
Information Security Controls in ISO 27799

$349.00
When you get access:
Course access is prepared after purchase and delivered via email
Who trusts this:
Trusted by professionals in 160+ countries
Your guarantee:
30-day money-back guarantee — no questions asked
How you learn:
Self-paced • Lifetime updates
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.

This curriculum spans the design and operational management of information security controls in healthcare organizations, comparable in scope to a multi-workshop advisory engagement focused on aligning ISO 27799 with clinical workflows, risk governance, and third-party oversight across complex care environments.

Module 1: Establishing the Governance Framework for Healthcare Information Security

  • Selecting and adapting ISO 27799 controls based on organizational size, care delivery model, and regulatory environment (e.g., HIPAA, GDPR).
  • Defining roles and responsibilities for data stewards, clinical information officers, and IT security teams within governance committees.
  • Integrating ISO 27799 requirements with existing enterprise risk management frameworks such as ISO 31000 or NIST RMF.
  • Determining the scope of protected health information (PHI) systems subject to governance oversight, including legacy and third-party platforms.
  • Establishing escalation paths for security incidents that impact clinical operations or patient safety.
  • Aligning security governance objectives with organizational priorities such as digital transformation or interoperability initiatives.
  • Developing a governance charter that specifies authority, decision rights, and review cycles for control effectiveness.
  • Implementing a documented process for reviewing and updating governance policies in response to audit findings or regulatory changes.

Module 2: Risk Assessment and Treatment Planning in Clinical Environments

  • Conducting asset inventories for medical devices, EHR systems, and mobile endpoints that process or store PHI.
  • Assigning risk owners for high-impact systems such as radiology PACS or pharmacy dispensing systems.
  • Applying threat modeling techniques to clinical workflows involving data exchange with laboratories or referral networks.
  • Selecting risk evaluation criteria that reflect both data confidentiality and system availability requirements for patient care.
  • Documenting risk treatment decisions, including acceptance, mitigation, transfer, or avoidance, with justification and timelines.
  • Integrating risk assessment outcomes into procurement processes for new health IT systems.
  • Establishing thresholds for residual risk that trigger executive reporting or board-level review.
  • Coordinating risk assessment activities across departments with differing risk tolerances (e.g., research vs. acute care).

Module 3: Access Control Design for Healthcare Systems

  • Implementing role-based access control (RBAC) models aligned with clinical job functions and care team structures.
  • Configuring just-in-time (JIT) access for temporary staff, locum physicians, and cross-facility providers.
  • Enforcing the principle of least privilege in EHR systems while preserving a break-glass path that grants timely access during emergencies and records every use for review.
  • Managing access revocation workflows upon staff termination, role change, or contract expiration.
  • Integrating identity providers with HR systems to automate provisioning and deprovisioning.
  • Applying context-aware access policies based on the location, device, and time of the access request.
  • Monitoring and auditing access to sensitive data such as mental health records or HIV status.
  • Addressing access control challenges in shared workstation environments like nursing stations.
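The access-control points in this module (RBAC by clinical role, time-boxed JIT grants for locums, context checks on device and time, a break-glass path that is always audited, and extra handling for sensitive categories such as HIV status) fit together in one policy-decision function. The following is an added illustration written for this page, not course material or any vendor's EHR code; the roles, record categories, users and the 22:00 to 06:00 off-hours window are all constructed assumptions.

```python
"""Added example: a minimal policy-decision point for EHR record access.

Roles, categories, users and the off-hours window are constructed for
illustration; a real deployment would load these from the identity provider
and the clinical scheduling system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# RBAC: role -> PHI categories the role may read in normal operation (assumed mapping).
ROLE_PERMISSIONS = {
    "nurse": {"vitals", "medications", "notes"},
    "physician": {"vitals", "medications", "notes", "labs", "imaging"},
    "billing": {"demographics"},
}
# Categories that need a treating physician (or break-glass) and are always flagged for review.
SENSITIVE = {"mental_health", "hiv_status"}


@dataclass
class Grant:
    role: str
    expires: datetime  # JIT grant: the role disappears after this instant


@dataclass
class User:
    uid: str
    roles: set
    jit: list = field(default_factory=list)  # list[Grant]
    care_team_patients: set = field(default_factory=set)


@dataclass
class Request:
    user: User
    patient: str
    category: str
    device_managed: bool  # endpoint enrolled in MDM / joined to the domain
    on_site: bool         # request came from the facility network
    when: datetime
    break_glass_reason: Optional[str] = None


AUDIT = []  # every decision lands here; sensitive and break-glass ones are marked review_required


def effective_roles(user, when):
    """Static roles plus any JIT grant that has not expired at `when`."""
    roles = set(user.roles)
    roles.update(g.role for g in user.jit if g.expires > when)
    return roles


def decide(req):
    """Return (allowed, reason) and append an audit record for the decision."""
    roles = effective_roles(req.user, req.when)
    allowed_cats = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    in_team = req.patient in req.user.care_team_patients
    off_hours = req.when.hour < 6 or req.when.hour >= 22

    if not req.device_managed:
        # Context check that break-glass does not override: unmanaged endpoints never see PHI.
        verdict = (False, "unmanaged device")
    elif req.break_glass_reason:
        # Emergency path: allow, but the audit record below forces a post-hoc review.
        verdict = (True, "break-glass: " + req.break_glass_reason)
    elif req.category in SENSITIVE:
        if "physician" in roles and in_team:
            verdict = (True, "sensitive category: treating physician")
        else:
            verdict = (False, "sensitive category requires treating physician or break-glass")
    elif req.category not in allowed_cats:
        verdict = (False, "role(s) %s not permitted for %s" % (sorted(roles), req.category))
    elif not in_team:
        verdict = (False, "patient not on user's care team")
    elif off_hours and not req.on_site:
        verdict = (False, "remote off-hours access requires break-glass")
    else:
        verdict = (True, "rbac")

    AUDIT.append({
        "ts": req.when.isoformat(), "uid": req.user.uid, "patient": req.patient,
        "category": req.category, "allowed": verdict[0], "reason": verdict[1],
        "review_required": bool(req.break_glass_reason) or req.category in SENSITIVE,
    })
    return verdict


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 10, 0)
    nurse = User("n1", {"nurse"}, care_team_patients={"p1"})
    locum = User("l1", set(), jit=[Grant("physician", now + timedelta(hours=8))],
                 care_team_patients={"p1"})
    for r in (Request(nurse, "p1", "vitals", True, True, now),
              Request(nurse, "p1", "labs", True, True, now),
              Request(locum, "p1", "labs", True, True, now + timedelta(hours=9)),
              Request(nurse, "p2", "hiv_status", True, True, now, "ED cardiac arrest")):
        print(r.user.uid, r.category, decide(r))
```

The ordering of the checks is the design decision worth noting: the device check sits above break-glass so that an emergency justification cannot be used from an unenrolled laptop, and sensitive categories are handled before the generic RBAC lookup so that a nurse's normal "notes" permission never leaks mental-health notes without a treating-physician relationship or a logged break-glass event.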

Module 4: Third-Party Risk Management for Health IT Vendors

  • Requiring ISO 27799-aligned security controls in contracts with cloud EHR providers and telehealth platform vendors.
  • Conducting on-site or remote security assessments of business associates handling PHI.
  • Defining audit rights and data return/destruction requirements in vendor agreements.
  • Evaluating vendor incident response capabilities and breach notification timelines.
  • Managing risk associated with subcontractors used by primary vendors (fourth-party risk).
  • Tracking vendor compliance status and control effectiveness through continuous monitoring tools.
  • Establishing a vendor risk scoring model that incorporates security, operational, and financial factors.
  • Coordinating vendor access to internal systems using privileged access management (PAM) solutions.

Module 5: Security Incident Management in Clinical Operations

  • Classifying incidents based on impact to patient care, data confidentiality, and regulatory reporting obligations.
  • Activating incident response teams that include clinical, legal, and communications stakeholders.
  • Preserving forensic evidence from medical devices and clinical systems without disrupting care delivery.
  • Coordinating breach notification processes with privacy officers and legal counsel within mandated timeframes.
  • Documenting root cause analysis for security events such as phishing compromises or ransomware attacks.
  • Implementing temporary compensating controls during incident containment and recovery phases.
  • Conducting post-incident reviews to update policies, controls, and training based on lessons learned.
  • Integrating incident data into organizational risk registers for trend analysis and strategic planning.

Module 6: Business Continuity and Availability of Clinical Systems

  • Classifying clinical applications by recovery time objective (RTO) and recovery point objective (RPO) based on care impact.
  • Designing failover mechanisms for critical systems such as emergency department information systems.
  • Testing backup restoration procedures for structured and unstructured PHI, including imaging data.
  • Ensuring offline access capabilities for essential patient data during network outages.
  • Coordinating disaster recovery plans with regional health information exchanges or referral partners.
  • Validating backup integrity and encryption for offsite storage locations.
  • Documenting manual workarounds for clinical processes during extended system downtime.
  • Reviewing and updating business continuity plans annually or after significant infrastructure changes.

Module 7: Physical and Environmental Security for Healthcare Facilities

  • Securing server rooms and data centers located within hospitals or clinics with access logs and surveillance.
  • Controlling physical access to workstations in public areas such as waiting rooms or outpatient clinics.
  • Implementing cable locks and device tracking for laptops and tablets used in mobile care settings.
  • Managing visitor access to IT infrastructure areas with escort and logging requirements.
  • Protecting medical devices from tampering or unauthorized physical connections.
  • Applying environmental controls (e.g., HVAC, fire suppression) to data storage areas in compliance with equipment specifications.
  • Establishing procedures for secure disposal of PHI on decommissioned hardware and storage media.
  • Coordinating physical security policies with facility management and security personnel.

Module 8: Security Awareness and Role-Specific Training for Healthcare Staff

  • Developing training content tailored to clinical roles such as nurses, physicians, and administrative staff.
  • Conducting phishing simulation exercises with follow-up coaching for staff who fail tests.
  • Delivering just-in-time security reminders during EHR login or high-risk workflows.
  • Tracking completion rates and knowledge retention for mandatory annual security training.
  • Addressing cultural resistance to security practices perceived as barriers to patient care.
  • Training staff on secure use of personal devices in clinical settings (BYOD policies).
  • Updating training materials in response to new threats such as deepfake-based social engineering.
  • Measuring training effectiveness through behavioral metrics like incident reporting rates.

Module 9: Audit, Monitoring, and Continuous Control Validation

  • Configuring SIEM systems to collect and correlate logs from EHRs, medical devices, and network infrastructure.
  • Defining audit trails for privileged user activity in clinical systems with administrative access.
  • Establishing thresholds for anomaly detection in data access patterns (e.g., unusual volume or timing).
  • Conducting regular internal audits of ISO 27799 control implementation across departments.
  • Preparing for external audits by regulatory bodies or accreditation organizations.
  • Using automated control testing tools to validate configuration compliance on endpoints and servers.
  • Reporting control gaps and remediation progress to executive leadership and governance boards.
  • Integrating audit findings into the organization’s continuous improvement cycle for information security.
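The "thresholds for anomaly detection in data access patterns" point above is the one place in this module that reduces to code. What follows is an added example for this page, not part of the course toolkit or any SIEM product: it parses constructed EHR access-log lines, builds a per-user baseline from the first days, and raises two kinds of alert, a volume alert when a user's distinct-patient count for a day exceeds mean plus three standard deviations of their baseline (with an absolute floor so a quiet baseline does not alert on normal variation), and an off-hours alert when a user reads records at an hour they have never used before during the 22:00 to 06:00 window. The log format, user names, the floor of 10 and the three-sigma multiplier are all assumptions.

```python
"""Added example: per-user baseline and threshold alerts over EHR access logs.

Log line format (constructed): <ISO timestamp>,<user>,<patient>,<action>,<source>
"""
import statistics
from collections import defaultdict
from datetime import datetime

ABS_FLOOR = 10                       # assumed: never alert below this many distinct patients/day
SIGMA = 3.0                          # assumed: alert at mean + 3 * population std-dev
OFF_HOURS = set(range(0, 6)) | {22, 23}


def parse(lines):
    """Turn raw CSV-style log lines into event dicts."""
    events = []
    for ln in lines:
        ts, user, patient, action, src = ln.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action, "src": src})
    return events


def detect(events, baseline_end):
    """Events before `baseline_end` form the baseline; later events are scored against it."""
    base = [e for e in events if e["ts"] < baseline_end]
    live = [e for e in events if e["ts"] >= baseline_end]

    per_day = defaultdict(lambda: defaultdict(set))   # user -> date -> distinct patients
    seen_hours = defaultdict(set)                      # user -> hours of day seen in baseline
    for e in base:
        per_day[e["user"]][e["ts"].date()].add(e["patient"])
        seen_hours[e["user"]].add(e["ts"].hour)

    thresholds = {}
    for user, days in per_day.items():
        counts = [len(p) for p in days.values()]
        sd = statistics.pstdev(counts) if len(counts) > 1 else 0.0
        thresholds[user] = max(ABS_FLOOR, statistics.mean(counts) + SIGMA * sd)

    alerts = []
    live_day = defaultdict(lambda: defaultdict(set))
    for e in live:
        live_day[e["user"]][e["ts"].date()].add(e["patient"])
        if e["ts"].hour in OFF_HOURS and e["ts"].hour not in seen_hours[e["user"]]:
            alerts.append({"type": "off_hours", "user": e["user"], "ts": e["ts"].isoformat(),
                           "patient": e["patient"], "src": e["src"]})
    for user, days in live_day.items():
        thr = thresholds.get(user, ABS_FLOOR)   # unknown users fall back to the floor
        for day, patients in days.items():
            if len(patients) > thr:
                alerts.append({"type": "volume", "user": user, "date": day.isoformat(),
                               "distinct_patients": len(patients), "threshold": round(thr, 1)})
    return alerts


def sample_log():
    """Constructed sample: three normal days, then a bulk pull and a 03:12 remote read."""
    lines = []
    for day in (1, 2, 3):
        for i in range(5 + (day % 2)):            # nurse reads 5 or 6 patients on day shift
            lines.append("2024-03-0%dT%02d:15:00,u_nurse1,p%04d,read,ward3-ws1" % (day, 8 + i, 100 + i))
        for i in range(8):                        # physician reads 8 patients a day
            lines.append("2024-03-0%dT%02d:05:00,u_doc1,p%04d,read,clinic-ws2" % (day, 9 + i, 200 + i))
    for i in range(40):                           # day 4: 40 records in one hour
        lines.append("2024-03-04T14:%02d:00,u_nurse1,p%04d,read,ward3-ws1" % (i, 300 + i))
    lines.append("2024-03-04T03:12:00,u_nurse1,p0999,read,vpn-remote")
    for i in range(8):                            # physician unchanged on day 4
        lines.append("2024-03-04T%02d:05:00,u_doc1,p%04d,read,clinic-ws2" % (9 + i, 200 + i))
    return lines


if __name__ == "__main__":
    for a in detect(parse(sample_log()), datetime(2024, 3, 4)):
        print(a)
```

Two practitioner notes: the absolute floor matters because a three-day baseline of 5, 6, 5 has a standard deviation under one patient, and without the floor a nurse covering an extra bed would trip the alert; and the baseline window should exclude days already under investigation, otherwise the anomaly becomes part of the "normal" it is measured against.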

Module 10: Strategic Alignment and Performance Measurement of Security Controls

  • Mapping ISO 27799 controls to organizational KPIs such as breach frequency, mean time to detect, and audit compliance rate.
  • Presenting security performance dashboards to executive leadership using clinically relevant metrics.
  • Adjusting control investment based on risk exposure trends and threat intelligence.
  • Aligning security initiatives with enterprise goals such as patient satisfaction, care quality, and operational efficiency.
  • Conducting cost-benefit analyses for control enhancements, including opportunity costs to clinical workflows.
  • Engaging clinical leadership in control prioritization to ensure operational feasibility.
  • Reviewing control effectiveness annually and updating the security program based on maturity assessments.
  • Integrating patient safety considerations into security decision-making for connected medical devices.