This curriculum follows a multi-phase security assessment program, mirroring an organization’s end-to-end effort to align clinical information systems with ISO 27799, from scoping and risk modeling through governance reporting.
Module 1: Scoping and Context Definition for Healthcare Information Assets
- Determine which systems, applications, and data stores fall within the scope of ISO 27799 based on patient data handling and regulatory exposure.
- Map ownership of clinical, administrative, and research data to accountable roles across departments such as HIM, IT, and compliance.
- Negotiate scope boundaries with legal and clinical stakeholders when legacy systems lack audit capabilities but process PHI.
- Classify data sensitivity levels (e.g., psychotherapy notes vs. billing records) to align with ISO 27799 control applicability.
- Document jurisdictional overlaps where multiple regulations (HIPAA, GDPR, PIPEDA) apply to the same dataset.
- Define exclusion justifications for outsourced services (e.g., cloud email) and ensure they are formally recorded and reviewed annually.
- Integrate organizational risk appetite into scoping decisions, particularly when expanding telehealth platforms with third-party vendors.
- Establish criteria for re-scoping triggered by mergers, new EHR implementations, or changes in regulatory enforcement patterns.
Module 2: Risk Assessment Methodology Aligned with ISO 27799
- Select a risk assessment framework (e.g., OCTAVE, NIST SP 800-30) that supports healthcare-specific threat modeling, such as insider threats in clinical settings.
- Identify threat actors specific to healthcare, including disgruntled staff, business associates with broad access, and ransomware actors targeting downtime.
- Quantify impact using clinical harm scenarios (e.g., delayed treatment due to inaccessible records) in addition to financial and reputational metrics.
- Adjust likelihood ratings based on observed control deficiencies in peer healthcare organizations during industry benchmarking.
- Validate risk scenarios with clinical staff to ensure technical threats reflect real-world workflow disruptions.
- Document residual risks that exceed tolerance levels and require escalation to the privacy and security steering committee.
- Ensure risk assessment outputs directly inform control selection in subsequent modules, avoiding generic checklists.
- Schedule risk reassessment triggers tied to significant events such as EHR upgrades or data center migrations.
Module 3: Access Control Design for Clinical and Administrative Roles
- Implement role-based access control (RBAC) models that reflect clinical hierarchies (e.g., attending vs. resident) and non-clinical job functions.
- Enforce least privilege by reviewing actual access logs and comparing them to role definitions during access certification cycles.
- Design emergency access procedures that allow override access while ensuring real-time logging and post-event review.
- Integrate Just-In-Time (JIT) access for third-party vendors supporting imaging systems or lab interfaces.
- Address shared account usage in nursing stations by deploying session-level logging and user tagging at login.
- Define access revocation timelines for terminated or transferred employees, synchronized with HR offboarding systems.
- Configure dynamic access policies based on context, such as time-of-day restrictions for non-urgent data exports.
- Test access control effectiveness through simulated insider threat exercises with red team participation.
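The least-privilege review in this module rests on a concrete comparison: what a role is entitled to, what its holders actually exercised in the review window, what was reached through an emergency override, and which accounts in the log no longer exist in the directory. The script below is an added example, not part of the curriculum; the role model, user directory and access-log records are constructed for illustration and the field layout is an assumption.

```python
"""Access certification check: role entitlements vs. observed use.

Added example (not from the curriculum). ROLE_PERMISSIONS, USER_ROLES and
ACCESS_LOG are constructed; a real review reads these from the IAM system
and the EHR audit trail.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical RBAC model: role -> permissions the role is expected to exercise.
ROLE_PERMISSIONS = {
    "attending": {"chart.read", "chart.write", "orders.sign", "export.bulk"},
    "resident": {"chart.read", "chart.write", "orders.draft"},
    "billing": {"claims.read", "claims.write", "chart.read"},
}

# Constructed directory: user -> assigned role (terminated users are absent).
USER_ROLES = {"dr_lee": "attending", "dr_park": "resident", "jchen": "billing"}

# Constructed access log for the review window: (user, permission, break_glass).
ACCESS_LOG = [
    ("dr_lee", "chart.read", False),
    ("dr_lee", "orders.sign", False),
    ("dr_park", "chart.read", False),
    ("dr_park", "orders.sign", True),   # emergency override, outside the role
    ("jchen", "claims.write", False),
    ("jchen", "export.bulk", False),    # exercised without a role entitlement
    ("ex_smith", "chart.read", False),  # account not in the directory any more
]


@dataclass
class ReviewFinding:
    user: str
    unused: set = field(default_factory=set)       # granted but never exercised
    out_of_role: set = field(default_factory=set)  # exercised but not granted
    break_glass: set = field(default_factory=set)  # overrides needing post-event review


def review_access(user_roles, role_permissions, access_log):
    """Build one finding per directory user from the role model and the log."""
    used = defaultdict(set)
    overrides = defaultdict(set)
    for user, perm, break_glass in access_log:
        # Break-glass use is tracked separately so it is reviewed, not treated
        # as evidence that the permission belongs in the role.
        (overrides if break_glass else used)[user].add(perm)
    findings = {}
    for user, role in user_roles.items():
        granted = role_permissions.get(role, set())
        findings[user] = ReviewFinding(
            user=user,
            unused=granted - used[user],
            out_of_role=used[user] - granted,
            break_glass=overrides[user],
        )
    return findings


def orphan_accounts(user_roles, access_log):
    """Users seen in the log that HR/IAM no longer lists: revocation candidates."""
    return {user for user, _, _ in access_log} - set(user_roles)


if __name__ == "__main__":
    for f in review_access(USER_ROLES, ROLE_PERMISSIONS, ACCESS_LOG).values():
        print(f)
    print("orphans:", orphan_accounts(USER_ROLES, ACCESS_LOG))
```

Unused entitlements feed the role-tightening discussion, out-of-role use indicates either a misconfigured entitlement or a policy bypass to investigate, break-glass events go to the post-event review queue, and orphan accounts are fed back into the offboarding synchronization described above.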
Module 4: Asset Management and Data Lifecycle Controls
- Maintain an up-to-date inventory of medical devices (e.g., infusion pumps, MRI machines) with embedded systems that process PHI.
- Assign custodianship for data at each lifecycle stage, from collection at registration desks to archival in long-term repositories.
- Define retention periods for different record types (e.g., adult vs. pediatric) in accordance with state and federal mandates.
- Implement automated data aging rules in EHR systems to flag records eligible for archival or deletion.
- Securely decommission storage media containing PHI using NIST SP 800-88 sanitization methods, and retain verification logs.
- Track portable devices (e.g., loaner tablets for home health) through asset management systems with geolocation and remote wipe capability.
- Enforce encryption requirements for data in transit between facilities, particularly when using public networks for teleradiology.
- Conduct periodic data minimization audits to identify and purge unnecessary PHI stored in shadow systems or personal drives.
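The automated data-aging rule described in this module has one edge case worth showing: pediatric records, whose retention clock runs until the patient reaches majority plus a further period, not merely a fixed interval after the last encounter. The script below is an added example, not part of the curriculum; the retention periods, the age of majority and the sample records are constructed placeholders, since the real values come from the applicable state and federal mandates.

```python
"""Data-aging rule: flag EHR records eligible for archival.

Added example (not from the curriculum). RETENTION_YEARS, AGE_OF_MAJORITY,
PEDIATRIC_EXTENSION_YEARS and the sample records are constructed values.
"""
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 7            # assumed retention after the last encounter
AGE_OF_MAJORITY = 18           # assumed
PEDIATRIC_EXTENSION_YEARS = 3  # assumed: keep until majority + this many years


@dataclass(frozen=True)
class Record:
    mrn: str
    birth_date: date
    last_encounter: date
    legal_hold: bool = False   # records under hold are never aged out


def add_years(d, years):
    """Shift a date by whole years; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_at(birth, on):
    """Whole years of age on a given date."""
    return on.year - birth.year - ((on.month, on.day) < (birth.month, birth.day))


def archival_eligible_on(rec):
    """Earliest date the record may be archived under the constructed policy."""
    eligible = add_years(rec.last_encounter, RETENTION_YEARS)
    if age_at(rec.birth_date, rec.last_encounter) < AGE_OF_MAJORITY:
        # Pediatric rule: whichever is later, the fixed retention or majority + extension.
        majority_plus = add_years(rec.birth_date, AGE_OF_MAJORITY + PEDIATRIC_EXTENSION_YEARS)
        eligible = max(eligible, majority_plus)
    return eligible


def flag_for_archival(records, today):
    """MRNs whose eligibility date has passed and that are not under legal hold."""
    return [r.mrn for r in records
            if not r.legal_hold and archival_eligible_on(r) <= today]


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("MRN2001", date(1970, 5, 1), date(2015, 6, 1)),              # adult
    Record("MRN2002", date(2010, 1, 15), date(2015, 6, 1)),             # pediatric
    Record("MRN2003", date(1965, 2, 28), date(2014, 3, 10), True),      # legal hold
]

if __name__ == "__main__":
    print(flag_for_archival(SAMPLE_RECORDS, date(2024, 3, 1)))
```

Running the rule with a review date of 2024-03-01 flags only the adult record: the pediatric record is held until 2031 by the majority rule, and the third record is excluded by its legal hold regardless of age.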
Module 5: Third-Party Risk Management in Healthcare Ecosystems
- Assess business associate agreements (BAAs) for compliance with HIPAA and alignment with ISO 27799 control objectives.
- Perform on-site assessments of cloud service providers hosting EHR modules, focusing on segregation and breach notification processes.
- Require evidence of penetration testing and vulnerability management from medical device manufacturers with remote support access.
- Implement continuous monitoring of third-party access logs, especially for billing and coding vendors with batch data extraction rights.
- Negotiate audit rights in contracts to enable validation of security controls during the relationship lifecycle.
- Map third-party services to critical care pathways to prioritize risk treatment for vendors supporting life-critical systems.
- Enforce multi-factor authentication for all external users accessing internal clinical systems, regardless of BAA status.
- Establish incident escalation protocols with joint response roles defined for breaches involving third-party systems.
Module 6: Incident Response and Breach Management Specific to PHI
- Define criteria for classifying incidents involving PHI based on data type, volume, and potential for misuse (e.g., insurance fraud).
- Integrate incident response playbooks with clinical operations to manage EHR outages without compromising patient care.
- Activate breach notification workflows within 72 hours when unencrypted PHI is involved, per HIPAA requirements.
- Preserve chain-of-custody for forensic evidence collected from clinical workstations during insider threat investigations.
- Coordinate with legal counsel to determine whether a breach requires reporting to HHS, state regulators, and affected individuals.
- Conduct post-incident reviews that include clinical leadership to assess workflow impact and prevent recurrence.
- Simulate ransomware scenarios that encrypt patient records and evaluate recovery time objectives against clinical tolerances.
- Maintain a centralized incident register that correlates events across SIEM, helpdesk, and compliance tracking systems.
Module 7: Physical and Environmental Security in Clinical Settings
- Secure server rooms and data closets in hospitals with dual-factor access and video surveillance, considering 24/7 operational needs.
- Install privacy filters on workstations in shared clinical areas such as emergency departments and nurses’ stations.
- Enforce clean desk policies for work areas handling printed patient records, with daily audits in billing and registration.
- Protect mobile devices used in home health with tamper-resistant cases and mandatory check-in/check-out procedures.
- Design HVAC and power redundancy for data centers supporting real-time clinical decision support systems.
- Control access to medical imaging archives stored on physical media with biometric entry and visitor logs.
- Assess risks of patient or visitor access to unattended workstations during family visitation hours.
- Validate physical security controls during disaster recovery drills that simulate site unavailability.
Module 8: Security Awareness and Role-Specific Training for Healthcare Staff
- Develop phishing simulation campaigns using healthcare-themed lures (e.g., fake lab results, vaccine updates) to measure susceptibility.
- Deliver role-based training modules for clinicians, coders, and IT staff emphasizing their unique control responsibilities.
- Track completion rates and assessment scores for mandatory training, with escalation to supervisors for non-compliance.
- Integrate security reminders into EHR login banners for high-risk actions such as mass download or external sharing.
- Conduct tabletop exercises with department heads to practice responding to social engineering attempts.
- Measure behavior change through audits of password posting, USB drive usage, and screen locking habits.
- Update training content quarterly based on emerging threats observed in peer institutions or ISAC reports.
- Engage clinical champions to model secure behaviors and reinforce messaging during team huddles and staff meetings.
Module 9: Audit, Monitoring, and Continuous Control Validation
- Configure SIEM rules to detect anomalous access patterns, such as after-hours record reviews by non-treating staff.
- Schedule quarterly control testing for critical safeguards, including access reviews, backup restoration, and firewall rule audits.
- Integrate automated compliance checks into CI/CD pipelines for healthcare applications undergoing upgrades.
- Perform independent audits of privilege escalation requests to verify approval trail completeness and business justification.
- Use data loss prevention (DLP) tools to monitor and block unauthorized transfers of PHI via email or cloud storage.
- Validate encryption status of databases and endpoints through agent-based scanning and centralized reporting.
- Report control effectiveness metrics to the board using healthcare-specific KPIs, such as mean time to detect insider threats.
- Adjust monitoring thresholds based on seasonal variations in clinical activity, such as flu season or system migrations.
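The first and last bullets of this module describe one detection rule: flag chart access that is both outside working hours and by a user with no treatment relationship to the patient, then tune the per-user threshold as clinical activity varies. The script below is an added example of that logic, not part of the curriculum or any SIEM product; the audit-log line format, the business-hours window, the care-team roster and the sample log lines are all constructed assumptions.

```python
"""Detection: after-hours chart views by staff not on the patient's care team.

Added example (not from the curriculum). The log format, BUSINESS_HOURS,
CARE_TEAM and SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, time

# Assumed EHR audit line: "<ISO timestamp> user=<id> action=<verb> patient=<mrn> dept=<unit>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) dept=(?P<dept>\S+)$"
)

# Constructed care-team roster: patient MRN -> users with a treatment relationship.
CARE_TEAM = {
    "MRN1001": {"dr_lee", "rn_ortiz"},
    "MRN1002": {"dr_park"},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed day-shift window

# Constructed sample audit lines, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2024-03-11T08:15:22 user=dr_lee action=chart.view patient=MRN1001 dept=ICU
2024-03-11T23:41:05 user=rn_ortiz action=chart.view patient=MRN1001 dept=ICU
2024-03-11T23:47:19 user=jchen action=chart.view patient=MRN1001 dept=BILLING
2024-03-12T02:03:44 user=jchen action=chart.view patient=MRN1002 dept=BILLING
2024-03-12T10:30:00 user=jchen action=chart.view patient=MRN1002 dept=BILLING
2024-03-12T10:31:00 malformed line
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not crashed on."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def detect_after_hours_non_treating(log_text, care_team):
    """Alerts for chart views that are after hours AND by a non-treating user."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "chart.view":
            continue
        treating = rec["user"] in care_team.get(rec["patient"], set())
        if is_after_hours(rec["ts"]) and not treating:
            alerts.append({"ts": rec["ts"], "user": rec["user"], "patient": rec["patient"]})
    return alerts


def users_over_threshold(alerts, threshold):
    """Users whose alert count reaches the threshold; tune threshold with activity levels."""
    counts = Counter(a["user"] for a in alerts)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = detect_after_hours_non_treating(SAMPLE_LOG, CARE_TEAM)
    for a in hits:
        print(a)
    print("over threshold:", users_over_threshold(hits, 2))
```

On the sample data the rule fires twice, both for the billing user: the nurse's overnight view of a patient she is treating is not an anomaly, and the billing user's daytime view of a patient outside the care team is left to a separate, treatment-relationship-only rule. Raising the threshold during a known surge (flu season, a migration weekend) reduces noise without changing the underlying logic.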
Module 10: Governance Integration and Executive Reporting
- Align ISO 27799 control objectives with enterprise risk management frameworks used by the executive team.
- Present security metrics in the context of clinical outcomes, such as the impact on patient throughput during system outages.
- Document control gaps and remediation plans in formats suitable for audit committees and board-level review.
- Coordinate with privacy officers to ensure consistency between security controls and HIPAA compliance reporting.
- Integrate findings from external audits and OCR investigations into the governance decision-making cycle.
- Establish escalation paths for unresolved risks that exceed delegated authority levels within the security team.
- Facilitate quarterly governance meetings with clinical, legal, and IT leadership to review control performance.
- Link control investment decisions to strategic initiatives such as value-based care programs or population health platforms.