcare institutions.