This curriculum spans the full lifecycle of healthcare-specific risk assessments under ISO 27799, comparable in scope to a multi-phase internal capability program that integrates clinical operations, IT governance, and third-party risk management across complex health data environments.
Module 1: Establishing the Risk Assessment Framework
- Select the scope boundaries for the risk assessment, including specific healthcare systems, data flows, and third-party interfaces subject to ISO 27799 controls.
- Define risk criteria such as impact scales for confidentiality, integrity, and availability tailored to patient data sensitivity and regulatory exposure.
- Determine whether to adopt qualitative, quantitative, or hybrid risk analysis methods based on data availability and organizational risk appetite.
- Assign ownership for risk identification and treatment to clinical, IT, and compliance roles to ensure accountability.
- Integrate the risk assessment framework with existing enterprise risk management (ERM) structures without duplicating controls.
- Decide on the frequency of assessment cycles considering audit requirements, system changes, and incident trends.
- Select risk register tools that support traceability from threats to controls and enable reporting to clinical and IT leadership.
- Align the framework with jurisdictional requirements such as HIPAA, GDPR, or PIPEDA when managing cross-border health data.
Module 2: Asset Identification and Classification
- Inventory all information assets containing personal health information (PHI, the ISO 27799 term for identifiable health data), including structured databases and unstructured clinical notes.
- Classify assets by sensitivity levels (e.g., diagnostic images vs. appointment logs) using ISO 27799-defined confidentiality requirements.
- Map asset ownership to specific roles in clinical departments, ensuring custodians can enforce handling rules.
- Document asset locations, including cloud-hosted EHR instances and mobile devices used by clinicians.
- Identify shared assets across departments and define access protocols to prevent unauthorized cross-functional use.
- Establish retention periods for each asset class based on clinical necessity and legal mandates.
- Apply labeling mechanisms (e.g., metadata tags, watermarks) to digital and printed health records to enforce handling rules.
- Update asset classifications following system upgrades or changes in data usage patterns.
Module 3: Threat and Vulnerability Analysis
- Identify threat actors relevant to healthcare, such as insider staff, ransomware operators, and compromised third-party vendors.
- Map known vulnerabilities in medical devices (e.g., infusion pumps, imaging systems) to applicable CVE entries and patch status.
- Assess the exploitability of legacy systems that cannot be patched due to vendor support limitations.
- Conduct threat modeling for high-risk workflows, such as telehealth sessions and remote diagnostics.
- Use historical incident data from ISACs or internal logs to prioritize likely attack vectors.
- Evaluate social engineering risks specific to clinical environments, including phishing targeting billing staff or impersonation of physicians.
- Assess physical security gaps in areas where devices store unencrypted PHI, such as portable workstations on hospital carts.
- Document zero-day risks in software used for patient monitoring and define compensating controls.
Module 4: Risk Evaluation and Prioritization
- Score risks using a matrix that combines likelihood (based on threat frequency and control strength) and impact (on patient safety and legal liability).
- Adjust risk ratings for scenarios involving life-critical systems, such as electronic medication administration records.
- Compare residual risk levels against the organization’s risk appetite thresholds approved by the governance board.
- Escalate high-priority risks that exceed tolerance levels to clinical and IT leadership for immediate action.
- Identify risk interdependencies, such as a compromised authentication system enabling access to multiple health applications.
- Document assumptions used in risk scoring to support audit and review processes.
- Re-evaluate risk rankings after significant events, such as a data breach or integration of a new hospital wing.
- Exclude risks deemed negligible based on control effectiveness, with justification recorded in the risk register.
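The scoring and evaluation steps of Modules 3 and 4, carried through as an added worked example that is not part of the original curriculum. The five-point scales, the matrix bands, the subtraction of control strength from likelihood, the one-notch uplift for life-critical systems, the numeric appetite threshold and the "enabled by" propagation rule are all assumptions chosen for illustration; ISO 27799 prescribes none of these values. The register entries are constructed.

```python
"""Risk scoring and evaluation for a healthcare risk register.

Added illustration: scale values, band cut-offs, uplift rule and appetite
threshold are assumptions, not values taken from ISO 27799."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed five-point ordinal scales (illustrative, not from the standard).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
HIGH_AT, MEDIUM_AT = 15, 8   # assumed matrix bands on the 1..25 product


@dataclass
class Risk:
    rid: str
    threat: str
    likelihood: str               # key into LIKELIHOOD (threat frequency)
    impact: str                   # key into IMPACT (patient safety / legal liability)
    control_strength: int = 0     # 0 = no control .. 3 = strong (assumed scale)
    life_critical: bool = False   # e.g. eMAR: impact uplifted one notch
    enabled_by: List[str] = field(default_factory=list)  # ids of risks that enable this one
    rationale: str = ""           # required before a risk may be excluded as negligible


def residual_likelihood(risk: Risk, register: Dict[str, Risk], _seen=frozenset()) -> int:
    """Likelihood after controls, floored at 1. A risk enabled by another
    (auth compromise -> access to many apps) is at least as likely as its enabler."""
    own = max(1, LIKELIHOOD[risk.likelihood] - risk.control_strength)
    if risk.rid in _seen:          # guard against cyclic dependencies in the register
        return own
    seen = _seen | {risk.rid}
    enablers = [residual_likelihood(register[e], register, seen)
                for e in risk.enabled_by if e in register]
    return max([own] + enablers)


def impact_score(risk: Risk) -> int:
    base = IMPACT[risk.impact]
    return min(5, base + 1) if risk.life_critical else base


def rating(score: int) -> str:
    if score >= HIGH_AT:
        return "high"
    if score >= MEDIUM_AT:
        return "medium"
    return "low"


def evaluate(register: Dict[str, Risk], appetite: int = 8) -> Dict[str, dict]:
    """Score every risk, compare it with the board-approved appetite (assumed to be
    a numeric threshold on the product) and decide escalate / treat / exclude."""
    out = {}
    for rid, r in register.items():
        lk, im = residual_likelihood(r, register), impact_score(r)
        s = lk * im
        if s > appetite:
            action = "escalate"          # exceeds tolerance: to clinical and IT leadership
        elif rating(s) == "low" and r.control_strength >= 2:
            # Negligible only when a justification is recorded for the audit trail
            action = "exclude" if r.rationale else "justify_or_treat"
        else:
            action = "treat"
        out[rid] = {"likelihood": lk, "impact": im, "score": s,
                    "rating": rating(s), "action": action}
    return out


# Constructed sample register (not real findings)
SAMPLE = {r.rid: r for r in [
    Risk("R1", "Compromise of central authentication (SSO) service",
         "possible", "major", control_strength=1),
    Risk("R2", "Unauthorized EHR access via stolen session",
         "unlikely", "severe", control_strength=1, enabled_by=["R1"]),
    Risk("R3", "Ransomware on eMAR server",
         "possible", "major", control_strength=0, life_critical=True),
    Risk("R4", "Exposure of appointment logs on shared printer",
         "unlikely", "minor", control_strength=2,
         rationale="Printer in staffed area; logs contain no diagnoses"),
]}

if __name__ == "__main__":
    for rid, res in evaluate(SAMPLE).items():
        print(rid, res)
```

Note how R2 is lifted by its enabler: on its own it would score 1 x 5, but because a compromised SSO service makes it reachable it inherits R1's residual likelihood and crosses the appetite line, which is the interdependency the module asks you to capture.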
Module 5: Control Selection and Implementation
- Select ISO 27799-aligned controls for access management, such as role-based access for clinicians based on job function and patient load.
- Implement encryption for data at rest and in transit, including TLS (1.2 or later, with certificate validation enforced) for EHR APIs and database encryption with keys managed separately from the encrypted data.
- Deploy audit logging mechanisms on systems handling PHI, ensuring logs capture user IDs, timestamps, and accessed records.
- Configure multi-factor authentication for remote access to clinical systems, with a documented break-glass path for emergencies that is logged and reviewed afterwards rather than a standing bypass.
- Establish data loss prevention (DLP) rules to block unauthorized transfers of patient data via email or USB.
- Integrate controls for bring-your-own-device (BYOD) policies, including mobile device management (MDM) enrollment for physician smartphones.
- Implement segregation of duties between system administrators and clinical data users to prevent privilege abuse.
- Customize control parameters to departmental workflows, such as longer screen timeouts on ICU workstations, and pair any relaxation with a compensating control (for example, badge-tap locking) so that PHI is not left on display.
Module 6: Third-Party Risk Management
- Conduct security assessments of cloud service providers hosting EHRs or medical imaging archives.
- Negotiate business associate agreements (BAAs) that specify security responsibilities and breach notification timelines.
- Verify third-party compliance with ISO 27001 and alignment with ISO 27799 control objectives.
- Monitor vendor patch management practices for medical devices and software with internet connectivity.
- Assess risks associated with data sharing through health information exchanges (HIEs) and API integrations.
- Require third parties to provide evidence of incident response testing and breach history.
- Enforce right-to-audit clauses for vendors with access to sensitive patient data.
- Terminate or re-scope contracts with vendors failing to meet agreed-upon security benchmarks.
Module 7: Risk Treatment Planning
- Develop treatment plans for high-risk findings, selecting between mitigation, transfer, acceptance, or avoidance strategies.
- Assign risk treatment actions to specific owners with defined deadlines and resource allocations.
- Justify risk acceptance decisions with documented approvals from clinical and executive leadership.
- Coordinate treatment timelines with clinical schedules to avoid disrupting patient care during system changes.
- Track implementation of compensating controls when primary controls cannot be applied immediately.
- Integrate risk treatment milestones into project management tools used by IT operations.
- Validate control effectiveness post-implementation through technical testing or user observation.
- Maintain version-controlled records of all treatment decisions for regulatory audits.
Module 8: Monitoring and Review Mechanisms
- Configure automated alerts for anomalous access patterns, such as bulk downloads of patient records by a single user.
- Schedule periodic access reviews for privileged accounts in clinical information systems.
- Conduct control effectiveness assessments using penetration testing focused on patient data repositories.
- Review audit logs quarterly to detect unauthorized access or configuration drift in critical systems.
- Update risk assessments following major changes, such as mergers, new EHR deployments, or policy revisions.
- Use key risk indicators (KRIs) like failed login rates or unpatched device counts to track risk trends.
- Report monitoring results to the information security steering committee with actionable insights.
- Adjust monitoring scope based on emerging threats, such as new ransomware variants targeting healthcare.
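The audit log fields called for in Module 5 (user ID, timestamp, accessed record) feed the monitoring in Module 8; as an added example that is not from the original curriculum, the following Python parses such a log, raises the bulk-download alert described above and computes the failed-login KRI. The line format, the 10-minute window, the 20-record threshold and the user and record identifiers are all assumptions, and the log lines are constructed.

```python
"""Detection over PHI audit logs: bulk-access alerts and a failed-login KRI.
Added illustration; the log format, window and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: ISO-8601 UTC time, user id, action, record id, outcome.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) outcome=(?P<outcome>\S+)$"
)

# Constructed sample audit log (not real data). The last block is a reporting
# service account exporting 25 distinct records in under five minutes.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-04T08:01:12Z user=nurse07 action=VIEW record=P10001 outcome=OK",
        "2024-03-04T08:02:40Z user=nurse07 action=VIEW record=P10002 outcome=OK",
        "2024-03-04T08:03:05Z user=dr_lee action=LOGIN record=- outcome=FAIL",
        "2024-03-04T08:03:30Z user=dr_lee action=LOGIN record=- outcome=FAIL",
        "2024-03-04T08:04:01Z user=dr_lee action=LOGIN record=- outcome=OK",
        "2024-03-04T08:04:30Z user=dr_lee action=VIEW record=P10001 outcome=OK",
    ]
    + [
        f"2024-03-04T09:{10 + i // 5:02d}:{(i % 5) * 12:02d}Z "
        f"user=svc_reports action=EXPORT record=P2{i:04d} outcome=OK"
        for i in range(25)
    ]
)


def parse(log_text):
    """Parse audit lines into dicts; reject anything that does not match the
    schema so a malformed or truncated line cannot silently hide an access."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def bulk_access_alerts(events, window=timedelta(minutes=10), threshold=20):
    """Alert on any user who touches more than `threshold` distinct patient
    records inside a sliding `window`; one alert per user, reporting the
    densest window seen."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] in ("VIEW", "EXPORT") and e["outcome"] == "OK":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        worst_count, worst_start, start = 0, None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["record"] for e in evs[start:end + 1]}
            if len(distinct) > worst_count:
                worst_count, worst_start = len(distinct), evs[start]["ts"]
        if worst_count > threshold:
            alerts.append({"user": user, "window_start": worst_start,
                           "distinct_records": worst_count})
    return alerts


def failed_login_kri(events):
    """Key risk indicator: (failed, total) LOGIN attempts per user."""
    counts = defaultdict(lambda: [0, 0])
    for e in events:
        if e["action"] == "LOGIN":
            counts[e["user"]][1] += 1
            if e["outcome"] != "OK":
                counts[e["user"]][0] += 1
    return {u: tuple(c) for u, c in counts.items()}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(bulk_access_alerts(evs))
    print(failed_login_kri(evs))
```

Counting distinct records rather than raw events matters: a clinician refreshing one chart twenty times is normal, while a service account walking twenty-five different charts in five minutes is the pattern the alert is meant to catch. The parser's refusal to skip unparseable lines is deliberate, since a logging pipeline that drops lines it cannot read is itself a gap in the audit trail.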
Module 9: Integration with Clinical and Organizational Governance
- Align risk assessment outcomes with clinical safety committees to address risks impacting patient outcomes.
- Incorporate risk findings into capital planning for system upgrades and cybersecurity investments.
- Present risk reports to the board using executive summaries that link technical risks to operational impact.
- Coordinate with privacy officers to ensure risk treatments support compliance with data protection laws.
- Embed risk assessment requirements into change management processes for IT and clinical workflows.
- Train clinical leaders to recognize and report security incidents as part of routine governance.
- Link risk register updates to internal audit schedules and external certification cycles.
- Ensure continuity between risk assessments and business continuity planning for healthcare delivery.